chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685)

- Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further.
- Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104
- I've opted to use the more conservative 3-day cooldown as this is the default in some tools.
- Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed.

Ref.
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
This commit is contained in:
Corey Newton 2026-05-20 02:50:30 -07:00 committed by GitHub
parent afe3514818
commit 441952f0ed
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 2 deletions

View file

@ -13,7 +13,8 @@ updates:
day: 'monday'
time: '09:00'
timezone: 'Europe/Berlin'
cooldown:
default-days: 3
open-pull-requests-limit: 10
reviewers:
@ -38,7 +39,8 @@ updates:
day: 'monday'
time: '09:00'
timezone: 'Europe/Berlin'
cooldown:
default-days: 3
# Limit concurrent PRs to avoid overwhelming maintainers
open-pull-requests-limit: 5

1
.npmrc
View file

@ -1 +1,2 @@
registry=https://registry.npmjs.org/
min-release-age=3