We originally discussed this article offline: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
It makes the very valid point that you can avoid all manner of supply chain attacks simply by waiting a little while after a dependency publishes a new release before actually pulling that release in: most malicious versions are detected and yanked within days.
For Renovate, we can configure this easily by adding "minimumReleaseAge": "7 days" under packageRules.
I think we should roll this out in (especially) our highly used/shared repos.
Others?
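For reference, here is what the proposed configuration would look like as a complete renovate.json5 (added example, not taken from the linked article or from any of our repos; the file name, the schema URL and the catch-all package match are my assumptions about how we would apply it):

```json5
// renovate.json5 (example only): apply a 7-day cooldown to every dependency.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      // "*" matches every package Renovate manages in this repo, so the
      // cooldown applies across all package managers, not just one ecosystem.
      "matchPackageNames": ["*"],
      // Renovate only proposes versions published at least 7 days ago,
      // which is the window most malicious releases are caught and pulled in.
      "minimumReleaseAge": "7 days",
      // "strict": versions younger than the cooldown are filtered out, so
      // an older, eligible release can still be proposed instead of waiting.
      "internalChecksFilter": "strict"
    }
  ]
}
```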