Skip to content

Add Dependabot Cooldown#610

Merged
skyguy94 merged 1 commit into
mainfrom
security/dependabot-cooldown
May 20, 2026
Merged

Add Dependabot Cooldown#610
skyguy94 merged 1 commit into
mainfrom
security/dependabot-cooldown

Conversation

@skyguy94
Copy link
Copy Markdown
Contributor

@skyguy94 skyguy94 commented May 20, 2026
edited
Loading

Description of Changes

Adds a cooldown: block to each package-ecosystem entry in .github/dependabot.yml. Values follow the CE house style already in use by SecurityAndChangeControl:

Cooldown delays version-update PRs by N days after publish, giving the ecosystem time to detect and yank malicious releases. Same risk applies to the github-actions ecosystem (poisoned third-party action via auto-PR), hence the same block there.

cooldown:
  default-days: 7
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3

Review and manually apply the following workflow permissions:

gh api -X PUT repos/CareEvolution/MyDataHelpsUI/actions/permissions/workflow \
  -F default_workflow_permissions=read \
  -F can_approve_pull_request_reviews=false

Rationale: https://careevolution.slack.com/archives/C0DEKSMFY/p1779275551026199?thread_ts=1779197176.503919&cid=C0DEKSMFY

Issue Link

N/A

Security

  • I have ensured no secure credentials or sensitive information remain in code, metadata, comments, etc.
  • My changes do not introduce any security risks, or any such risks have been properly mitigated.

Defensive change; reduces same-day auto-merge risk for compromised package versions. No new attack surface.

Change Control Board (CCB) Approval

CCB approval is required when the change affects organizational processes (like vulnerability management or disaster recovery), or has the potential to impact availability, security, or privacy. See the CR process for more detailed assessment guidelines.

  • This change does NOT require CCB approval.
  • This change DOES require CCB approval. Tag @careevolution/ccb.

Testing/Validation

N/A

Backout Plan

Describe how we will restore the system to its pre-change state if something goes wrong.

Revert the PR; Dependabot reverts to immediate version-update PRs.

Implementation Notes

Config-only change; no downtime, no operational impact.

Documentation Updates

  • This change has no documentation impact.
  • This change impacts external documentation (API docs, user guides). Tag @careevolution/mdhd-docs or @careevolution/api-docs.
  • This change impacts internal documentation (procedures, security plans, wiki). Tag the owner.

N/A -- internal change to .github/dependabot.yml.

@aws-amplify-us-east-1
Copy link
Copy Markdown

aws-amplify-us-east-1 Bot commented May 20, 2026

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-610.d1xp2kmk6zrv44.amplifyapp.com

@skyguy94 skyguy94 changed the title chore(deps): add Dependabot cooldown to all ecosystems Add Dependabot Cooldown May 20, 2026
@skyguy94 skyguy94 requested review from chrisnowak and greinard May 20, 2026 13:28
@skyguy94 skyguy94 marked this pull request as ready for review May 20, 2026 13:33
@lynnfaraday lynnfaraday mentioned this pull request May 20, 2026
Merged
3 tasks
@skyguy94 skyguy94 merged commit 7df16e6 into main May 20, 2026
9 checks passed
@skyguy94 skyguy94 deleted the security/dependabot-cooldown branch May 20, 2026 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrisnowak chrisnowak chrisnowak approved these changes

@greinard greinard Awaiting requested review from greinard

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skyguy94 @chrisnowak