Add a 14-day cooldown for dependency updates (#19258)

2025-12-05 01:10:13 +00:00 · 2025-12-02 16:45:28 +00:00
parent 2862c77837
commit ffd0b4c079
2 changed files with 17 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,19 +5,35 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
+    # Prevent pulling packages that were recently updated to help mitigate
+    # supply chain attacks. 14 days was taken from the recommendation at
+    # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+    # where the author noted that 9/10 attacks would have been mitigated by a
+    # two week cooldown.
+    #
+    # The cooldown only applies to general updates; security updates will still
+    # be pulled in as soon as possible.
+    cooldown:
+      default-days: 14

  - package-ecosystem: "docker"
    directory: "/docker"
    schedule:
      interval: "weekly"
+    cooldown:
+      default-days: 14

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
+    cooldown:
+      default-days: 14

  - package-ecosystem: "cargo"
    directory: "/"
    versioning-strategy: "lockfile-only"
    schedule:
      interval: "weekly"
+    cooldown:
+      default-days: 14
--- a/changelog.d/19258.misc
+++ b/changelog.d/19258.misc
@@ -0,0 +1 @@
+Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks.
				`@@ -0,0 +1 @@`
				`Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks.`