2352f30b61
As suggested by @flavorjones, and explained in: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns This applies: - 7 days as default: from the article, a 7-day cooldown would have prevented 8 out of 10 recent supply chain attacks. It seems reasonably long but not crazy long. - 14 days for major versions, to give some time to the community to find problems.
34 lines
720 B
YAML
34 lines
720 B
YAML
version: 2
|
|
|
|
registries:
|
|
github-basecamp:
|
|
type: git
|
|
url: https://github.com
|
|
username: x-access-token
|
|
password: ${{secrets.GH_TOKEN}}
|
|
|
|
updates:
|
|
- package-ecosystem: bundler
|
|
registries:
|
|
- github-basecamp
|
|
directory: "/"
|
|
insecure-external-code-execution: allow
|
|
open-pull-requests-limit: 10
|
|
vendor: false
|
|
groups:
|
|
development-dependencies:
|
|
dependency-type: "development"
|
|
schedule:
|
|
interval: weekly
|
|
cooldown:
|
|
default-days: 7
|
|
semver-major-days: 14
|
|
- package-ecosystem: github-actions
|
|
directory: "/"
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 10
|
|
cooldown:
|
|
default-days: 7
|
|
semver-major-days: 14
|