kaslo/synapse
1
0
Fork 0
Code Packages Releases 124 Wiki Activity

Add a 14-day cooldown for dependency updates (#19258)

Browse Source
This commit is contained in:
Andrew Morgan
2025-12-02 16:45:28 +00:00
committed by GitHub
parent 2862c77837
commit ffd0b4c079
2 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.github/dependabot.yml vendored
View File

@@ -5,19 +5,35 @@ updates:
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "weekly"
# Prevent pulling packages that were recently updated to help mitigate
# supply chain attacks. 14 days was taken from the recommendation at
# https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
# where the author noted that 9/10 attacks would have been mitigated by a
# two week cooldown.
#
# The cooldown only applies to general updates; security updates will still
# be pulled in as soon as possible.
cooldown:
default-days: 14
- package-ecosystem: "docker" - package-ecosystem: "docker"
directory: "/docker" directory: "/docker"
schedule: schedule:
interval: "weekly" interval: "weekly"
cooldown:
default-days: 14
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "weekly"
cooldown:
default-days: 14
- package-ecosystem: "cargo" - package-ecosystem: "cargo"
directory: "/" directory: "/"
versioning-strategy: "lockfile-only" versioning-strategy: "lockfile-only"
schedule: schedule:
interval: "weekly" interval: "weekly"
cooldown:
default-days: 14

1
changelog.d/19258.misc Normal file
View File

@@ -0,0 +1 @@
Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks.