Security vulnerabilities and automated fixes for dependabot issues
3 posts found
A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration that lacked a cooldown period, meaning Dependabot could immediately propose updates to newly published (and potentially malicious) package versions. The fix adds a `cooldown` block with `default-days: 7` to enforce a 7-day waiting period before suggesting updates, giving the community time to detect and flag compromised packages.
A high-severity supply chain vulnerability was discovered in a Dependabot configuration file that lacked cooldown periods for package updates. Without cooldown settings, Dependabot could propose updates to newly published—and potentially malicious—packages immediately after release. The fix adds a 7-day cooldown period to all three package ecosystems (npm, GitHub Actions, and Maven), giving the community time to identify compromised packages before they're automatically proposed.
A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration file that lacked a cooldown period for package updates. Without a cooldown, Dependabot could immediately propose updates to newly published—and potentially malicious—package versions. The fix adds a 7-day `cooldown` block to both the npm and github-actions ecosystem entries, giving the community time to identify and flag compromised packages before they're adopted.