by eranation 19 days ago
So. Dependabot (and renovate) do have "cooldowns" supported, just need to set them up.

For dependabot it's as simple as

cooldown.default-days: 1

There are security researchers (that don't have cooldowns) that usually detect compromises within hours or less, and package managers almost always manage to remove the offending versions in less than 24 hours (usually much less).

So people with 24-hour cooldowns get protected.

Shameless plug: I maintain depsguard.com, which tries to simplify cooldown setup across anything that supports it, in one command (it scans from where you run it, e.g. if you run it from your user folder it will look for any local repos with dependabot / renovate and suggest a change).

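For readers who want to see the setting in context rather than as a dotted key: below is a complete `.github/dependabot.yml` written here as an added example (not taken from the comment author or from depsguard). It assumes a repository with an npm project at the root and uses a 7-day default, per the follow-up comment, with a longer wait for major releases; the numbers are illustrative choices, not recommendations from the thread.

```yaml
# .github/dependabot.yml (added example, constructed for illustration)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      # Minimum age (in days) a new release must reach before Dependabot
      # proposes it. The thread's author used 1; the reply suggests 7-14.
      default-days: 7
      # Major versions carry the most churn and the most review burden,
      # so give them longer to be vetted by the ecosystem.
      semver-major-days: 14
      # Patch releases are where hotfixes for compromised versions land;
      # still wait, but less, so a clean follow-up version is picked up sooner.
      semver-patch-days: 3
```

The cooldown only delays the version bump; any advisory-driven security update that Dependabot opens is still governed by its normal behaviour, so this setting is about not being the first consumer of a freshly published version, not about suppressing alerts.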

> For dependabot it's as simple as
>
> cooldown.default-days: 1

Most people stick to the default of 0. In fact, I am realizing over time that it is best to make it 7-14 days.