Add dependency-cooldowns / minimum-artifact-age #3762
rtyley wants to merge 1 commit into scala-steward-org:main from
Codecov Report ❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
##             main    #3762   +/-   ##
=======================================
  Coverage   90.02%   90.02%
=======================================
  Files         174      175    +1
  Lines        5053     5075   +22
  Branches      451      464   +13
=======================================
+ Hits         4549     4569   +20
- Misses        504      506    +2

View full report in Codecov by Sentry.
mzuehlke left a comment
The tests are failing and an addition to the default config to document this feature is still missing.
The feature itself looks good 👍
| storeRoot / keyEncoder(key) / s"$name.json" | ||
| private def jsonFile(key: K): File = { | ||
| val file = storeRoot / keyEncoder(key) / s"$name.json" | ||
| println(s"file is ${file}") |
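Review bot: the `println(s"file is ${file}")` in `jsonFile` looks like a leftover debug statement and should be removed (or routed through a logger at debug level) before merge; as written it prints the cache path on every key lookup.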
Thanks @mzuehlke - just to be clear, this PR is not yet ready for review, as you've spotted, the tests are still failing and it's not fully implemented - I think @exoego may have set this PR to ready-for-review by mistake! Looking forward to continuing work on the PR soon.

Added this small issue that @emdash-ie & I discussed while working on this PR:
…des()` The needs of the Scala Steward codebase don't require a `withNextVersion()` method on `Update.Single` - just a `supersedes()` method supports the sole use, which is `PullRequestRepository.getObsoleteOpenPullRequests()` needing to know if one `Update` can be replaced by another one. The original `withNewerVersions()` method was added in response to this PR comment: #1667 (comment) ...but we reckon replacing it with a slightly different check of the group and artifact IDs makes for clearer, more explicit code. This small refactor is extracted from #3762 (originally commit a11ee91), making that PR a little smaller! Co-authored-by: Emily Bourke <emily.bourke@guardian.co.uk>
| final case class MatchResult( | ||
| byArtifactId: List[UpdatePattern], | ||
| filteredVersions: List[Version] | ||
| filteredVersions: Set[Version] |
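Review bot: changing `filteredVersions` from `List[Version]` to `Set[Version]` drops the ordering guarantee and makes `MatchResult` equality order-insensitive; worth confirming that no caller or test still sorts, indexes or takes the head of this field, and updating any test fixtures that compare it against an ordered list.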
This becomes a Set because it gives better performance on checking if a version was in there, and no remaining consuming code was relying on the ordering.
This PR adds a new `updates.cooldown` config option to allow configuring Scala Steward to defer suggesting an update to a new version of a dependency, until that version has survived a 'cooldown' period (eg 7 days). This is intended to be useful to users who want to reduce the risk of updating to a malicious new version of a dependency before it's been examined by their supply-chain security vendor, addressing:

* scala-steward-org#3757

Note that applying a cooldown does not necessarily mean that you will get _fewer_ updates - just that any update offered will be at least as old as specified. Artifacts that are too recent will get rejected with a `TooRecentForCooldown` rejection reason.

## Internal changes

* `VersionsCache` now persists `VersionWithFirstSeen` rather than `Version`, allowing us to record when a new version was first seen by this Scala Steward instance (the only simple & reliable way to find out how old a Maven artifact is!). We've added `VersionsCacheTest` to ensure we can still decode both old and new versions of the cache data.

## Config

```
updates.cooldown = { minimumAge: "7 days" }
```

Co-authored-by: Roberto Tyley <roberto.tyley@guardian.co.uk>
@emdash-ie & myself (@rtyley) are co-authors of this work.
This PR adds a new `updates.cooldown` config option to allow configuring Scala Steward to defer suggesting an update to a new version of a dependency, until that version has survived a 'cooldown' period (eg 7 days). This is intended to be useful to users who want to reduce the risk of updating to a malicious new version of a dependency before it's been examined by their supply-chain security vendor, addressing:
Note that applying a cooldown does not necessarily mean that you will get fewer updates - just that any update offered will be at least as old as specified.
Artifacts that are too recent will get rejected with a `TooRecentForCooldown` rejection reason.

## Internal changes

* `VersionsCache` now persists `VersionWithFirstSeen` rather than `Version`, allowing us to record when a new version was first seen by this Scala Steward instance (the only simple & reliable way to find out how old a Maven artifact is!). We've added `VersionsCacheTest` to ensure we can still decode both old and new versions of the cache data.
* `ArtifactUpdateCandidates`: `newerVersionsWithFirstSeen: Nel[VersionWithFirstSeen]`, so that the candidate versions can be evaluated by age.
* `filterVersions()` & `filterVersionsWithFirstSeen()`, which filter the versions of the update and return an `Option[ArtifactUpdateCandidates]`, with a value of `None` if no versions are left - this extracts that logic from several places in the Scala Steward codebase (`isAllowed`, `isPinned`, `isIgnored` & `scalaLTSFilter`).

## Config
Right now there's a simple single value that can be configured - this is the cooldown period for all artifacts:
## Future config
Later on, in a subsequent PR, we might allow syntax like this, for example stating that we want all Guardian updates promptly, but all other artifacts only once they're 7 days old:
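As an added illustration (not the PR's Scala code), the Python below models the mechanism described in this PR: a versions cache that records when this instance first saw each version, decoding of both the old (bare version) and new (version plus first-seen) cache layouts, and the age check that defers too-recent candidates with the `TooRecentForCooldown` reason while still offering an older version that has cleared the cooldown. The JSON layouts, the function names, and the rule that a timestamp-less entry starts its cooldown at decode time are assumptions of this model, not behaviour the PR states.

```python
# Added model of scala-steward's dependency cooldown (PR #3762); this is not
# the project's Scala code. Function names and JSON layouts are assumptions.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

TOO_RECENT = "TooRecentForCooldown"  # rejection reason named in the PR

@dataclass(frozen=True)
class VersionWithFirstSeen:
    version: tuple        # numeric components, e.g. (1, 9, 0)
    first_seen: datetime  # when THIS steward instance first observed it

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def decode_cache(raw: str, now: datetime) -> list:
    """Decode either cache layout (constructed): old = ["1.9.0", ...],
    new = [{"version": "1.9.0", "firstSeen": "<ISO date>"}, ...]. Assumption:
    an entry without a timestamp counts as first seen *now* (fresh cooldown)."""
    out = []
    for entry in json.loads(raw):
        if isinstance(entry, str):
            out.append(VersionWithFirstSeen(parse_version(entry), now))
        else:
            seen = datetime.fromisoformat(entry["firstSeen"])
            out.append(VersionWithFirstSeen(parse_version(entry["version"]), seen))
    return out

def filter_versions(current: str, cache: list, now: datetime, min_age: timedelta):
    """Return (offerable newer versions, newest first; {version: reason} deferred)."""
    allowed, rejected = [], {}
    for vfs in cache:
        if vfs.version <= parse_version(current):
            continue  # not an update at all
        if now - vfs.first_seen < min_age:
            rejected[".".join(map(str, vfs.version))] = TOO_RECENT
        else:
            allowed.append(vfs.version)
    return [".".join(map(str, v)) for v in sorted(allowed, reverse=True)], rejected
NOW = datetime(2025, 1, 15)     # constructed "today" for the demos
SEVEN_DAYS = timedelta(days=7)  # i.e. updates.cooldown = { minimumAge: "7 days" }

def demo_new_format():
    """2.0.0 is 1 day old (deferred); 1.9.0 is 14 days old (offered)."""
    cache = json.dumps([{"version": "2.0.0", "firstSeen": "2025-01-14"},
                        {"version": "1.9.0", "firstSeen": "2025-01-01"}])
    return filter_versions("1.8.0", decode_cache(cache, NOW), NOW, SEVEN_DAYS)
def demo_old_format():  # timestamp-less cache: every newer version restarts its cooldown
    return filter_versions("1.8.0", decode_cache('["1.9.0", "2.0.0"]', NOW), NOW, SEVEN_DAYS)
```

Under the assumption above, a wiped cache or a migrated timestamp-less one restarts every cooldown, so the first run after such a change defers all currently known newer versions rather than exempting them; that is the safe direction for a supply-chain control, but it is worth expecting when reviewing the first batch of results.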