.github/dependabot.yml: enforce dependency cooldown

alanorth · alanorth · commit f4417bc849a3 · 2025-11-24T10:57:17.000+03:00
Mitigate some classes of supply chain attacks by delaying updates of our dependencies by seven days from their initial release. See: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -15,6 +15,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -136,6 +140,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -257,6 +265,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -378,6 +390,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
