
chore: add dependabot cooldown#1302

Merged
Xe merged 2 commits intomainfrom
Xe/dependabot-cooldown
Nov 21, 2025

Conversation

@Xe
Contributor

@Xe Xe commented Nov 21, 2025

One of the things I need to worry about with Anubis is the idea that someone could pwn a dependency and then get malicious code into prod without realizing it, à la Jia Tan. Given that Anubis relies on tools like Dependabot to manage updating dependencies (good for other reasons), it makes sense to have Dependabot have a 7-day cooldown for new versions of dependencies.

This follows the advice from Yossarian on their blog at [1]. Thanks for the post and the easy to copy/paste snippets!

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)
  • All of my commits have verified signatures

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>
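For readers who want to apply the same mitigation, here is what a Dependabot cooldown configuration looks like. This is an added example, not the diff from this PR (the PR's `.github/dependabot.yml` change is not reproduced on this page); the ecosystems, directories, schedule, day counts and package names below are assumptions chosen to illustrate the `cooldown` block, and the keys used (`default-days`, `semver-major-days`, `semver-minor-days`, `semver-patch-days`, `include`, `exclude`) are the ones Dependabot documents for that block.

```yaml
# .github/dependabot.yml (illustrative example, not the PR's own file)
version: 2
updates:
  # Go modules: every candidate version must have been published at least
  # 7 days ago before Dependabot will open a PR for it. A malicious release
  # that gets yanked or flagged within that window never reaches main.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7

  # npm: the same 7-day floor, with a longer wait for major versions
  # (larger, less-reviewed diffs) and a shorter one for patch releases.
  # Per-semver values override default-days for versions of that kind.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      # Assumed package names: `exclude` lists dependencies that bypass the
      # cooldown entirely (e.g. something you publish yourself and trust);
      # `include` would instead restrict the cooldown to the listed names.
      exclude:
        - "@example/internal-*"

  # GitHub Actions are a supply-chain vector too (a retagged action runs
  # with the workflow's token), so give them a cooldown as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

Two caveats worth checking before relying on this: the cooldown is measured from the version's publish time in the registry, so it only helps if a compromise is noticed and the version pulled or reported within the window, and the wait should be long enough for that to happen in practice (the 7-day figure from the linked post is a floor, not a guarantee). Pin with lockfiles and checksums (`go.sum`, `package-lock.json`) as well, since the cooldown delays which version Dependabot proposes but does not verify what is served for it.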
@Xe Xe self-assigned this Nov 21, 2025
@Xe Xe enabled auto-merge (squash) November 21, 2025 18:59
Comment thread .github/dependabot.yml Fixed
@Xe Xe disabled auto-merge November 21, 2025 19:00
Signed-off-by: Xe Iaso <me@xeiaso.net>
@Xe Xe enabled auto-merge (squash) November 21, 2025 19:04
@Xe Xe merged commit b11d813 into main Nov 21, 2025
20 checks passed
