From 441952f0ed5178d8427afb149ef5965123ef2cce Mon Sep 17 00:00:00 2001 From: Corey Newton Date: Wed, 20 May 2026 02:50:30 -0700 Subject: [PATCH] chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685) - Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further. - Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104 - I've opted to use the more conservative 3-day cooldown as this is the default in some tools. - Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed. Ref. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown- --- .github/dependabot.yml | 6 ++++-- .npmrc | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d3ac9c91b8..f2378cfedd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,7 +13,8 @@ updates: day: 'monday' time: '09:00' timezone: 'Europe/Berlin' - + cooldown: + default-days: 3 open-pull-requests-limit: 10 reviewers: @@ -38,7 +39,8 @@ updates: day: 'monday' time: '09:00' timezone: 'Europe/Berlin' - + cooldown: + default-days: 3 # Limit concurrent PRs to avoid overwhelming maintainers open-pull-requests-limit: 5 diff --git a/.npmrc b/.npmrc index 214c29d139..1bd59b7622 100644 --- a/.npmrc +++ b/.npmrc @@ -1 +1,2 @@ registry=https://registry.npmjs.org/ +min-release-age=3 \ No newline at end of file