security: Delay dependabot updates #24
7 days should be enough when most malicious packages are patched within 24 hours.
Codacy: Up to standards ✅🟢
Pull Request Overview
This PR attempts to implement a security cooldown period for Dependabot updates to mitigate risks from malicious package releases. However, the implementation is fundamentally flawed as the cooldown key is not a supported property in the GitHub Dependabot v2 configuration schema.
While Codacy reports that the PR is 'up to standards', this is a false positive in the context of the PR's intent; adding unsupported keys will cause the configuration to be ignored or result in a parsing error by GitHub. Because the proposed changes do not achieve the acceptance criteria for either GitHub Actions or Pip ecosystems, this PR should not be merged in its current state.
About this PR
- The PR title and description suggest a security feature that is not natively supported by Dependabot. Without a JIRA ticket or requirement source, it is difficult to determine if this approach was recommended by a specific security policy or if it was an experimental attempt.
Test suggestions
- Validate that the .github/dependabot.yml schema is valid and accepted by GitHub.
- Verify that package updates are actually delayed by 7 days after the configuration change.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Validate that the .github/dependabot.yml schema is valid and accepted by GitHub.
2. Verify that package updates are actually delayed by 7 days after the configuration change.
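The two test suggestions in the review (is the `.github/dependabot.yml` structurally acceptable, and are updates actually held back for 7 days) can both be expressed as checks. The block below is an added example, not code from this repository or from the review bot. The `PR_CONFIG` dict is a constructed stand-in for the PR's file, which the page does not show (the `cooldown` block in it is assumed); the per-update key allowlist is an assumption, deliberately parameterised so the same check reports `cooldown` as unknown against a baseline schema and as accepted once the key is added to the allowlist, which is exactly the question the review raises. The release-age function implements the 7-day delay semantics on a constructed release history.

```python
"""Checks behind the review's test suggestions for a Dependabot cooldown:
(1) structural validation of a parsed dependabot.yml plus a report of
    per-update keys outside a caller-supplied allowlist, and
(2) the 7-day delay semantics: which candidate releases are old enough
    to be offered as an update.

Added example, not code from this repository. The config is a constructed
stand-in for the PR's file; the allowlists are assumptions."""
from __future__ import annotations

from datetime import date, timedelta

# Constructed stand-in for the PR's .github/dependabot.yml, already parsed
# (e.g. by yaml.safe_load). The 'cooldown' block is assumed; the page does
# not show the actual file.
PR_CONFIG = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "github-actions",
            "directory": "/",
            "schedule": {"interval": "weekly"},
            "cooldown": {"default-days": 7},
        },
        {
            "package-ecosystem": "pip",
            "directory": "/",
            "schedule": {"interval": "weekly"},
            "cooldown": {"default-days": 7},
        },
    ],
}

# Keys every update entry must carry in the Dependabot v2 format.
REQUIRED_UPDATE_KEYS = {"package-ecosystem", "directory", "schedule"}

# Baseline allowlist of per-update keys (assumption: a subset of the v2
# format sufficient for this example; extend it to match the schema you
# actually validate against).
BASELINE_UPDATE_KEYS = REQUIRED_UPDATE_KEYS | {
    "allow", "assignees", "commit-message", "groups", "ignore", "labels",
    "milestone", "open-pull-requests-limit", "rebase-strategy",
    "reviewers", "target-branch", "versioning-strategy",
}


def structural_errors(config: dict) -> list[str]:
    """Return the structural problems that would make the file unusable."""
    errors = []
    if config.get("version") != 2:
        errors.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return errors + ["updates must be a non-empty list"]
    for i, entry in enumerate(updates):
        missing = REQUIRED_UPDATE_KEYS - set(entry)
        if missing:
            errors.append(f"updates[{i}] missing {sorted(missing)}")
        if "interval" not in entry.get("schedule", {}):
            errors.append(f"updates[{i}].schedule.interval is required")
    return errors


def unknown_update_keys(config: dict, allowed: set[str]) -> set[str]:
    """Keys used in update entries that are not in the allowlist.
    Whether 'cooldown' appears here depends on the schema you trust."""
    found = set()
    for entry in config.get("updates", []):
        found |= set(entry) - allowed
    return found


def eligible_versions(releases: dict[str, date], cooldown_days: int,
                      today: date) -> list[str]:
    """Versions released at least `cooldown_days` ago, i.e. past the delay
    window. A release pulled or superseded within 24h never gets this far."""
    cutoff = today - timedelta(days=cooldown_days)
    return sorted(v for v, released in releases.items() if released <= cutoff)


# Constructed release history for one dependency.
RELEASES = {
    "1.4.0": date(2024, 5, 1),
    "1.4.1": date(2024, 5, 27),  # 5 days old on 2024-06-01: still inside the window
    "1.5.0": date(2024, 5, 24),  # 8 days old: eligible
}

if __name__ == "__main__":
    print("structural errors:", structural_errors(PR_CONFIG))
    print("unknown keys (baseline):", unknown_update_keys(PR_CONFIG, BASELINE_UPDATE_KEYS))
    print("unknown keys (with cooldown):",
          unknown_update_keys(PR_CONFIG, BASELINE_UPDATE_KEYS | {"cooldown"}))
    print("eligible on 2024-06-01:", eligible_versions(RELEASES, 7, date(2024, 6, 1)))
```

Run against the real file with `yaml.safe_load(open(".github/dependabot.yml"))` in place of `PR_CONFIG`; the allowlist result only answers the schema question relative to the key set you supply, so keep that set aligned with the Dependabot documentation you are validating against rather than the baseline above.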