There have been many supply chain attacks recently involving compromised dependencies, e.g. the recent axios attack (this video does a nice job explaining that situation).
In general, good security practices for dependencies state that you shouldn't update your dependencies instantly: having a buffer period of something like 7 days allows the community to audit packages for malicious behaviour.
Proposal
Set the `minimumReleaseAge` config option in Renovate. Additionally, they recommend setting that in your package manager for transitive dependencies and for lockfiles. `pip` does not have support for such a thing, but `uv` does via the `exclude-newer` flag.
It's unlikely that our users would be affected by security bugs mostly because our release cycle is rather long. This change would benefit anyone developing for the library, because we would be pulling in the latest changes from master.
What do you think, is this a reasonable thing to do or is it rather aggressive?
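The two settings above behave differently: Renovate's `minimumReleaseAge` is a relative age, while uv's `exclude-newer` is an absolute timestamp that has to be moved forward regularly or it silently freezes resolution. The script below, an added example and not part of the issue or of any project's code, generates both pieces of config from one cooldown value; the Renovate value format and the `[tool.uv]` TOML key are the ones documented for those tools, and the 7-day cooldown and the sample timestamp are constructed.

```python
"""Rolling dependency cooldown for Renovate and uv.

Renovate accepts a relative age ("7 days"); uv's exclude-newer needs an
absolute RFC 3339 cutoff, so it must be recomputed (e.g. by a scheduled
CI job) rather than committed once and forgotten.
"""
import json
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7  # buffer period from the proposal above (constructed default)


def renovate_config(days: int = COOLDOWN_DAYS) -> dict:
    """Renovate config that delays every update until the release is old enough."""
    return {
        "$schema": "https://docs.renovatebot.com/renovate-schema.json",
        "minimumReleaseAge": f"{days} days",
    }


def exclude_newer_cutoff(now_iso: str, days: int = COOLDOWN_DAYS) -> str:
    """RFC 3339 UTC timestamp `days` before `now_iso`, for uv's exclude-newer.

    uv applies the cutoff during resolution, so the lockfile it writes only
    contains direct and transitive versions published before that instant.
    A naive (timezone-less) input is rejected so the cutoff is unambiguous.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must carry a UTC offset")
    cutoff = now.astimezone(timezone.utc) - timedelta(days=days)
    return cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")


def uv_pyproject_fragment(now_iso: str, days: int = COOLDOWN_DAYS) -> str:
    """`[tool.uv]` fragment for pyproject.toml pinning the absolute cutoff."""
    return f'[tool.uv]\nexclude-newer = "{exclude_newer_cutoff(now_iso, days)}"\n'


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    print(json.dumps(renovate_config(), indent=2))
    print(uv_pyproject_fragment(now))
```

Running it from a scheduled job and committing the regenerated `[tool.uv]` fragment keeps the uv cutoff rolling alongside Renovate's relative setting.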