[Translation] It's time for package managers to introduce a cooldown period

When an attacker gains access to a maintainer's account or takes over an abandoned package, a malicious version can spread to thousands of projects faster than anyone notices it. One way to reduce the risk is to introduce a cooldown period for dependencies: instead of installing a new package version immediately after publication, wait a few days so that the community and security vendors have time to react. We are publishing a translation of Andrew Nesbitt's article on dependency cooldowns and how this approach is implemented by various package managers and dependency update tools: npm, pnpm, Yarn, Bun, Deno, pip, uv, Poetry, Bundler, Cargo, Dependabot, Renovate and others. The article also covers the differences between relative intervals and absolute dates, timestamp problems, exceptions for security updates, and the limitations of the approach across ecosystems.

https://habr.com/ru/companies/codescoring/articles/1044132/

#пакетные_менеджеры #зависимости #supply_chain_security #open_source #npm #PyPI #RubyGems #Dependabot #Renovate #dependency_cooldown


Hi, Habr! The problem of malicious packages that can steal something from you or encrypt it grows more acute every month. Unfortunately, not everyone knows that many package managers already...


Keeping your project dependencies up-to-date can be a pain! 😩 This short shows how Dependabot can automate those updates for you – a Boto3 SDK example. Less hassle, more secure code. Check it out! 💻 #Dependabot #Automation #DevOps

https://www.youtube.com/watch?v=SeyepTlwtKs

Steel for Vulnerabilities, Silver for Zombies: Hunting Java's Unseen Monsters

https://video.ut0pia.org/w/stJbfBB5MiqPAMKTW1AkEx


RE: https://mastodon.social/@hugovk/116399324188897230

Starting with v8.0.0, Astral switched setup-uv to immutable releases with no floating v8 tags. This is good for security.

But unfortunately #Dependabot and #Renovate couldn't upgrade from v7 to v8.0.0, and need a manual bump to get back on track. This is not so good for security.

I posted about this on the three social networks, someone tagged @www.jvt.me, and soon after Renovate added support for this! 🎉

Here's his writeup into the world of #GitHubActions tags:
https://www.jvt.me/posts/2026/04/24/github-actions-tagging/

Automating Dependabot PR reviews with Claude: solving tedious dependency management

To eliminate the hassle of reviewing the countless PRs that Dependabot generates one by one, I built an automated review tool using Claude's 'skill' feature.


Going through the flood of PRs that Dependabot pours out, one by one, is no small chore. To solve this problem, I built an automated review tool using Claude's 'skill' feature.

Ruby-News | Ruby AI News

After my recent playing around with #Copilot, I thought I'd take a look at my GitHub billing report to see how much I'd used. I have, this month, used US$5.80 worth of Copilot ... and US$870 of actions.

Most of those computrons got burned when #Dependabot pushed branches and then when it created pull requests so that it could whine at me about point releases of stuff like #CrossPlatformActions (https://github.com/cross-platform-actions/action).

1/n

GitHub - cross-platform-actions/action: Cross-platform GitHub action

Cross-platform GitHub action. Contribute to cross-platform-actions/action development by creating an account on GitHub.


🚨 TeamPCP hijacks Bitwarden CLI in supply chain attack, abusing GitHub Dependabot to deploy Shai-Hulud malware and steal developer secrets, poison AI coding tools.

Read: https://hackread.com/teampcp-bitwarden-cli-dependabot-shai-hulud-malware/

#CyberSecurity #TeamPCP #Malware #Bitwarden #GitHub #Dependabot

TeamPCP Hijacks Bitwarden CLI, Uses Dependabot to Deploy Shai-Hulud Malware

GitGuardian uncovers TeamPCP attack on Bitwarden CLI, abusing GitHub Dependabot to spread Shai-Hulud and poison AI coding tools.


Do you use astral-sh/setup-uv@v7 in #GitHubActions?

And it's not hash-pinned?

And you use #Dependabot or #Renovate?

The setup-uv project has switched to only Vx.y.z tags, no more Vx or Vx.y.

But Dependabot and Renovate won't upgrade from Vx to Vx.y.z, so you'll need to manually update to astral-sh/setup-uv@v8.0.0 to keep up with future updates.

"To increase security even more we will stop publishing minor tags. You won't be able to use v8 or v8.0 any longer."

https://github.com/astral-sh/setup-uv/issues/830
#Python #uv

Release v8.0.0 does not work with v8 or v8.0 · Issue #830 · astral-sh/setup-uv

neither astral-sh/setup-uv@v8 nor astral-sh/setup-uv@v8.0 work -- only astral-sh/setup-uv@v8.0.0 works


Dependabot-Core: an analysis of the core library for automatic dependency updates

Dependabot-Core is the core Ruby library that powers GitHub's automatic dependency update feature, containing the update logic for a variety of languages and package managers.


Ruby-News | Ruby AI News