
security: Delay dependabot updates #343

Open
afsmeira wants to merge 1 commit into master from am/delay-dependabot-updates

Conversation

@afsmeira

7 days should be enough when most malicious packages are patched within 24 hours.

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


@codacy-production codacy-production Bot left a comment


Pull Request Overview

The proposed changes attempt to introduce a 7-day delay for Dependabot updates using a cooldown property. However, this property is not supported by the GitHub Dependabot schema (v2).

Critical Blocker

Implementing this change will cause the Dependabot configuration to fail validation, effectively disabling updates for the Composer ecosystem instead of delaying them. Since the primary acceptance criterion—a 7-day delay—cannot be met via this configuration key, this PR should not be merged in its current state. You may need to explore alternative solutions such as custom GitHub Actions to filter pull requests by age.

About this PR

  • The objective of delaying updates by 7 days cannot be achieved using the dependabot.yml configuration. GitHub does not currently provide a native 'cooldown' or 'delay' mechanism. Using unsupported keys will result in a configuration error.

Test suggestions

  • Verify that the Dependabot configuration is valid and successfully implements a 7-day delay for updates.

Comment thread .github/dependabot.yml
Comment on lines +12 to +13
cooldown:
default-days: 7
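Review bot: `default-days: 7` must be indented one level beneath `cooldown:` so YAML parses it as a child of that key; in the rendered lines +12 to +13 both keys sit at the same column, so confirm the nesting in the committed file before merging. Also confirm that `cooldown` is accepted by the Dependabot v2 schema for the Composer ecosystem configured here, because an unrecognized key would stop Dependabot updates for that ecosystem instead of delaying them, which is the opposite of the security intent stated in the description. Finally, the 24-hour rationale from the PR description belongs in a YAML comment above the block (e.g. `# 7-day cooldown: most malicious package versions are pulled within 24h`) so the next maintainer knows why the window is 7 days.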


🔴 HIGH RISK

The cooldown property is not a valid GitHub Dependabot configuration option. Including unsupported keys will cause the configuration to fail validation, which prevents the service from running for the Composer ecosystem. Dependabot does not currently offer a native 'delay' or 'cooldown' feature via YAML. To achieve this behavior, you would typically need to use a custom GitHub Action to manage the lifecycle of the PRs created by Dependabot.
