今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

Dependabot's Three-Day Cooldown Needs an Explicit Exception Policy

bestbee 2026年07月16日 12:00 0 次阅读 来源:Dev.to

GitHub announced on July 14, 2026 that Dependabot now waits until a release has been available on its registry for at least three days before opening a version-update pull request. The cooldown is the new default and requires no configuration. Primary source: GitHub Changelog, July 14, 2026 . The product question is not whether three days is universally safer. Waiting may expose a broken or compromised release before adoption, but it can also postpone a needed compatibility fix. Cooldown is a baseline, not a complete dependency policy. Separate normal freshness from security response release -> cooldown -> update PR -> CI -> review -> deploy -> observe A cooldown does not replace lockfiles, CI, provenance checks, staged deployment, or rollback. It should not silently delay an urgent security-update workflow either. Use this decision table before creating exceptions: Package situation Suggested decision Compensating control Routine dev dependency with strong CI Keep default Deterministic tests Runtime package on a critical path Keep or lengthen Canary and fast rollback Identified security remediation Use the dedicated urgent path Security owner and targeted tests Isolated build-only tool Consider shorter Reproducible artifact checks Volatile pre-1.0 package Consider longer Manual release review Internal package released with the app Consider exception Exact-version integration test Parser, auth, crypto, or installer Keep default unless urgency wins Sandbox and abuse fixtures Score the exception Rate each dimension from 1 to 5: blast radius; upstream release volatility; test strength; rollback speed; cost of waiting. Then use two conversation scores: wait_value = blast_radius + release_volatility ship_confidence = test_strength + rollback_speed + cost_of_waiting This is not a statistical risk model. It forces the team to name evidence. Keep the default when scores are close. Consider shortening only when delivery evidence clearly exceeds wait value. Route vulnerabilit

本文内容来源于互联网,版权归原作者所有
查看原文