https://github.com/python/cpython/commit/2746c698e33fabd2eb886b0994141b29f14f1d91 commit: 2746c698e33fabd2eb886b0994141b29f14f1d91 branch: main author: Gregory P. Smith <[email protected]> committer: gpshead <[email protected]> date: 2025-11-23T01:34:48-08:00 summary:
[security] Add a cooldown period to dependabot (GH-141866) See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns and the description in the comment. files: M .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c8a3165d690364..7f3376f8ddb1e2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,11 @@ updates: update-types: - "version-update:semver-minor" - "version-update:semver-patch" + cooldown: + # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns + # Cooldowns protect against supply chain attacks by avoiding the + # highest-risk window immediately after new releases. + default-days: 14 - package-ecosystem: "pip" directory: "/Tools/" schedule: @@ -19,3 +24,5 @@ updates: labels: - "skip issue" - "skip news" + cooldown: + default-days: 14
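Review bot: in the first hunk the new `cooldown:` block is inserted directly after the `update-types` list of the ignore rule, and the flattened view here hides indentation; it must sit at the same level as the entry's other top-level keys (such as `schedule:`), not nested under the ignore rule, or Dependabot will reject the configuration. The comment also says what cooldowns protect against but not what they cost: a line noting that every version update for this ecosystem is now held for 14 days would help anyone who later lowers `default-days` weigh that against the "highest-risk window" rationale cited.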
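Review bot: the second hunk adds `cooldown:` with `default-days: 14` to the pip entry for `/Tools/` without the explanatory comment the first hunk carries; a one-line comment pointing at the rationale above (or at the linked post) keeps the two entries from drifting apart if someone later tunes only one of them. It would also be worth confirming in the comment whether updates driven by security advisories for these pinned tool dependencies are subject to the same 14-day hold, since that is the case where a delay is least desirable.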
