chore(deps): use uv ecosystem and add cooldown for supply-chain hardening#917
Merged
…ning

Two changes to the Dependabot config:

1. Switch `package-ecosystem` from `pip` to `uv` (both Python blocks). Dependabot has a dedicated `uv` ecosystem for projects with `uv.lock`. Previously `pip` worked as the umbrella fallback, but `uv` is the canonical value per Astral's docs: https://docs.astral.sh/uv/guides/integration/dependabot/

2. Add `cooldown` blocks to all three ecosystems. Brand-new releases wait a few days before Dependabot proposes a bump, giving the community time to surface malicious or broken releases. Cooldown is the main defence against supply-chain attacks like:
   - xz-utils 2024 (malicious release caught within days of publication)
   - tj-actions/changed-files March 2025 (compromised action detected fast by the community)

   Values: 2 days patch / 5 days minor / 7 days major / 3 days default. Security updates bypass cooldown entirely so CVE fixes are never delayed. The cooldown applies only to non-security version-updates.

Signed-off-by: Egor Dmitriev <egor.dmitriev@alliander.com>
bartpleiter (Collaborator) previously approved these changes on May 27, 2026 and left a comment:
Approved, but please look at the two comments first.
- Trim header to three terse bullets describing mechanics.
- Collapse blocks 1 and 2 into a single uv block scanning all workspace directories. The previous split existed only to route docs/examples deps (which list sphinx/jupyter under project.dependencies) into a separate "tooling" group. With the runtime/dev split removed (see below), that justification no longer applies.
- Merge python-runtime and python-dev groups into a single python-versions group. Cooldown already throttles routine bumps, so the production/development distinction wasn't earning its complexity.
- Drop inline explainers that described Dependabot's general behaviour rather than this config's choices.
- Drop prefix-development (never fires with grouping), explicit patterns: ["*"] (default catches all), and the chore(deps-docs) prefix divergence.

Signed-off-by: Egor Dmitriev <egor.dmitriev@alliander.com>
Dependabot requires every group to declare at least one filter
(patterns, applies-to, dependency-type, or update-types). Empty `{}`
fails validation. Restore the explicit catch-all pattern.
Signed-off-by: Egor Dmitriev <egor.dmitriev@alliander.com>
…ions

The github-actions ecosystem does not version by semver, so Dependabot rejects semver-patch/minor/major-days. Only default-days is supported there.

Signed-off-by: Egor Dmitriev <egor.dmitriev@alliander.com>
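As an added illustration (not the PR's own diff), here is a `dependabot.yml` shaped the way the commit messages above describe: one `uv` block with a single catch-all `python-versions` group, the 2/5/7/3-day cooldown, and a `github-actions` block that carries only `default-days`. The directory list, daily schedule and `chore(deps)` prefix are assumptions.

```yaml
# Added illustration, not the merged config. Assumed: directories, schedule, prefix.
version: 2
updates:
  # Single uv block covering every workspace directory that holds a uv.lock.
  - package-ecosystem: "uv"
    directories:
      - "/"
      - "/docs"
      - "/examples/*"
    schedule:
      interval: "daily"
    # Routine version bumps wait; security updates are not subject to cooldown.
    cooldown:
      default-days: 3
      semver-major-days: 7
      semver-minor-days: 5
      semver-patch-days: 2
    groups:
      python-versions:
        # A group must declare at least one filter; an empty {} fails validation.
        patterns: ["*"]
    commit-message:
      prefix: "chore(deps)"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    # Actions are not semver-versioned, so only default-days is accepted here.
    cooldown:
      default-days: 3
    groups:
      actions:
        patterns: ["*"]
    commit-message:
      prefix: "chore(deps)"
```

Dependabot validates the file on push, so a semver-*-days key under the github-actions block or an empty group mapping surfaces as a config error before any update PR is opened.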
Summary
Follow-up to #913. Two related changes to the Dependabot config:
1. Switch `package-ecosystem` from `pip` to `uv`. Dependabot has a dedicated `uv` ecosystem for projects with `uv.lock` files. The previous config used `pip` (the umbrella Python ecosystem), which worked as a fallback but isn't the canonical value. Per Astral's docs: https://docs.astral.sh/uv/guides/integration/dependabot/
2. Add `cooldown` blocks for supply-chain hardening. Brand-new releases now wait a few days before Dependabot proposes a bump, giving the community time to surface malicious or broken releases.
This is the main defence against supply-chain attacks like:
Cooldown values applied to all three ecosystems (uv published, uv tooling, github-actions):
Important: security updates bypass cooldown. Per GitHub docs: "The `cooldown` option is only available for version updates, not security updates." So CVE patches still land within ~24h on the daily cadence. Cooldown only delays routine version bumps.
Test plan