[security] Add a cooldown period to dependabot (GH-141866)

See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns and the description in the comment.
Gregory P. Smith 2025-11-23 01:34:48 -08:00 committed by GitHub
parent e73fbbacbb
commit 2746c698e3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -12,6 +12,11 @@ updates:
update-types:
- "version-update:semver-minor"
- "version-update:semver-patch"
cooldown:
# https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
# Cooldowns protect against supply chain attacks by avoiding the
# highest-risk window immediately after new releases.
default-days: 14
- package-ecosystem: "pip"
directory: "/Tools/"
schedule:
@ -19,3 +24,5 @@ updates:
labels:
- "skip issue"
- "skip news"
cooldown:
default-days: 14
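Review bot: The rationale comment added in the first hunk (`# Cooldowns protect against supply chain attacks by avoiding the highest-risk window ...`) overstates what `cooldown` buys, and the `pip` entry's `cooldown:` in the second hunk carries the same `default-days: 14` with no explanation at all. A cooldown only delays Dependabot's own version-update pull requests by release age; it does nothing for a version already in use, for a bump a maintainer makes by hand, and — as far as I can tell from the Dependabot docs, please confirm against the current reference — Dependabot security updates are not held back by it, so a malicious release that also carries an advisory can still be proposed immediately. I would add one line under the existing comment, `# Note: only delays Dependabot version-update PRs; security updates and manual bumps are not covered.`, and a one-line `# Same 14-day cooldown as above; see the rationale in the first entry.` above the pip entry's `cooldown:` so a future reader does not tune one value without the other. The pip entry's mapping ends in this hunk; whether further `updates:` entries follow is outside the view.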