From b11d8132ddb178837bace8ff9bdd4a11447644c1 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Fri, 21 Nov 2025 14:05:26 -0500 Subject: [PATCH] chore: add dependabot cooldown (#1302) * chore: add dependabot cooldown One of the things I need to worry about with Anubis is the idea that someone could pwn a dependency and then get malicious code into prod without realizing it, a-la Jia Tan. Given that Anubis relies on tools like Dependabot to manage updating dependencies (good for other reasons), it makes sense to have Dependabot have a 7 day cooldown for new versions of dependencies. This follows the advice from Yossarian on their blog at [1]. Thanks for the post and easy to copy/paste snippets! [1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns Signed-off-by: Xe Iaso * chore: update spelling Signed-off-by: Xe Iaso --------- Signed-off-by: Xe Iaso --- .github/actions/spelling/allow.txt | 1 + .github/dependabot.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt index 7f72277..5d480d1 100644 --- a/.github/actions/spelling/allow.txt +++ b/.github/actions/spelling/allow.txt @@ -10,3 +10,4 @@ ABee tencent maintnotifications azurediamond +cooldown diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dbe7232..8ab34f7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,8 @@ updates: github-actions: patterns: - "*" + cooldown: + default-days: 7 - package-ecosystem: gomod directory: / @@ -17,6 +19,8 @@ updates: gomod: patterns: - "*" + cooldown: + default-days: 7 - package-ecosystem: npm directory: / @@ -26,3 +30,5 @@ updates: npm: patterns: - "*" + cooldown: + default-days: 7
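Review bot: in the first dependabot.yml hunk (`@@ -8,6 +8,8 @@`, the `github-actions` entry) the `cooldown:` block is inserted directly after `patterns: - "*"`, and the flattened rendering here loses the indentation, so please confirm that `cooldown` lands as a sibling of `groups` at the update-entry level rather than as a child of the `github-actions` group or of its `patterns` list; nested one level too deep it is silently ignored rather than rejected. Also, `default-days: 7` on its own applies the same 7-day wait to every release size; if the project later wants a longer wait only for majors, the Dependabot cooldown schema (as I understand it, verify against current docs) also accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days` alongside `default-days`.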
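Review bot: the `gomod` and `npm` hunks (`@@ -17,6 +19,8 @@` and `@@ -26,3 +30,5 @@`) repeat the same two lines with no in-file explanation, and the threat model (a compromised upstream release being pulled into prod before anyone notices, per the commit message) lives only in the commit message. Suggest a short YAML comment above each `cooldown:` block, for example `# 7-day cooldown so a compromised release can be caught and yanked before we pull it; see #1302`, so a later cleanup does not drop it as dead config. Worth confirming and documenting in the same comment whether this delay also applies to updates triggered by a security advisory for a dependency, since the cooldown postpones fixes as well as malicious releases.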