What is the problem or limitation you are having?
Our dependabot configuration currently upgrades all packages to the most recently available versions at the time of publication. This is a potential vector for supply chain attacks, as there's no window for a malicious release to be identified before it is rolled out. Best practice is to add a coolodown period to dependency updates.
Describe the solution you'd like
We should add a 7 day cooldown to our dependabot configuration.
This has already been done to the beeware/.github dependabot configuration. We should make the analogous change to the dependabot configuration in this repository.
Describe alternatives you've considered
Dependabot recently added a default cooldown. However, the issue will still be identified by zizmor (and other auditing tools); and it's better to be explicit rather than implicit.
Additional context
What is the problem or limitation you are having?
Our dependabot configuration currently upgrades all packages to the most recently available versions at the time of publication. This is a potential vector for supply chain attacks, as there's no window for a malicious release to be identified before it is rolled out. Best practice is to add a coolodown period to dependency updates.
Describe the solution you'd like
We should add a 7 day cooldown to our dependabot configuration.
This has already been done to the
beeware/.githubdependabot configuration. We should make the analogous change to the dependabot configuration in this repository.Describe alternatives you've considered
Dependabot recently added a default cooldown. However, the issue will still be identified by zizmor (and other auditing tools); and it's better to be explicit rather than implicit.
Additional context