* chore: add dependabot cooldown

One of the things I need to worry about with Anubis is the idea that someone could pwn a dependency and then get malicious code into prod without realizing it, à la Jia Tan. Given that Anubis relies on tools like Dependabot to manage updating dependencies (good for other reasons), it makes sense to have Dependabot have a 7 day cooldown for new versions of dependencies. This follows the advice from Yossarian on their blog at [1].

Thanks for the post and easy to copy/paste snippets!

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: update spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
34 lines
570 B
YAML
version: 2

updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      github-actions:
        patterns:
          - "*"
    # Hold back newly published versions for 7 days before proposing them
    cooldown:
      default-days: 7

  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
    groups:
      gomod:
        patterns:
          - "*"
    cooldown:
      default-days: 7

  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    groups:
      npm:
        patterns:
          - "*"
    cooldown:
      default-days: 7
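The rule the `cooldown` block above expresses, modelled in Python as an added example (this is not Anubis's code and not Dependabot's implementation): for each release newer than the pinned version, the update is only a candidate once the release has been public for the configured number of days, so the newest eligible version is chosen rather than the newest published one. The release history, dates and package name are constructed for the example; the `semver-major-days`-style override mirrors Dependabot's documented per-level cooldown keys but the precedence logic here is the example's own.

```python
"""Simulate a Dependabot-style dependency cooldown over a constructed release history.

Added example for this commit page; not Anubis's or Dependabot's own code.
A release that has not been public for `default-days` days is skipped, which
gives the ecosystem a window to notice and yank a malicious release before any
automated update PR pulls it in.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Release:
    version: str      # semver string such as "1.4.1"
    published: date   # day the release became public


def parse_semver(version: str) -> tuple[int, int, int]:
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def bump_level(current: str, candidate: str) -> str:
    """Classify the jump from `current` to `candidate` as major, minor or patch."""
    cur, new = parse_semver(current), parse_semver(candidate)
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def cooldown_days(level: str, cooldown: dict[str, int]) -> int:
    # A level-specific setting (semver-major-days etc.) overrides default-days.
    return cooldown.get(f"semver-{level}-days", cooldown.get("default-days", 0))


def cooldown_report(current: str, releases: list[Release],
                    cooldown: dict[str, int], today: date) -> dict[str, str]:
    """Explain, per release, why it is or is not a candidate for an update."""
    report: dict[str, str] = {}
    for rel in releases:
        if parse_semver(rel.version) <= parse_semver(current):
            report[rel.version] = "not newer than current"
            continue
        ready_on = rel.published + timedelta(days=cooldown_days(bump_level(current, rel.version), cooldown))
        if ready_on > today:
            report[rel.version] = f"in cooldown until {ready_on.isoformat()}"
        else:
            report[rel.version] = "eligible"
    return report


def eligible_update(current: str, releases: list[Release],
                    cooldown: dict[str, int], today: date) -> str | None:
    """Return the highest version that is newer than `current` and past its cooldown."""
    report = cooldown_report(current, releases, cooldown, today)
    eligible = [v for v, status in report.items() if status == "eligible"]
    return max(eligible, key=parse_semver) if eligible else None


# Constructed history for a hypothetical module; "today" is fixed so the run is deterministic.
TODAY = date(2025, 11, 28)
CURRENT = "1.4.0"
RELEASES = [
    Release("1.4.0", date(2025, 11, 1)),   # the pinned version
    Release("1.4.1", date(2025, 11, 15)),  # 13 days old: clears a 7-day cooldown
    Release("1.4.2", date(2025, 11, 26)),  # 2 days old: still inside the cooldown window
    Release("2.0.0", date(2025, 11, 10)),  # 18 days old: clears 7 days, not a 30-day major cooldown
]

if __name__ == "__main__":
    for policy in ({"default-days": 0}, {"default-days": 7},
                   {"default-days": 7, "semver-major-days": 30}):
        print(policy, "->", eligible_update(CURRENT, RELEASES, policy, TODAY))
        for version, status in cooldown_report(CURRENT, RELEASES, policy, TODAY).items():
            print(f"   {version}: {status}")
```

With no cooldown the freshest release (here `2.0.0`) is proposed immediately; with the file's `default-days: 7` the two-day-old `1.4.2` is held back, and adding a longer major-version cooldown holds back `2.0.0` as well, so the update PR would target `1.4.1`.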