chore(dependabot): group security & supply chain attack hardening#2850
chore(dependabot): group security & supply chain attack hardening#2850CorieW wants to merge 4 commits into
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Dependabot configuration to introduce specific grouping rules for version and security updates. The reviewer provided feedback regarding the naming of these new groups, noting that 'version-minor-and-patch-by-dependency' is misleading since it groups all dependencies together, and 'security-minor-and-patch' is inconsistent because it includes major updates.
|
An easy supply chain attack hardening win for npm ecosystem is to enable dependabot "cooldown" parameters in concert with package manager config change to disallow packages younger than X days (eg 3) |
ooh good point |
CorieW
changed the title
3 participants
This pull request updates the
.github/dependabot.ymlconfiguration to improve how dependency updates are grouped, labeled, and managed. The changes refine update grouping for both regular and security updates, add commit message customization, and clarify ignored update types.Dependabot configuration improvements:
version-minor-and-patch-by-dependencyfor regular updates andsecurity-minor-and-patchfor security updates, with more precise control over which update types are included in each group.cooldownhelps avoid vulnerable package releases, as seen recently with the Mini Shai-Hulud worm stuff. These types of releases are often detected very early, so this property should massively aid in avoiding this problem.