Support dependency-cooldowns / minimum-artifact-age to mitigate short-lived supply chain attacks #3757

@rtyley

Description

See:

  • Dependabot supports configuration of a minimum package age - GitHub Blog, July 2025 - it's now very simple to configure Dependabot with a cooldown time period - a feature we don't yet have in Scala Steward
  • We should all be using dependency cooldowns - yossarian, November 2025 - highlights that the attack-window on many open source supply chain attacks is often only a few days - if an artifact is more than a week old, and has not been flagged by a supply chain security vendor, it is more likely to be safe to apply.
  • Example attacks on Maven Central artifacts
    • Typosquatting Attack on Jackson: Typosquatted domain fasterxml.org was registered on 17th December 2025, artifact published 19th December, analysed & reported by Aikido Security on 25th December. "...reported the domain to GoDaddy, and the package to Maven Central. The package was taken down within 1.5 hours.". Window of vulnerability: 6 days
    • Typosquatting Attack on Maven & Jenkins plugins - Window of vulnerability: 10 days
    • Typosquatting Attack on scribejava-core - Window of vulnerability: January 2024 to March 2025, over 1 year
    • Note - the above are all typosquatting attacks, so would not have involved a dependency-update tool like Scala Steward - these are essentially new artifacts that are accidentally being manually chosen by devs. But perhaps they can give us some idea of how long malicious artifacts might persist in Maven Central before being spotted. In my cursory googling, I was not actually able to find an example of a malicious Java artifact being published as an update for a legitimate library - let me know when you find one!

For Scala Steward, this issue is a revisit of a few old issues/PRs:

Sources of artifact-age data

Unfortunately, Maven does not currently encode a way to tell an artifact's publication date:

https://stackoverflow.com/q/69790966/438886

Questions

  • How do we want to configure this? What should the configuration look like?

GitHub's Dependabot config for comparison

Not implying we'd want to reproduce every option here, just for information:

updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 5
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      include:
        - "requests"
        - "numpy"
        - "pandas*"
        - "django"
      exclude:
        - "pandas"
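As an added example (not Scala Steward code and not part of the issue text), the snippet below evaluates the cooldown semantics of the Dependabot config above in Python: per-level days for major/minor/patch bumps, fallback to default-days when a level has no value, and include/exclude globs. The semver classification, the rule that exclude beats include, the use of the repository's HTTP Last-Modified header on the POM as the publication time, and all package names, versions and dates are assumptions constructed for the example.

```python
"""Cooldown-policy evaluation modelled on the Dependabot config above.

Added example; not Scala Steward code. The config shape (per-level days,
fallback to default-days, include/exclude globs) follows the snippet in the
issue; the precedence rules and the inputs below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Cooldown:
    default_days: int = 0
    semver_major_days: Optional[int] = None
    semver_minor_days: Optional[int] = None
    semver_patch_days: Optional[int] = None
    include: List[str] = field(default_factory=list)  # empty list = every package
    exclude: List[str] = field(default_factory=list)

    def applies_to(self, package: str) -> bool:
        # ASSUMPTION: an exclude match beats include, and an empty include means "all".
        if any(fnmatchcase(package, pat) for pat in self.exclude):
            return False
        return not self.include or any(fnmatchcase(package, pat) for pat in self.include)

    def days_for(self, bump: str) -> int:
        # A level without its own value falls back to default-days.
        per_level = {"major": self.semver_major_days,
                     "minor": self.semver_minor_days,
                     "patch": self.semver_patch_days}
        days = per_level.get(bump)
        return self.default_days if days is None else days


def semver_bump(current: str, candidate: str) -> str:
    """Classify candidate relative to current as major/minor/patch.

    Pre-release and build suffixes are ignored; missing components count as 0.
    """
    def core(v: str) -> List[int]:
        nums: List[int] = []
        for piece in v.split("-")[0].split("+")[0].split("."):
            if not piece.isdigit():
                break
            nums.append(int(piece))
        return (nums + [0, 0, 0])[:3]

    cur, new = core(current), core(candidate)
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def published_at_from_header(last_modified: str) -> datetime:
    """Publication time taken from the HTTP Last-Modified header of the POM.

    ASSUMPTION: the repository's Last-Modified reflects upload time; as the
    issue notes, Maven metadata itself carries no per-version publication date.
    """
    dt = parsedate_to_datetime(last_modified)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_eligible(policy: Cooldown, package: str, current: str, candidate: str,
                published_at: datetime, now: datetime) -> Tuple[bool, str]:
    """True when the candidate is old enough under the policy for this package."""
    if not policy.applies_to(package):
        return True, "no cooldown applies to this package"
    bump = semver_bump(current, candidate)
    required = timedelta(days=policy.days_for(bump))
    age = now - published_at
    return age >= required, f"{bump} update is {age.days}d old; cooldown is {required.days}d"


# The policy from the issue's Dependabot snippet.
ISSUE_POLICY = Cooldown(default_days=5, semver_major_days=30, semver_minor_days=7,
                        semver_patch_days=3,
                        include=["requests", "numpy", "pandas*", "django"],
                        exclude=["pandas"])

# Constructed inputs (not real repository data): a fixed "now" and Last-Modified headers.
NOW = datetime(2025, 12, 23, 12, 0, tzinfo=timezone.utc)
CANDIDATES = [
    ("requests", "2.31.0", "2.32.0", "Fri, 19 Dec 2025 10:00:00 GMT"),      # minor, 4d old
    ("django", "4.2", "4.2.1", "Fri, 19 Dec 2025 10:00:00 GMT"),            # patch, 4d old
    ("pandas", "2.2.0", "2.2.1", "Fri, 19 Dec 2025 10:00:00 GMT"),          # excluded
    ("pandas-stubs", "2.2.0", "3.0.0", "Sat, 01 Nov 2025 08:00:00 GMT"),    # major, 52d old
]


def evaluate_candidates() -> Dict[str, Tuple[bool, str]]:
    return {pkg: is_eligible(ISSUE_POLICY, pkg, cur, new, published_at_from_header(hdr), NOW)
            for pkg, cur, new, hdr in CANDIDATES}


if __name__ == "__main__":
    for pkg, (ok, why) in evaluate_candidates().items():
        print(f"{pkg:13} {'apply' if ok else 'defer'}  {why}")
```

With these inputs the requests minor bump (4 days old, 7-day cooldown) is deferred, the django patch (4 days, 3-day cooldown) and the pandas-stubs major bump (52 days, 30-day cooldown) are applied, and pandas is applied unconditionally because it is excluded from the policy. Whether a cooldown bypass should apply when an update fixes a reported vulnerability is a separate policy question not modelled here.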
