chore: add dependabot cooldown (#1302)

* chore: add dependabot cooldown

One of the things I need to worry about with Anubis is the idea that
someone could pwn a dependency and then get malicious code into prod without
realizing it, à la Jia Tan. Given that Anubis relies on tools like
Dependabot to manage updating dependencies (good for other reasons),
it makes sense to have Dependabot have a 7-day cooldown for new
versions of dependencies.

This follows the advice from Yossarian on their blog at [1]. Thanks
for the post and easy to copy/paste snippets!

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: update spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Xe Iaso 2025-11-21 14:05:26 -05:00 committed by GitHub
parent f032d5d0ac
commit b11d8132dd
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 0 deletions


@ -10,3 +10,4 @@ ABee
tencent tencent
maintnotifications maintnotifications
azurediamond azurediamond
cooldown


@ -8,6 +8,8 @@ updates:
github-actions: github-actions:
patterns: patterns:
- "*" - "*"
cooldown:
default-days: 7
- package-ecosystem: gomod - package-ecosystem: gomod
directory: / directory: /
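Review bot: The rendered diff drops indentation, so it is not visible here whether the `cooldown:` / `default-days: 7` lines sit at the update-entry level (a sibling of `package-ecosystem:` and `groups:`) or have been nested under the `github-actions:` group's `patterns:` block; Dependabot only honours `cooldown` as a top-level key of the update entry, so please confirm the two added lines are indented to the same depth as `groups:` in this and the two following entries.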
@ -17,6 +19,8 @@ updates:
gomod: gomod:
patterns: patterns:
- "*" - "*"
cooldown:
default-days: 7
- package-ecosystem: npm - package-ecosystem: npm
directory: / directory: /
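Review bot: `default-days: 7` is now repeated verbatim for all three ecosystems with no comment in the file explaining why; a one-line YAML comment above each `cooldown:` block (or above the first one) pointing at the rationale in the commit message and the linked blog post would stop a future maintainer from trimming the delay as an apparent slowdown of routine updates.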
@ -26,3 +30,5 @@ updates:
npm: npm:
patterns: patterns:
- "*" - "*"
cooldown:
default-days: 7
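Review bot: The npm entry is the one most exposed to the compromised-maintainer scenario the commit message describes, and a single `default-days` value delays every version bump equally; the hunk does not show whether a shorter window for patch releases or a longer one for major releases was considered, nor whether the cooldown is expected to hold back fixes that land as security updates, so it is worth stating in the PR which behaviour is intended and checking it against Dependabot's documented cooldown semantics before merging.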