Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
This PR cannot be merged in its current state as it introduces an invalid configuration key, cooldown, which is not supported by the GitHub Dependabot schema. Adding unrecognized keys will cause Dependabot to fail to parse the file, potentially disabling dependency updates entirely for this repository.
While the goal of delaying updates for security reasons is valid, Dependabot does not natively support a version-age or cooldown feature. To achieve the intended 7-day delay, you would need to use a different tool like Renovate with stabilityDays or reduce the update frequency to weekly to minimize the noise of immediate releases.
About this PR
- The proposed configuration change will not achieve the desired outcome because GitHub Dependabot lacks a native feature to delay updates based on release age. Implementing this would require external workflow logic or switching to a dependency manager with built-in stability delays.
Test suggestions
- Verify that Dependabot correctly parses the configuration without schema errors.
- Confirm that updates are only proposed for versions that have been released for at least 7 days.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that Dependabot correctly parses the configuration without schema errors.
2. Confirm that updates are only proposed for versions that have been released for at least 7 days.
cooldown:
  default-days: 7
🔴 HIGH RISK
The cooldown property is not a valid GitHub Dependabot configuration option. Including unsupported keys will cause a schema validation error, which may lead Dependabot to ignore the configuration file entirely or report a syntax error in the repository's Security tab. If the intent is to delay updates until they reach a certain age to avoid malicious or buggy releases, Dependabot does not currently support this feature. Consider changing the interval to weekly to reduce frequency, or evaluate using Renovate which supports a stabilityDays option.
7 days should be enough when most malicious packages are patched within 24 hours.
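The review above says a release-age delay has to live in external workflow logic if the updater will not enforce it. The following is an added example, not code from this PR, from the review bot, or from Dependabot or Renovate: a small release-age gate written in Python over the `time` map that an npm registry package document carries (the real registry returns `{"created": ..., "modified": ..., "<version>": "<ISO timestamp>"}`). The package versions, timestamps and the reference "now" are constructed for the example, and the helper names (`release_age_days`, `is_cooled_down`, `pick_update`) and the `min_days` parameter are my own. Versions that are unknown to the registry document (for example an unpublished release) are treated as not eligible rather than raising.

```python
from datetime import datetime, timezone

# Constructed sample of an npm registry document's "time" map. The shape
# matches what GET https://registry.npmjs.org/<name> returns under "time";
# the versions and timestamps themselves are made up for this example.
SAMPLE_TIME_MAP = {
    "created": "2024-01-05T10:00:00.000Z",
    "modified": "2024-06-01T08:30:00.000Z",
    "1.4.2": "2024-03-12T09:00:00.000Z",
    "1.5.0": "2024-05-30T22:15:00.000Z",
    "1.5.1": "2024-06-01T08:30:00.000Z",
}

# Constructed reference time used by the example run below.
EXAMPLE_NOW = datetime(2024, 6, 2, 0, 0, 0, tzinfo=timezone.utc)


def parse_registry_time(ts: str) -> datetime:
    """npm timestamps are ISO 8601 with milliseconds and a trailing Z.

    Parse them into a timezone-aware UTC datetime so age arithmetic is exact.
    """
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def release_age_days(time_map: dict, version: str, now: datetime):
    """Age of `version` in (fractional) days, or None if the registry document
    has no publish time for it (unpublished, typo, or not yet visible)."""
    ts = time_map.get(version)
    if ts is None:
        return None
    return (now - parse_registry_time(ts)).total_seconds() / 86400.0


def is_cooled_down(time_map: dict, version: str, min_days: float, now: datetime) -> bool:
    """True only when the version has been public for at least `min_days`.

    Unknown versions are never eligible: a gate that cannot verify the age
    should fail closed rather than let the update through.
    """
    age = release_age_days(time_map, version, now)
    return age is not None and age >= min_days


def _version_key(version: str):
    """Sort key for plain numeric versions ("1.5.0").

    Assumption: candidates are dotted integers; pre-release tags are not handled.
    """
    return tuple(int(part) for part in version.split("."))


def pick_update(time_map: dict, current: str, candidates, min_days: float, now: datetime) -> str:
    """Return the newest candidate that has satisfied the cooldown, otherwise
    keep `current`. This is the decision an external workflow would make
    before opening an update PR."""
    for candidate in sorted(candidates, key=_version_key, reverse=True):
        if is_cooled_down(time_map, candidate, min_days, now):
            return candidate
    return current


if __name__ == "__main__":
    candidates = ["1.5.0", "1.5.1"]
    for days in (7, 2, 0):
        chosen = pick_update(SAMPLE_TIME_MAP, "1.4.2", candidates, days, EXAMPLE_NOW)
        print(f"cooldown {days}d: keep/upgrade to {chosen}")
```

With a 7-day cooldown and the constructed data, both newer releases are still inside the window (about 0.65 and 2.07 days old), so the gate keeps 1.4.2; dropping the window to 2 days admits 1.5.0 but still holds back 1.5.1. Note that the gate fails closed on versions missing from the registry document, and that the `time` map is the publish time, not the time the package was first scanned, so a malicious release that is pulled within 24 hours simply never reaches the end of the window.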