Skip to content

Add cooldown for application dependency updates #765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MatMoore merged 1 commit into from
Nov 25, 2025
Merged

Add cooldown for application dependency updates #765

MatMoore merged 1 commit into from
Nov 25, 2025

Conversation

@MatMoore
Copy link
Contributor

@MatMoore MatMoore commented Nov 25, 2025

Description

Dependabot's cooldown function is a protection against supply chain attacks. There have been a lot of these recently against npm.

By waiting a week before pulling new package versions, we are much less likely to be exposed to malicious versions before they are yanked from the package index.

We may wish to tweak this for particular packages, e.g. if they are internally authored. We are already excluding nhsuk-frontend from dependabot so we don't need to worry about that one.

I'm not sure about terraform updates so I've left that alone in this commit. Let me know if I should add it in.

Jira link

N/A

Review notes

Review checklist

  • Check database queries are correctly scoped to current_provider

@MatMoore
add cooldown for application dependency updates
8465c1c 
Dependabot's cooldown function is a protection against supply chain
attacks. There have been a lot of these recently against npm.

By waiting a week before pulling new package versions, we are much
less likely to be exposed to malicious versions before they are yanked
from the package index.

We may wish to tweak this for particular packages, e.g. if they are
internally authored. We are already excluding nhsuk-frontend from
dependabot so we don't need to worry about that one.

I'm not sure about terraform updates so I've left that alone in this
commit.
@malcolmbaig malcolmbaig changed the title add cooldown for application dependency updates Add cooldown for application dependency updates Nov 25, 2025
carlosmartinez
carlosmartinez approved these changes Nov 25, 2025
View reviewed changes
Copy link
Contributor

@carlosmartinez carlosmartinez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MatMoore MatMoore merged commit 70b19dc into main Nov 25, 2025
12 checks passed
@MatMoore MatMoore deleted the dependabot-cooldown branch November 25, 2025 11:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carlosmartinez carlosmartinez carlosmartinez approved these changes

@malcolmbaig malcolmbaig malcolmbaig approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MatMoore @carlosmartinez @malcolmbaig