chore: add dependabot cooldown (#1302)
* chore: add dependabot cooldown

One of the things I need to worry about with Anubis is the idea that someone could pwn a dependency and then get malicious code into prod without realizing it, à la Jia Tan. Given that Anubis relies on tools like Dependabot to manage updating dependencies (good for other reasons), it makes sense to have Dependabot have a 7 day cooldown for new versions of dependencies. This follows the advice from Yossarian on their blog at [1]. Thanks for the post and easy to copy/paste snippets!

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: update spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
parent f032d5d0ac
commit b11d8132dd
2 changed files with 7 additions and 0 deletions
.github/actions/spelling/allow.txt (vendored, 1 addition)
@ -10,3 +10,4 @@ ABee
|
||||||
tencent
|
tencent
|
||||||
maintnotifications
|
maintnotifications
|
||||||
azurediamond
|
azurediamond
|
||||||
|
cooldown
|
||||||
|
|
|
||||||
.github/dependabot.yml (vendored, 6 additions)
@ -8,6 +8,8 @@ updates:
|
||||||
github-actions:
|
github-actions:
|
||||||
patterns:
|
patterns:
|
||||||
- "*"
|
- "*"
|
||||||
|
cooldown:
|
||||||
|
default-days: 7
|
||||||
|
|
||||||
- package-ecosystem: gomod
|
- package-ecosystem: gomod
|
||||||
directory: /
|
directory: /
|
||||||
|
|
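Review bot: `default-days: 7` delays every github-actions update by the same amount, including a release that fixes a vulnerability in an action; since the commit message motivates the cooldown purely by supply-chain risk, a one-line comment above the `cooldown:` block recording that trade-off (delayed fixes versus delayed exposure to a compromised release) would stop a future editor from lowering or removing the value without knowing why it was set.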
@ -17,6 +19,8 @@ updates:
|
||||||
gomod:
|
gomod:
|
||||||
patterns:
|
patterns:
|
||||||
- "*"
|
- "*"
|
||||||
|
cooldown:
|
||||||
|
default-days: 7
|
||||||
|
|
||||||
- package-ecosystem: npm
|
- package-ecosystem: npm
|
||||||
directory: /
|
directory: /
|
||||||
|
|
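Review bot: this is a verbatim copy of the `cooldown:` / `default-days: 7` block added to the github-actions entry above, and the three copies have to be kept in sync by hand; a comment next to the first block pointing at the rationale from the commit message ([1]) and noting that the other ecosystems mirror it would document the policy once rather than leaving three unexplained literals.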
@ -26,3 +30,5 @@ updates:
|
||||||
npm:
|
npm:
|
||||||
patterns:
|
patterns:
|
||||||
- "*"
|
- "*"
|
||||||
|
cooldown:
|
||||||
|
default-days: 7
|
||||||
|
|
|
||||||
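Review bot: with this hunk all three ecosystems carry the 7-day cooldown, but it only governs the versions Dependabot proposes in its pull requests; a developer running `npm install` or `npm update` locally, or a CI job that resolves outside the lockfile, can still pull a release that is minutes old, so the lockfile should remain the sole source of resolved versions (for example `npm ci` in CI) for the delay to have the effect the commit message describes.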