By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.
To mitigate these risks, explicitly set the Dependabot cooldown period to 7 days.
Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
- "*"
exclude-patterns:
- "systemd/mkosi"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
- package-ecosystem: "pip"
directory: "/.github/workflows"
schedule:
interval: "monthly"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
- package-ecosystem: "docker"
directory: "/.clusterfuzzlite"
schedule:
interval: "monthly"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
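Review bot: the change adds `cooldown:` / `default-days: 7` to three update entries, but the `package-ecosystem` of the first entry (the one with the `"*"` allow pattern and the `systemd/mkosi` exclusion) is outside the visible context, and any further entries in this file are not shown; please confirm every entry in `updates:` receives the same block, since the zizmor `dependabot-cooldown` audit linked in the description evaluates each entry on its own and will keep flagging any that is left without one. The commit message could also note the trade-off the description leaves implicit: a 7-day cooldown delays every version update, including ones that carry bug or security fixes, by up to a week, so the 7-day value is a deliberate balance between supply-chain risk and update latency rather than a free win.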