Files
fizzy/.github/dependabot.yml
T
Rosa Gutierrez 2352f30b61 Adopt a cooldown period for dependency updates
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
2025-12-08 20:05:03 +01:00

34 lines
720 B
YAML

version: 2
registries:
github-basecamp:
type: git
url: https://github.com
username: x-access-token
password: ${{secrets.GH_TOKEN}}
updates:
- package-ecosystem: bundler
registries:
- github-basecamp
directory: "/"
insecure-external-code-execution: allow
open-pull-requests-limit: 10
vendor: false
groups:
development-dependencies:
dependency-type: "development"
schedule:
interval: weekly
cooldown:
default-days: 7
semver-major-days: 14
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 10
cooldown:
default-days: 7
semver-major-days: 14