Add dependabot.yml for automated weekly updates with cooldown delays #367

@Shurtu-gal

Description

I'd like to propose distributing a dependabot.yml configuration to improve our dependency update process and strengthen supply-chain security.

We could have a dependabot or another label for maintainers to opt into this.

Why

  • Dependabot keeps dependencies updated automatically.
  • The cooldown field is particularly useful—it adds a delay before Dependabot creates PRs, giving security researchers and maintainers time to assess upstream releases before we pull them in.
  • This delay is valuable for mitigating supply-chain risks, such as those seen in recent npm incidents (e.g., compromised versions of chalk could have affected cli).

Proposed dependabot.yml

version: 2
updates:
  - package-ecosystem: "npm"
    directories:
      - "**/*"                 # every directory that contains a package.json
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 3          # any bump type without its own key below (here: patch)
      semver-major-days: 7     # wait a week before proposing a major bump
      semver-minor-days: 5     # wait five days before proposing a minor bump

Caution

Our organization uses multiple ecosystems across repositories (e.g., npm, pnpm). Either we can add all package-ecosystem in the same file or just focus on npm. Need some advice on this.
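Added example, not part of the issue above and not Dependabot's own code: a small Python emulation of what the proposed cooldown policy does when applied to the `time` map of an npm registry document. The package, its version history and the fixed "now" are constructed; the per-bump-type classification (major/minor/patch relative to the currently pinned version, with `default-days` as the fallback when no `semver-<kind>-days` key is set) mirrors the documented semantics of the `cooldown` option, not Dependabot's actual implementation.

```python
"""Emulate Dependabot's ``cooldown`` filter against npm registry metadata.

Added example for this issue, not Dependabot's implementation and not part
of the original post. It mirrors the documented semantics of ``cooldown``
(a release must be at least N days old before a PR is opened, with
per-bump-type overrides) so the effect of ``default-days``,
``semver-major-days`` and ``semver-minor-days`` can be inspected offline.
The package and its registry ``time`` map below are constructed.
"""
import re
from datetime import datetime, timezone

# Days, copied from the proposed dependabot.yml. ``semver-patch-days`` is
# deliberately absent so patch bumps fall back to ``default-days``.
COOLDOWN = {
    "default-days": 3,
    "semver-major-days": 7,
    "semver-minor-days": 5,
}

# Constructed stand-in for the ``time`` object of an npm registry document
# (GET https://registry.npmjs.org/<package>), which maps each published
# version to its publish timestamp alongside "created"/"modified" keys.
REGISTRY_TIME = {
    "created": "2024-01-10T00:00:00.000Z",
    "modified": "2025-09-08T18:00:00.000Z",
    "5.3.0": "2025-08-01T12:00:00.000Z",  # the version currently pinned
    "5.3.1": "2025-09-05T12:00:00.000Z",  # patch, exactly 4 days old
    "5.4.0": "2025-09-03T09:00:00.000Z",  # minor, about 6 days old
    "5.4.1": "2025-09-08T18:00:00.000Z",  # minor, published 18 hours ago
    "6.0.0": "2025-08-30T10:00:00.000Z",  # major, about 10 days old
}
# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 9, 9, 12, 0, tzinfo=timezone.utc)

_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # pre-releases are skipped


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; reject anything else."""
    m = _RELEASE.match(version)
    if m is None:
        raise ValueError(f"not a release version: {version!r}")
    return tuple(int(part) for part in m.groups())


def bump_type(current, candidate):
    """Classify candidate relative to current as major, minor or patch."""
    cur, new = parse_version(current), parse_version(candidate)
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def cooldown_days(kind, policy=COOLDOWN):
    """Per-bump-type override if configured, otherwise default-days."""
    return policy.get(f"semver-{kind}-days", policy["default-days"])


def evaluate_updates(current, time_map, now=NOW, policy=COOLDOWN):
    """Return {version: (bump_type, age_in_days, eligible)} for every release
    newer than ``current``; ``eligible`` means its cooldown has elapsed."""
    cur = parse_version(current)
    report = {}
    for version, published in time_map.items():
        if _RELEASE.match(version) is None or parse_version(version) <= cur:
            continue  # skips "created"/"modified", pre-releases, older versions
        released = datetime.fromisoformat(published.replace("Z", "+00:00"))
        age_days = (now - released).total_seconds() / 86400
        kind = bump_type(current, version)
        report[version] = (kind, age_days, age_days >= cooldown_days(kind, policy))
    return report


def eligible_versions(current, time_map, now=NOW, policy=COOLDOWN):
    """Versions the policy would allow Dependabot to propose, lowest first."""
    report = evaluate_updates(current, time_map, now, policy)
    return sorted((v for v, (_, _, ok) in report.items() if ok), key=parse_version)


if __name__ == "__main__":
    rows = sorted(evaluate_updates("5.3.0", REGISTRY_TIME).items(),
                  key=lambda kv: parse_version(kv[0]))
    for version, (kind, age, ok) in rows:
        status = "eligible" if ok else f"held (needs {cooldown_days(kind)}d)"
        print(f"{version:>6}  {kind:<5}  {age:5.2f} days old  {status}")
```

With the pinned version at 5.3.0, the run reports 5.3.1, 5.4.0 and 6.0.0 as eligible and holds 5.4.1, which was published 18 hours earlier and so sits inside the 5-day minor window. That hold is the whole point of the proposal: a freshly published release gets no PR until the cooldown has passed, whatever its bump type.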
