Skip to content

Add cooldown to dependabot actions #360

Description

@freakboy3742

What is the problem or limitation you are having?

Our dependabot configuration currently upgrades all packages to the most recently available versions at the time of publication. This is a potential vector for supply chain attacks, as there's no window for a malicious release to be identified before it is rolled out. Best practice is to add a cooldown period to dependency updates.

Describe the solution you'd like

We should add a 7 day cooldown to our dependabot configuration.

This has already been done to the beeware/.github dependabot configuration. We should make the analogous change to the dependabot configuration in this repository.

Describe alternatives you've considered

Dependabot recently added a default cooldown. However, the issue will still be identified by zizmor (and other auditing tools); and it's better to be explicit rather than implicit.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew features, or improvements to existing features.good first issueIs this your first time contributing? This could be a good place to start!

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions