Renovate will reputedly check dependencies in <script> tags (at least for some CDNs), something that Dependabot simply does not do:

https://github.com/dependabot/dependabot-core/issues/3228
https://docs.renovatebot.com/modules/manager/html/

#github #renovate

check also deps added to HTML files (libs at CDN, etc.) · Issue #3228 · dependabot/dependabot-core

my web PHP project contains app/Resources/views/master.html.twig main HTML file where I add <script src=" {{ asset('assets/lib/jquery/jquery-3.3.1.min.js') }}"></script> <script src=" {{ asset('ass...

GitHub

[Translation] It's time for package managers to introduce a cooldown period

When an attacker gains access to a maintainer's account or takes over an abandoned package, a malicious version can spread to thousands of projects faster than anyone manages to notice it. One way to reduce the risk is to introduce a cooldown period for dependencies: instead of installing a new package version immediately after it is published, wait several days so that the community and security vendors have time to react. We are publishing a translation of Andrew Nesbitt's article on dependency cooldown and on how different package managers and dependency-update tools implement this approach: npm, pnpm, Yarn, Bun, Deno, pip, uv, Poetry, Bundler, Cargo, Dependabot, Renovate and others. The article also looks separately at the differences between relative intervals and absolute dates, timestamp problems, exceptions for security updates, and the limitations of the approach in different ecosystems.

https://habr.com/ru/companies/codescoring/articles/1044132/

#пакетные_менеджеры #зависимости #supply_chain_security #open_source #npm #PyPI #RubyGems #Dependabot #Renovate #dependency_cooldown

It's time for package managers to introduce a cooldown period

Hi, Habr! The problem of malicious packages that can steal something from you or encrypt your data is getting more acute every month. Unfortunately, not everyone knows that many package managers already...

Habr

RE: https://mastodon.social/@hugovk/116399324188897230

Starting with v8.0.0, Astral switched setup-uv to immutable releases with no floating v8 tags. This is good for security.

But unfortunately #Dependabot and #Renovate couldn't upgrade from v7 to v8.0.0, and need a manual bump to get back on track. This is not so good for security.

I posted about this on the three social networks, someone tagged @www.jvt.me, and soon after, Renovate now supports this! 🎉

Here's his write-up on the world of #GitHubActions tags:
https://www.jvt.me/posts/2026/04/24/github-actions-tagging/

Configuring Renovate to only suggest updates that match your go directive.

How to make sure that Renovate's updates to Go modules keep you within the minor version of your `go` directive.

https://fed.brid.gy/r/https://www.jvt.me/posts/2026/05/02/renovate-only-go-directive/

I'm on Fallthrough: No Country for Old Maintainers

Announcing my appearance as a co-host on Fallthrough, talking about a mix of current affairs, including OAuth, maintainer burnout, of course some AI and more.

https://fed.brid.gy/r/https://www.jvt.me/posts/2026/04/25/fallthrough-supply-chain/

A deep dive into the wild world of GitHub Actions' tagging formats

Inside the ways that GitHub Actions' versioning works, and how we improved Renovate's support.

https://fed.brid.gy/r/https://www.jvt.me/posts/2026/04/24/github-actions-tagging/

I'm on Fallthrough: Supply Chain Reaction

Announcing my appearance as a guest co-host on Fallthrough, talking about supply chain security, AI, Claude Mythos, and many more topics.

https://fed.brid.gy/r/https://www.jvt.me/posts/2026/04/18/fallthrough-supply-chain/

mogenius/renovate-operator: Operator to streamline renovate executions in Kubernetes

"Run Renovate on your own infrastructure with CRD-based scheduling, parallel execution, auto-discovery, and a built-in UI."

Link: https://github.com/mogenius/renovate-operator

#linkdump #dependencies #development #kubernetes #renovate #tool

Do you use astral-sh/setup-uv@v7 in #GitHubActions?

And it's not hash-pinned?

And you use #Dependabot or #Renovate?

The setup-uv project has switched to only Vx.y.z tags, no more Vx or Vx.y.

But Dependabot and Renovate won't upgrade from Vx to Vx.y.z, so you'll need to manually update to setup-uv@v8.0.0 to keep up with future updates.

"To increase security even more we will stop publishing minor tags. You won't be able to use v8 or v8.0 any longer."

https://github.com/astral-sh/setup-uv/issues/830
#Python #uv

Release v8.0.0 does not work with v8 or v8.0 · Issue #830 · astral-sh/setup-uv

neither astral-sh/setup-uv@v8 nor astral-sh/setup-uv@v8.0 work -- only astral-sh/setup-uv@v8.0.0 works

GitHub

Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:

https://daniakash.com/posts/simplest-supply-chain-defense/

#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios

Minimum Release Age is an Underrated Supply Chain Defense | Dani Akash

A 7-day package delay would have blocked installs in most short-lived malicious publish attacks from the last 8 years
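Added example, not code from any of the linked posts or tools: a small Python model of the cooldown rules described in the dependency-cooldown article summary above and in the Minimum Release Age post, covering a relative minimum age, an absolute cutoff date, the security-update exception and future-dated timestamps. The npm-style version-to-publish-time map is constructed here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of npm-style registry metadata: version -> publish time.
# The timestamps must come from the registry's own metadata, not from anything
# inside the package tarball, because tarball contents can be forged.
SAMPLE_TIMES = {
    "1.7.9": "2025-01-10T12:00:00Z",
    "1.8.0": "2025-03-01T09:30:00Z",
    "1.8.1": "2025-03-28T15:00:00Z",
    "1.8.2": "2025-03-30T04:00:00Z",  # hypothetical release pushed hours ago
}


def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 'Z' timestamp as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def semver_key(version: str):
    """Sort key for plain MAJOR.MINOR.PATCH strings (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(times, now, min_age_days=None, before=None, allow_now=()):
    """Versions that pass the cooldown rules.

    min_age_days -- relative rule: a version must be at least this many days old.
    before       -- absolute rule: only versions published before this timestamp.
    allow_now    -- versions exempt from the relative rule, e.g. a release that
                    fixes a known vulnerability (the security-update exception).
    A publish time in the future is never eligible: that is either clock skew
    or tampered metadata, and both deserve a second look before installing.
    """
    now_dt = parse_ts(now)
    before_dt = parse_ts(before) if before else None
    min_age = timedelta(days=min_age_days) if min_age_days is not None else None
    out = []
    for version, ts in times.items():
        published = parse_ts(ts)
        if published > now_dt:
            continue
        if before_dt is not None and published >= before_dt:
            continue
        if min_age is not None and version not in allow_now and now_dt - published < min_age:
            continue
        out.append(version)
    return sorted(out, key=semver_key)


def newest_eligible(times, now, min_age_days=None, before=None, allow_now=()):
    """Highest version an updater may propose under the given cooldown, or None."""
    candidates = eligible_versions(times, now, min_age_days, before, allow_now)
    return candidates[-1] if candidates else None
```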