7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
This PR attempts to implement a 7-day delay for Dependabot updates to mitigate risks from malicious packages. However, it uses an invalid configuration key cooldown (and potentially default-days) which is not supported by the GitHub Dependabot v2 schema.
As a result, the configuration will likely be ignored or cause a parsing error in GitHub Actions, leaving the repository without the intended protection. Since the acceptance criteria require a functional delay, this PR should not be merged in its current state. You may need to consider alternative strategies such as switching to a weekly schedule to limit update frequency or using third-party tools like Renovate that support minimum release age filters.
About this PR
- The proposed configuration changes use unsupported YAML keys. There is no linked Jira ticket to verify if this specific approach was previously vetted or if there was a misunderstanding of Dependabot's capabilities.
Test suggestions
- Validate .github/dependabot.yml against the official GitHub Dependabot schema.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Validate .github/dependabot.yml against the official GitHub Dependabot schema.