chore: disable automated dependency updater config [incident-51602] #8364

Merged
bouwkast merged 3 commits into master from disable-dep-updaters-incident-51602
Mar 24, 2026

@moezein0
Contributor

As part of #incident-51602, we are temporarily disabling all automated dependency updaters to reduce exposure to potential zero-day vulnerabilities in recent releases.

This PR disables the Dependabot/Renovate configuration not managed by ADMS by commenting out (YAML) or renaming (JSON) the config file. Please do not re-enable until further notice.
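
A check for the procedure described above, as an added example that is not part of the PR or the repository: it reports updater configs that are still in effect after YAML files have been commented out and JSON files renamed. The path lists are the default Dependabot and Renovate config locations; the sample tree and the `.disabled` suffix are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Repo-root-relative locations that Dependabot and Renovate read by default.
DEPENDABOT_PATHS = (".github/dependabot.yml", ".github/dependabot.yaml")
RENOVATE_PATHS = ("renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json",
                  ".renovaterc.json5", ".github/renovate.json", ".github/renovate.json5",
                  ".gitlab/renovate.json", ".gitlab/renovate.json5")

def yaml_is_inert(text):
    """True when every line is blank or a '#' comment, so the file defines nothing."""
    return all(not ln.strip() or ln.lstrip().startswith("#") for ln in text.splitlines())

def live_updater_configs(repo_root):
    """Return repo-relative paths of updater configs that are still in effect."""
    root, live = Path(repo_root), []
    for rel in DEPENDABOT_PATHS:
        f = root / rel
        if f.is_file() and not yaml_is_inert(f.read_text(encoding="utf-8")):
            live.append(rel)
    # Renovate files are disabled by renaming, so any file still at a known path is reported.
    live += [rel for rel in RENOVATE_PATHS if (root / rel).is_file()]
    pkg = root / "package.json"
    if pkg.is_file():
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            data = None  # unparsable package.json carries no readable config
        if isinstance(data, dict) and "renovate" in data:
            live.append("package.json#renovate")
    return sorted(live)

def build_sample_repo(root):
    """Constructed sample tree: one config commented out, one renamed, two missed."""
    files = {
        ".github/dependabot.yml": "# version: 2\n# updates:\n#   - package-ecosystem: nuget\n",
        "renovate.json.disabled": '{"extends": ["config:recommended"]}\n',
        ".github/renovate.json5": "{ extends: ['config:recommended'] }\n",
        "package.json": '{"name": "sample", "renovate": {"enabled": true}}\n',
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(live_updater_configs(tmp))
```

An empty result means no updater config at a default location is still live; it says nothing about updaters configured outside the repository.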

@moezein0 moezein0 requested a review from a team as a code owner March 24, 2026 20:14
@github-actions github-actions bot added the area:builds project files, build scripts, pipelines, versioning, releases, packages label Mar 24, 2026
Collaborator

@bouwkast bouwkast left a comment

Couple of issues

minor: commits need to be signed

larger: this isn't all of our automated package updates, if the intention is to disable all automated dependency updates it will need to be much more expansive than just this.

If so, I'd suggest one of the dd-trace-dotnet maintainers to take this

@moezein0
Contributor Author

@bouwkast these are all Claude generated, will re-run the workflow on these PRs to sign the commits.

> larger: this isn't all of our automated package updates, if the intention is to disable all automated dependency updates it will need to be much more expansive than just this.

Can you share more details on this? What else do we need to disable?

@bouwkast bouwkast force-pushed the disable-dep-updaters-incident-51602 branch from efcf1a0 to 71ae961 Compare March 24, 2026 20:42
@bouwkast bouwkast self-requested a review March 24, 2026 20:42
@pr-commenter

pr-commenter bot commented Mar 24, 2026

Benchmarks

Benchmark execution time: 2026-03-24 21:28:03

Comparing candidate commit 71ae961 in PR branch disable-dep-updaters-incident-51602 with baseline commit 1bb5b79 in branch master.

Found 7 performance improvements and 12 performance regressions! Performance is the same for 255 metrics, 14 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:Benchmarks.Trace.AgentWriterBenchmark.WriteAndFlushEnrichedTraces netcoreapp3.1

  • 🟩 execution_time [-90.406ms; -89.537ms] or [-44.758%; -44.328%]

scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorMoreComplexBody net6.0

  • 🟥 execution_time [+10.153ms; +15.742ms] or [+5.078%; +7.872%]

scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorSimpleBody net6.0

  • 🟥 execution_time [+18.956ms; +23.568ms] or [+9.638%; +11.983%]

scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces net472

  • 🟩 execution_time [-41.539ms; -35.588ms] or [-17.936%; -15.367%]

scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces net6.0

  • 🟥 throughput [-198.422op/s; -116.899op/s] or [-12.377%; -7.292%]

scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces netcoreapp3.1

  • 🟥 execution_time [+65.332ms; +69.006ms] or [+41.459%; +43.791%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OptimizedCharSlice net6.0

  • 🟥 execution_time [+92.562µs; +102.958µs] or [+6.662%; +7.410%]
  • 🟥 throughput [-49.773op/s; -44.836op/s] or [-6.915%; -6.229%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OriginalCharSlice net472

  • 🟥 execution_time [+149.820µs; +154.567µs] or [+5.869%; +6.055%]
  • 🟥 throughput [-22.379op/s; -21.703op/s] or [-5.713%; -5.540%]

scenario:Benchmarks.Trace.ElasticsearchBenchmark.CallElasticsearchAsync net6.0

  • 🟥 throughput [-64375.079op/s; -51619.122op/s] or [-10.286%; -8.248%]

scenario:Benchmarks.Trace.GraphQLBenchmark.ExecuteAsync net6.0

  • 🟩 throughput [+27603.848op/s; +37046.739op/s] or [+5.509%; +7.393%]

scenario:Benchmarks.Trace.ILoggerBenchmark.EnrichedLog netcoreapp3.1

  • 🟩 throughput [+16117.720op/s; +23932.683op/s] or [+6.149%; +9.131%]

scenario:Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatAspectBenchmark net6.0

  • 🟥 allocated_mem [+15.881KB; +15.917KB] or [+6.170%; +6.184%]

scenario:Benchmarks.Trace.Log4netBenchmark.EnrichedLog netcoreapp3.1

  • 🟩 execution_time [-29.227ms; -26.905ms] or [-14.618%; -13.457%]

scenario:Benchmarks.Trace.SerilogBenchmark.EnrichedLog netcoreapp3.1

  • 🟥 throughput [-11703.545op/s; -10030.998op/s] or [-6.604%; -5.660%]

scenario:Benchmarks.Trace.SpanBenchmark.StartFinishSpan net6.0

  • 🟩 execution_time [-25.990ms; -20.542ms] or [-11.880%; -9.390%]

scenario:Benchmarks.Trace.TraceAnnotationsBenchmark.RunOnMethodBegin net472

  • 🟩 throughput [+44288.458op/s; +50806.821op/s] or [+6.555%; +7.520%]

scenario:Benchmarks.Trace.TraceAnnotationsBenchmark.RunOnMethodBegin net6.0

  • 🟥 execution_time [+14.904ms; +20.021ms] or [+7.479%; +10.046%]

@bouwkast bouwkast merged commit 6aadb93 into master Mar 24, 2026
100 of 103 checks passed
@bouwkast bouwkast deleted the disable-dep-updaters-incident-51602 branch March 24, 2026 22:33
@github-actions github-actions bot added this to the vNext-v3 milestone Mar 24, 2026