
feat(deps): add 7-day dependency cooldown for supply chain safety #122

Open

rlorenzo wants to merge 1 commit into upgrade/lts-dotnet10-node24 from dependency-cooldown
Conversation

@rlorenzo
Contributor

  • Dependabot: weekly Monday checks with 7d cooldown (14d for majors) across nuget, npm, and github-actions ecosystems
  • npm: pin 11.12.0 via Volta and set min-release-age=604800 in .npmrc

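The two settings in this PR express the same policy in two tools: npm's `min-release-age=604800` refuses to resolve any version published less than 7 days ago, and Dependabot's cooldown waits 7 days before proposing an update (14 days when the update crosses a major version). The following is an added example, not code from this PR, from npm or from Dependabot: it models that policy over a constructed copy of the `time` map the npm registry returns for a package (version to ISO-8601 publish timestamp), so you can see exactly which versions a 7-day/14-day cooldown admits at a given moment. The package data, the "now" timestamp and all helper names are assumptions made for the illustration.

```python
"""Cooldown-eligibility model for the settings described in this PR.

Added example, not the PR's own code. Reproduces the stated policy:
a release must be at least 7 days old to be adopted, and a release that
bumps the major version must be at least 14 days old.
"""
import re
from datetime import datetime, timezone

MIN_RELEASE_AGE_SECONDS = 604800          # 7 days, the value set in the PR's .npmrc
MAJOR_COOLDOWN_SECONDS = 14 * 24 * 3600   # 14 days for majors, as in the PR's Dependabot settings

# Constructed sample of an npm registry "time" map for a hypothetical package.
# Real registry documents also carry "created"/"modified" keys, which must be skipped.
SAMPLE_TIME_MAP = {
    "created": "2026-01-05T10:00:00.000Z",
    "modified": "2026-03-25T09:00:00.000Z",
    "1.4.2": "2026-01-05T10:00:00.000Z",
    "1.5.0": "2026-03-10T12:00:00.000Z",
    "2.0.0": "2026-03-14T08:00:00.000Z",
    "2.0.1": "2026-03-25T09:00:00.000Z",
}

# Assumed "now": the PR's own timestamp, so the ages below are deterministic.
NOW = datetime(2026, 3, 26, 18, 51, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def parse_version(version):
    """'1.5.0' -> (1, 5, 0); lets versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def release_age_seconds(time_map, version, now=NOW):
    """Seconds elapsed since the registry recorded this version's publish time."""
    published = datetime.fromisoformat(time_map[version].replace("Z", "+00:00"))
    return (now - published).total_seconds()


def required_cooldown(current, candidate):
    """14 days when the candidate bumps the major version, 7 days otherwise."""
    if parse_version(candidate)[0] > parse_version(current)[0]:
        return MAJOR_COOLDOWN_SECONDS
    return MIN_RELEASE_AGE_SECONDS


def eligible_versions(time_map, current, now=NOW):
    """Versions newer than `current` whose age meets the applicable cooldown."""
    result = []
    for version in time_map:
        if not _VERSION_RE.match(version):
            continue  # skip "created", "modified" and any tag-like keys
        if parse_version(version) <= parse_version(current):
            continue
        if release_age_seconds(time_map, version, now) >= required_cooldown(current, version):
            result.append(version)
    return sorted(result, key=parse_version)


def newest_eligible(time_map, current, now=NOW):
    """The version a cooldown-respecting update would pick, or None if nothing qualifies yet."""
    candidates = eligible_versions(time_map, current, now)
    return candidates[-1] if candidates else None


def explain(time_map, current, now=NOW):
    """Per-version verdict, useful when auditing why an update is being held back."""
    verdicts = {}
    for version in time_map:
        if not _VERSION_RE.match(version) or parse_version(version) <= parse_version(current):
            continue
        age_days = release_age_seconds(time_map, version, now) / 86400
        needed_days = required_cooldown(current, version) / 86400
        verdicts[version] = "eligible" if age_days >= needed_days else (
            f"held: {age_days:.1f}d old, needs {needed_days:.0f}d")
    return verdicts


if __name__ == "__main__":
    # With 1.4.2 installed: 1.5.0 is 16 days old (eligible); 2.0.0 is 12 days old but a
    # major bump (held under the 14-day rule); 2.0.1 is about a day old (held).
    for version, verdict in explain(SAMPLE_TIME_MAP, "1.4.2").items():
        print(f"{version}: {verdict}")
    print("would update to:", newest_eligible(SAMPLE_TIME_MAP, "1.4.2"))
```

The model deliberately evaluates the major-version rule against the currently installed version rather than against the previous release, which is how a "14 days for majors" policy protects a consumer: a compromised 2.0.1 published a day ago stays out regardless, and even the two-week-old 2.0.0 waits until the longer window has passed.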
Copilot AI review requested due to automatic review settings March 26, 2026 18:51

Copilot AI left a comment


Pull request overview

Adds dependency "cooldown"/minimum-age controls to reduce exposure to newly published supply-chain compromises, and pins npm via Volta for more reproducible tooling.

Changes:

  • Add Dependabot configuration for NuGet, npm (root + VueApp), and GitHub Actions with weekly scheduling and cooldown windows.
  • Pin npm@11.12.0 via Volta in the root package.json.
  • Add .npmrc with min-release-age=604800 (7 days).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
package.json Pins npm via Volta at the repo root to standardize tooling.
.npmrc Introduces a minimum release age setting intended to delay adoption of fresh releases.
.github/dependabot.yml Configures Dependabot updates across ecosystems with grouping and cooldown periods.

Comment on lines +55 to +56
"node": "24.14.0",
"npm": "11.12.0"

Copilot AI Mar 26, 2026


The repo has a separate VueApp/package.json with its own volta section (pins Node only). Volta resolves tool versions from the nearest package.json, so running commands from VueApp/ may use an unpinned npm version even though the root pins npm here. Consider also pinning npm in VueApp/package.json (or removing the nested Volta config so it inherits from the root) to keep npm consistent across the repo and avoid lockfile-version churn.

Suggested change (lines 55 to 56 of package.json):
-    "node": "24.14.0",
-    "npm": "11.12.0"
+    "node": "24.14.0"
