Supply Chain Attacks and Dependabot
Due to recent supply chain attacks, I am starting to take a much more conservative approach to automatic dependency updates. At minimum, my dependabot.yml files will now have the following configuration:
cooldown:
default-days: 3
The goal is to allow for any compromised supply chain to be repaired, before Dependabot gives me an infected package. This buffer might not even be enough. Seven days might be more appropriate.
Additionally, I am adding dependency auditing wherever it is possible. For instance, with Rust apps we can use cargo-audit as part of a continuous integration pipeline to ensure that no vulnerable packages are included in updates. With PHP apps we can use roave/security-advisories. With NPM we can use the built-in npm audit command.