From 2352f30b614a5e2a09a8dc6aefb8a36742f6ff12 Mon Sep 17 00:00:00 2001 From: Rosa Gutierrez Date: Mon, 8 Dec 2025 20:05:03 +0100 Subject: [PATCH] Adopt a cooldown period for dependency updates As suggested by @flavorjones, and explained in: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns This applies: - 7 days as default: from the article, a 7-day cooldown would have prevented 8 out of 10 recent supply chain attacks. It seems reasonably long but not crazy long. - 14 days for major versions, to give some time to the community to find problems. --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 86c66c646..f4f755614 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -20,8 +20,14 @@ updates: dependency-type: "development" schedule: interval: weekly + cooldown: + default-days: 7 + semver-major-days: 14 - package-ecosystem: github-actions directory: "/" schedule: interval: weekly open-pull-requests-limit: 10 + cooldown: + default-days: 7 + semver-major-days: 14