chore: add dependabot cooldown (#1302)
* chore: add dependabot cooldown

One of the things I need to worry about with Anubis is the idea that someone could pwn a dependency and then get malicious code into prod without realizing it, à la Jia Tan. Given that Anubis relies on tools like Dependabot to manage updating dependencies (good for other reasons), it makes sense to have Dependabot have a 7 day cooldown for new versions of dependencies. This follows the advice from Yossarian on their blog at [1]. Thanks for the post and easy to copy/paste snippets!

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: update spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
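As an added illustration of the 7 day cooldown the commit message describes (this is not the commit's own `.github/dependabot.yml`, which is not rendered on this page), here is what that setting looks like in Dependabot's configuration. The ecosystems, directories and schedule are assumptions chosen for the example; the `cooldown` keys are Dependabot's documented option names.

```yaml
# Constructed example: Dependabot version updates with a dependency cooldown.
# The package ecosystems, directories and schedule are assumptions, not the
# values from this commit's (unrendered) .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: "gomod"        # assumption: a Go module at the repo root
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      # Do not open an update PR until a new version has been public for 7 days.
      default-days: 7
      # Optional per-release-type overrides; longer waits for larger jumps.
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 7

  - package-ecosystem: "github-actions"  # assumption: workflow actions are also updated
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

The cooldown only delays Dependabot's automated version-update pull requests. It does not stop a developer from bumping to a freshly published version by hand, and a compromise that stays undetected for longer than the window still arrives on schedule, so the setting buys the ecosystem time to notice a bad release rather than replacing review of what gets merged.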
parent f032d5d0ac
commit b11d8132dd
2 changed files with 7 additions and 0 deletions
1 .github/actions/spelling/allow.txt (vendored)
@ -10,3 +10,4 @@ ABee
tencent
maintnotifications
azurediamond
cooldown
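Review bot: the second of the 2 changed files, the dependabot configuration that actually sets the 7 day cooldown named in the commit message, is not rendered on this page, so this hunk only confirms that the spell-check allowlist accepts the word `cooldown`; the allowlist entry itself matches the surrounding lines (one lowercase token per line, unsorted) and needs no change, but the cooldown setting should be checked in that other file to confirm it is applied to every package ecosystem the repository has Dependabot update, not only one.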