chore(dependabot): add 3-day cooldown for supply-chain safety#287
Conversation
Code Review
This pull request attempts to add a cooldown configuration to Dependabot updates for both github-actions and gradle ecosystems. However, as pointed out in the review, the cooldown option is not supported by the official Dependabot schema and will cause syntax errors, preventing Dependabot from running. These invalid configuration blocks should be removed.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Pull request overview
This PR adds a 3-day cooldown to Dependabot's creation of version update PRs, delaying the adoption of dependency versions immediately after they are published, in order to reduce supply-chain attack risk.
Changes:
Adds cooldown.default-days: 3 to each of the github-actions and gradle updates entries, so that update PRs are not created until 3 days have passed after a new release.
Summary
To reduce the risk of supply-chain attacks, this sets a 3-day cooldown on Dependabot. Update PRs for newly published dependency versions are delayed by 3 days, making it harder to pull in a malicious version immediately after it is published.
Changes
Adds cooldown.default-days: 3 to the updates entries

🤖 Generated with Claude Code
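What the change described above looks like in a `.github/dependabot.yml`, as an added illustration rather than the PR's own diff: the PR description only specifies the `cooldown.default-days: 3` block, so the `directory` and `schedule` values below are assumptions, and the semver-specific keys in the gradle entry are shown to illustrate the general shape of the `cooldown` block, not something the PR adds.

```yaml
version: 2
updates:
  # GitHub Actions used by this repository's workflows.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumed: workflows under .github/workflows
    schedule:
      interval: "weekly"      # assumed schedule; not stated in the PR
    cooldown:
      # Do not open an update PR until a release has been public for 3 days,
      # so a version that is yanked or flagged as malicious shortly after
      # publication is never proposed.
      default-days: 3

  # Gradle dependencies (build.gradle / build.gradle.kts and lock files).
  - package-ecosystem: "gradle"
    directory: "/"            # assumed: root build file
    schedule:
      interval: "weekly"      # assumed schedule; not stated in the PR
    cooldown:
      default-days: 3
      # Illustrative only (not part of the PR): the cooldown can be tuned
      # per semver level, e.g. wait longer before proposing major bumps.
      semver-major-days: 7
      # Illustrative only: a dependency whose updates are deliberately
      # excluded from the cooldown (hypothetical name).
      exclude:
        - "org.example:internal-lib"
```

The cooldown only delays when Dependabot proposes a version; it does not stop a developer from bumping a dependency manually, so it reduces exposure to a freshly published malicious release rather than eliminating it.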