
chore: Add Dependabot version-update cooldown #37

Open

ld-repository-standards[bot] wants to merge 1 commit into main from ld-github-standards/add-dependabot-cooldown

chore: Add Dependabot version-update cooldown#37
ld-repository-standards[bot] wants to merge 1 commit into
mainfrom
ld-github-standards/add-dependabot-cooldown

Conversation

ld-repository-standards[bot] (Contributor) commented Jul 2, 2026

This pull request was auto-generated by the LaunchDarkly GitHub Standards automation platform.

  • Ensure every entry under updates in .github/dependabot.yml declares a cooldown of at least 7 days (default-days).
  • Add entries for detected package ecosystems that were not yet tracked by Dependabot.

Cooldown applies only to version updates; security updates bypass it, so critical CVE fixes are never delayed.

Ref: SEC-8058.

Note (Low Risk): Only .github/dependabot.yml changes dependency-bot scheduling; no runtime or security-sensitive application code is touched.

Overview
Extends Dependabot so the repo’s /app Gradle project gets its own weekly update job, alongside the existing root Gradle config.

Each updates entry in .github/dependabot.yml is aligned with a 7-day cooldown.default-days on version bumps (security updates still ignore cooldown). This matches the SEC-8058 automation goal of spacing routine dependency PRs without slowing CVE fixes.

Reviewed by Cursor Bugbot for commit 6e18eea. Bugbot is set up for automated code reviews on this repo.

@ld-repository-standards ld-repository-standards Bot requested review from a team July 2, 2026 06:12
@ld-repository-standards ld-repository-standards Bot requested a review from a team as a code owner July 2, 2026 06:12
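The PR's diff is not rendered on this page, so the following .github/dependabot.yml is an added illustration of the configuration the description lays out, not the commit itself. The gradle ecosystem, the root and /app directories, the weekly schedule and the 7-day cooldown.default-days all come from the description; the remaining keys are standard Dependabot syntax.

```yaml
version: 2
updates:
  # Existing root Gradle project, now with a cooldown on version updates.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      # Hold routine version bumps for at least 7 days before a PR is opened.
      # Cooldown applies to version updates only; Dependabot security updates
      # bypass it, so fixes for published CVEs are not delayed.
      default-days: 7

  # New entry for the /app Gradle project, which had no Dependabot tracking.
  - package-ecosystem: "gradle"
    directory: "/app"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

A review check that matches the stated standard: every item under updates must carry cooldown.default-days of at least 7, and any package ecosystem present in the repo must have an entry.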