From d2b2a9ada53c17d70b59886b6093a2d36d104c3c Mon Sep 17 00:00:00 2001
From: "Dustin J. Mitchell"
Date: Sat, 7 Mar 2026 21:09:07 -0500
Subject: [PATCH 1/2] Add cooldown to dependabot

This prevents dependabot from proposing an update soon after it is released. This helps avoid buggy updates, and also provides adequate time for "supply chain attacks" to be discovered and yanked.
---
 .github/dependabot.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6e2bb8297..4930e58da 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,6 +13,11 @@ updates:
   # Enable updates for Rust packages
   - package-ecosystem: "cargo"
     directory: "/" # Location of package manifests
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 7
+      semver-patch-days: 3
     schedule:
       interval: "daily"
     ignore:

From bfd9a923435b65e59098224bee41a63a85d9e6a2 Mon Sep 17 00:00:00 2001
From: "Dustin J. Mitchell"
Date: Mon, 9 Mar 2026 08:09:18 -0400
Subject: [PATCH 2/2] Group updates into a single PR daily

---
 .github/dependabot.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4930e58da..57155ea4a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,11 +5,17 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      github-actions:
+        patterns: ["*"]
   # Enable version updates for git submodules
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      submodule:
+        patterns: ["*"]
   # Enable updates for Rust packages
   - package-ecosystem: "cargo"
     directory: "/" # Location of package manifests
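Review bot: The cooldown is added only to the cargo entry, while the github-actions and gitsubmodule entries (visible as context in the next patch's hunk at old lines 5-15) get none, so the supply-chain rationale in the commit message does not cover action or submodule bumps; consider a matching `cooldown:` block (at least `default-days`) on those two entries, or a comment stating why cargo alone gets one. If I read the Dependabot docs right, cooldown applies to version updates only and security updates still arrive immediately, which is worth recording above the new key, e.g. `# delay version updates so buggy or malicious releases can be discovered and yanked first; security updates are not delayed`. The 3-day `semver-patch-days` is the shortest window in the block even though patch releases are the most frequent kind of update; if that is a deliberate noise-versus-risk trade-off, a one-line comment on that key would keep the next maintainer from "fixing" it.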
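Review bot: Neither new group restricts `update-types`, so a major bump of an action or a submodule lands in the same grouped PR as minor ones, unlike the cargo group in the following hunk, which keeps majors in their own PR; if that asymmetry is intended, a short comment on each `groups:` line such as `# one PR for all updates, majors included` would record it, otherwise add `update-types: ["minor", "patch"]` to both groups to match. The github-actions entry also keeps `interval: "weekly"` while the commit title says daily, which is presumably fine but reads as a mismatch without a word of explanation.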
@@ -20,9 +26,8 @@ updates:
       semver-patch-days: 3
     schedule:
       interval: "daily"
-    ignore:
-      # skip patch updates, as they can be quite noisy, but keep
-      # minor and major updates so that we don't fall too far
-      # behind
-      - dependency-name: "*"
-        update-types: ["version-update:semver-patch"]
+    groups:
+      cargo:
+        patterns: ["*"]
+        # leave major changes in their own PRs
+        update-types: ["minor", "patch"]
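Review bot: The grouped cargo PR will carry every minor and patch bump of the day in a single Cargo.lock diff, which makes the per-dependency scrutiny the cooldown commit argues for harder, since one unexpected bump is easy to miss among many; consider extending the existing comment to `# leave major changes in their own PRs; the grouped PR still needs its lockfile diff read crate by crate`, or narrowing `patterns` so the group stays reviewable. Removing the `ignore` rule also means patch updates flow again, so the 3-day `semver-patch-days` from the previous patch now actually takes effect where before it was moot; a comment on `patterns: ["*"]` recording that trade-off would help the next reader. As far as I recall the docs, dependencies not matching the group's `update-types` get individual PRs, so the "own PRs" comment is accurate for majors.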