Feature request: dependabot proposed updates that are at least X days old

[ffissore]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Other

Body

Given:

• the surge in supply chain attacks in recents months
• that these attacks all rely on publishing newer versions of packages
• that even if you are pinning your dependencies, an unlucky dependabot PR happening at the right time may still inject malicious updates
• that, at least so far, supply chain attacks have been discovered and fixed in a matter of hours or days

it would be nice if dependabot had an option to provide updates ONLY if they are older than a certain amount of days.

Supply chain attacks come in as waves: a package is affected, some project gets infected, the attack is discovered, the malicious version removed, things get back to normal.
By making dependabot wait for, say, 2 days or 1 week before it provides a certain update, we'll have higher chances the attack is discovered and fixed.

[ffissore]

Oh there is: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-

[itxashancode]

[queenofcorgis]

@itxashancode

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.