
chore(deps): add 7-day cooldown period to dependabot #10616

Merged
jasonsaayman merged 2 commits into axios:v1.x from shaanmajid:dependabot-cooldown on Apr 1, 2026

Conversation

@shaanmajid
Contributor

@shaanmajid shaanmajid commented Mar 31, 2026

Summary

  • Add 7-day cooldown to Dependabot version updates for both github-actions and npm ecosystems
  • Delays auto-upgrade PRs for newly published versions, giving the community time to flag compromised releases (such as the one axios unfortunately recently experienced)
  • Security updates (via Dependabot security advisories) are unaffected if configured, and still fire immediately
  • See "We should all be using dependency cooldowns" for a thorough explanation of the benefits

Summary by cubic

Adds a 7-day cooldown to Dependabot version updates for github-actions and npm to slow down auto-upgrades and reduce supply-chain risk. Security advisories still open immediately.

Description

  • Summary of changes
    • Set cooldown.default-days: 7 for github-actions and npm in .github/dependabot.yml.
    • Kept weekly schedule and existing labels.
  • Reasoning
    • Avoids pulling in freshly published, potentially compromised releases.
  • Additional context
    • Synced with latest v1.x; no behavior changes.
    • Security advisory PRs bypass the cooldown.

Docs

No docs changes. This only affects Dependabot timing:

  • Version update PRs delay by 7 days.
  • Security advisories remain immediate.

Testing

No code or tests changed. Tests are not needed for this config-only update.

  • Post-merge, verify Dependabot logs show version updates deferred by 7 days.

Written for commit 1845898. Summary will update on new commits.
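The resulting .github/dependabot.yml, written out here as an added example rather than the PR's own diff (which this page does not show); the directory and the label name are assumptions:

```yaml
# .github/dependabot.yml
# Added example reconstructing the change described above; not the PR's diff.
# Assumptions: root directory and the "commit::ci" label.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"          # weekly schedule kept
    labels:
      - "commit::ci"              # assumption: existing label kept
    # A version-update PR for a new release is held back until the
    # release has been public for 7 days. Dependabot security updates
    # (from advisories) are not subject to the cooldown.
    cooldown:
      default-days: 7

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "commit::ci"
    cooldown:
      default-days: 7
```

Dependabot also accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days` under `cooldown` when different waits per bump size are wanted; the PR uses only `default-days`.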

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Member

@jasonsaayman jasonsaayman left a comment


thanks great addition

@jasonsaayman jasonsaayman added labels priority::high (A high priority issue), commit::ci (The PR is related to CI), type::security (The PR is a security related change, normally from a CVE) Apr 1, 2026
@jasonsaayman jasonsaayman merged commit a588181 into axios:v1.x Apr 1, 2026
20 of 21 checks passed
@shaanmajid shaanmajid deleted the dependabot-cooldown branch April 1, 2026 15:23