Skip to content

Set Dependabot cooldown period #221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 31, 2025
Merged

Set Dependabot cooldown period #221

merged 1 commit into from
Oct 31, 2025

Conversation

@oschwald
Copy link
Member

This PR sets the Dependabot cooldown period to 4 days for all package ecosystems.

Context

This addresses zizmor findings that flag missing or insufficient cooldown configuration in dependabot.yml files. The zizmor security tool requires a minimum cooldown of 4 days to avoid potential security issues with rapid dependency updates.

Changes

  • Added/updated cooldown configuration with default-days: 4 for all package ecosystems in .github/dependabot.yml

References

@oschwald
Set Dependabot cooldown period to 4 days
ae1a4cc 
This addresses the zizmor findings by setting a cooldown period of 4 days
for all package ecosystems in dependabot.yml.

Related to: ENG-3236
@mm-kevcenteno mm-kevcenteno merged commit 75f834a into main Oct 31, 2025
72 checks passed
@mm-kevcenteno mm-kevcenteno deleted the greg/eng-3236 branch October 31, 2025 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mm-kevcenteno mm-kevcenteno mm-kevcenteno approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oschwald @mm-kevcenteno