mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-17 16:37:43 +00:00
chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685)
- Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further. - Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104 - I've opted to use the more conservative 3-day cooldown as this is the default in some tools. - Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed. Ref. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
This commit is contained in:
parent
afe3514818
commit
441952f0ed
2 changed files with 5 additions and 2 deletions
6
.github/dependabot.yml
vendored
6
.github/dependabot.yml
vendored
|
|
@ -13,7 +13,8 @@ updates:
|
|||
day: 'monday'
|
||||
time: '09:00'
|
||||
timezone: 'Europe/Berlin'
|
||||
|
||||
cooldown:
|
||||
default-days: 3
|
||||
open-pull-requests-limit: 10
|
||||
|
||||
reviewers:
|
||||
|
|
@ -38,7 +39,8 @@ updates:
|
|||
day: 'monday'
|
||||
time: '09:00'
|
||||
timezone: 'Europe/Berlin'
|
||||
|
||||
cooldown:
|
||||
default-days: 3
|
||||
# Limit concurrent PRs to avoid overwhelming maintainers
|
||||
open-pull-requests-limit: 5
|
||||
|
||||
|
|
|
|||
1
.npmrc
1
.npmrc
|
|
@ -1 +1,2 @@
|
|||
registry=https://registry.npmjs.org/
|
||||
min-release-age=3
|
||||
Loading…
Add table
Add a link
Reference in a new issue