Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
The implementation uses a non-existent configuration property (cooldown) in .github/dependabot.yml. GitHub Dependabot does not currently support a native 'minimum release age' or delay feature. As a result, this PR will not achieve the goal of delaying npm updates by 7 days and will likely result in a configuration error.
To achieve this security requirement, consider using a third-party tool like Renovate Bot, which supports the minimumReleaseAge property, or implementing a custom GitHub Action to manage the lifecycle of Dependabot PRs based on the package release date.
About this PR
- The attempt to delay updates via a cooldown property is fundamentally incompatible with GitHub Dependabot's current feature set. The configuration will either be ignored or cause the Dependabot service to fail for this repository.
Test suggestions
- Verify dependabot.yml syntax against the official GitHub Dependabot schema.
- Confirm that a new npm package version released less than 7 days ago does not trigger a PR.
| cooldown: | ||
| default-days: 7 |
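Review bot: the two lines shown (`cooldown:` and `default-days: 7`) carry no parent keys and no indentation, so it is not possible to tell from this snippet whether the block is nested under the npm entry in `updates:` or sits at the top level of dependabot.yml; include the enclosing `updates` entry in the diff context (or confirm the indentation) so the placement can be checked against the schema, as the test suggestions ask.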
🔴 HIGH RISK
The cooldown property is not a valid GitHub Dependabot configuration option. Including it will result in configuration parsing errors or the setting being silently ignored, meaning the 7-day delay requirement will not be met.
Dependabot does not have a native feature to wait for a specific number of days after a package release. If this security delay is required, consider alternative approaches:
- Migrating to Renovate Bot, which supports minimumReleaseAge.
- Implementing a GitHub Action to auto-merge or approve Dependabot PRs only after a specific delay.
You can verify the official schema requirements in the GitHub documentation or by using an IDE-based YAML validator.
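A release-age gate of the kind the review proposes for a custom GitHub Action, as an added example in Python; this is not code from the PR, from Dependabot, or from the review bot. It assumes the npm registry's per-package `time` map (version to publish timestamp, as returned by `GET /<package>`), uses a constructed registry document for a hypothetical package `example-pkg`, and pins `now` so the result is reproducible. It also shows the general form of the check, picking the newest version that has already cleared the cooldown rather than only testing `latest`.

```python
"""Release-age gate for npm package versions (added example, not PR code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of a registry document for a hypothetical package.
# Real documents carry the same "time" map keyed by version, plus the
# "created" and "modified" entries; timestamps are ISO-8601 in UTC.
SAMPLE_REGISTRY_DOC = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-14T09:00:00.000Z",
        "1.9.0": "2024-02-20T12:00:00.000Z",
        "1.9.1": "2024-03-04T12:00:00.000Z",
        "2.0.0": "2024-03-14T09:00:00.000Z",
    },
}

# Fixed "now" so the example is deterministic; an Action would use
# datetime.now(timezone.utc) instead.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


def parse_npm_time(value: str) -> datetime:
    """Parse the registry's 'Z'-suffixed ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def release_age_days(doc: dict, version: str, now: datetime = NOW) -> float:
    """Days since `version` was published, per the registry 'time' map.

    Raises KeyError when the version has no publish timestamp; a version
    missing from 'time' cannot be vouched for, so callers fail closed.
    """
    published = parse_npm_time(doc["time"][version])
    return (now - published) / timedelta(days=1)


def is_old_enough(doc: dict, version: str, min_days: int, now: datetime = NOW) -> bool:
    """True when `version` has been public for at least `min_days` days."""
    try:
        return release_age_days(doc, version, now) >= min_days
    except KeyError:
        return False  # unknown version: fail closed


def newest_eligible_version(doc: dict, min_days: int, now: datetime = NOW) -> Optional[str]:
    """Newest version that has cleared the cooldown, or None if none has.

    Candidates are ordered by publish time to keep the example dependency-free;
    a production gate should order by semver instead.
    """
    candidates = [
        v for v in doc["time"]
        if v not in ("created", "modified") and is_old_enough(doc, v, min_days, now)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda v: parse_npm_time(doc["time"][v]))


if __name__ == "__main__":
    latest = SAMPLE_REGISTRY_DOC["dist-tags"]["latest"]
    print(f"{latest}: {release_age_days(SAMPLE_REGISTRY_DOC, latest):.1f} days old, "
          f"eligible={is_old_enough(SAMPLE_REGISTRY_DOC, latest, 7)}")
    print("newest eligible under a 7-day cooldown:",
          newest_eligible_version(SAMPLE_REGISTRY_DOC, 7))
```

With the sample data, `latest` (2.0.0) is about a day old and is held back, while 1.9.1 (11 days old) is the newest version a 7-day gate would let through. An Action built on this would fetch the real registry document, call `is_old_enough` for the version a Dependabot PR proposes, and leave the PR unapproved until the check passes.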