SEC: add a 7 days cooldown period to dependabot settings#2766

Merged
joerick merged 1 commit into pypa:main from neutrinoceros:sec/cooldown
Mar 12, 2026

Conversation

@neutrinoceros (Contributor)

No description provided.

@neutrinoceros neutrinoceros changed the title SEC: add a 7 deys cooldown period to dependabot settings SEC: add a 7 days cooldown period to dependabot settings Mar 11, 2026
@agriyakhetarpal (Member) left a review comment

Thanks, @neutrinoceros! This looks like a fine one to me, WDYT @henryiii?

@agriyakhetarpal (Member)

@joerick should we consider adding a 7-day cooldown to our update_constraints dependency updates too?

@agriyakhetarpal agriyakhetarpal requested a review from joerick March 11, 2026 12:02
@neutrinoceros neutrinoceros marked this pull request as ready for review March 11, 2026 12:08
@henryiii (Contributor)

This also keeps us from getting security updates for a week if vulnerabilities are found, so I'm neutral. For our constraints, we already have a delay in releasing updates, so I don't think so.

@agriyakhetarpal (Member)

Yeah, we have leaned on not pinning actions up till now; we have had moving tags and thus wouldn't benefit much from cooldowns. The currently pinned action is actions/setup-python, which, in my opinion, would benefit from a cooldown because it prevents us from updating too quickly and releasing a broken release if setup-python's functionality is found to be broken in their new release. I am +0.5 on this, which is the reason for my approval. That said, I hope GitHub is taking the security of that action seriously enough.

@henryiii (Contributor)

The things we are most likely to be broken on with setup-python are python-versions and the runner, both of which we can't pin. Partially pinning on top of a moving environment isn't helpful, IMO, since you might need fixes for that moving environment, and you are not protected against breakages by just partially pinning.

@joerick (Contributor) commented Mar 12, 2026

Just a gut feeling, but I reckon a 7-day cooldown on dependabot is probably net-net a slight positive.

@joerick (Contributor) commented Mar 12, 2026

That is, the security advantages probably tip the scales to positive. I agree that the stability pros/cons are a mixed bag!

@joerick joerick merged commit 42c5020 into pypa:main Mar 12, 2026
37 checks passed
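For readers who want to see what a 7-day Dependabot cooldown looks like in practice, the following `.github/dependabot.yml` fragment is an added illustration, not the diff merged in this PR and not the project's actual configuration. The `cooldown` block and its `default-days` key are GitHub's documented Dependabot version-update settings; the `package-ecosystem`, `directory` and `schedule` values are assumptions chosen for the example.

```yaml
# Added example, not the project's own file.
# A cooldown delays Dependabot version-update PRs until a new release
# has been public for the configured number of days, which gives the
# ecosystem time to notice a malicious or broken release before it is
# pulled in automatically (the trade-off discussed in the thread above).
version: 2
updates:
  - package-ecosystem: "github-actions"   # assumption: which ecosystem to cover
    directory: "/"                        # assumption: workflow files live at the repo root
    schedule:
      interval: "weekly"                  # assumption: update cadence
    cooldown:
      default-days: 7                     # wait 7 days after a release before proposing it
```

The same `cooldown` block accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days` to set different waits per release type, plus `include` and `exclude` lists to scope the cooldown to particular dependencies; those knobs address the stability concern raised in the thread (a longer wait for majors, none for a dependency whose fixes you need immediately). The cooldown governs version updates only, so it should be read as a supply-chain delay on routine bumps rather than as a change to how the repository is notified about advisories.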