
Commit aa025a6

Adopt 7 day cooldown before upgrading dependencies
In an effort to reduce the risk of a supply chain attack, add a 7-day cooldown between when a new version of a dependency is released and when Dependabot creates a PR upgrading to it. Most malicious packages are detected by package vendors (in our case, NPM) relatively quickly. The damage is done in the window between when a malicious package is released, and when it is identified and taken down. By adding a cooldown we narrow the window where a malicious package can be introduced, and hopefully within 7 days this window shrinks to zero and we have no potential exposure at all. At minimum this cooldown shrinks the window we're vulnerable. For a more detailed explanation of how this helps, see: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
1 parent 93ed7ef commit aa025a6
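The cooldown rule described in the commit message, applied by hand, as an added example that is not code from this commit or its repository: a version is eligible for upgrade only once it has been publicly available for at least the cooldown period. The registry data below is constructed to resemble the per-version `time` map the npm registry returns for a package and is not real package data; the package name, version numbers and publish dates are all assumptions.

```python
"""Local dependency cooldown check (added example; assumptions noted in comments).

Mirrors the idea behind Dependabot's `cooldown.default-days`: only versions that
have been public for at least COOLDOWN_DAYS are candidates, so a malicious
release has a chance to be detected and removed before anything picks it up.
"""
import math
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7

# Constructed sample of an npm registry `time` map (version -> ISO-8601 publish
# time). Real registry responses also carry the non-version keys shown here.
SAMPLE_TIME_MAP = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2025-11-20T09:00:00.000Z",
    "1.4.2": "2025-10-01T12:00:00.000Z",
    "1.5.0": "2025-11-10T08:30:00.000Z",
    "1.5.1": "2025-11-18T16:45:00.000Z",  # published inside the 7-day window
    "2.0.0-beta.1": "2025-11-02T10:00:00.000Z",  # pre-release, ignored
}


def parse_semver(version):
    """Return a sortable (major, minor, patch) tuple for a plain X.Y.Z version.

    Returns None for pre-releases, build metadata, and the registry's
    non-version keys such as 'created' and 'modified'.
    """
    if "-" in version or "+" in version:
        return None
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_publish_time(value):
    """Parse the registry's ISO-8601 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cooled_versions(time_map, now, cooldown_days=COOLDOWN_DAYS):
    """Return {version: age_in_days} for releases that have cleared the cooldown."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = {}
    for version, published in time_map.items():
        if parse_semver(version) is None:
            continue
        published_at = parse_publish_time(published)
        if published_at <= cutoff:
            eligible[version] = (now - published_at).days
    return eligible


def latest_cooled_version(time_map, now, cooldown_days=COOLDOWN_DAYS):
    """The newest version (by semver) that has cleared the cooldown, or None."""
    eligible = cooled_versions(time_map, now, cooldown_days)
    if not eligible:
        return None
    return max(eligible, key=parse_semver)


def cooldown_remaining_days(time_map, version, now, cooldown_days=COOLDOWN_DAYS):
    """Whole days until `version` clears the cooldown; 0 if it already has."""
    published_at = parse_publish_time(time_map[version])
    clears_at = published_at + timedelta(days=cooldown_days)
    remaining = (clears_at - now).total_seconds() / 86400
    return max(0, math.ceil(remaining))


if __name__ == "__main__":
    # Fixed "now" so the example is reproducible; in practice use datetime.now(timezone.utc).
    now = datetime(2025, 11, 20, 9, 0, tzinfo=timezone.utc)
    print("cleared cooldown:", cooled_versions(SAMPLE_TIME_MAP, now))
    print("upgrade target:", latest_cooled_version(SAMPLE_TIME_MAP, now))
    print("1.5.1 clears in", cooldown_remaining_days(SAMPLE_TIME_MAP, "1.5.1", now), "day(s)")
```

On the constructed data, `1.5.1` was published two days before the fixed "now", so it is held back and `1.5.0` is chosen instead; the same check can be run against a real registry response before a manual upgrade, which is useful in repositories that are not covered by Dependabot.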

1 file changed: +2 -0 lines changed


.github/dependabot.yml

Lines changed: 2 additions & 0 deletions
@@ -4,6 +4,8 @@ updates:
44
directory: "/"
55
schedule:
66
interval: "weekly"
7+
cooldown:
8+
default-days: 7
79
open-pull-requests-limit: 5
810
allow:
911
- dependency-type: direct
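Review bot: the new `cooldown:` block carries no comment explaining why it exists, so suggest adding a short YAML comment above `cooldown:` (for example `# 7-day cooldown: give the registry time to detect and pull malicious releases`) so the rationale from the commit message survives in the file future maintainers will actually read. Note also that `cooldown` is set on a single `updates` entry here (the one with `directory: "/"` and a weekly `schedule`); if this dependabot.yml has other entries, each needs its own `cooldown` block to get the same protection.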
