asf-tooling commented on issue #1142:
URL:
https://github.com/apache/tooling-trusted-releases/issues/1142#issuecomment-4409773628
**Automated triage** — analyzed at `main@2da7807a`
**Type:** `new_feature` • **Classification:** `no_action` • **Confidence:** `high`
**Application domain(s):** `distribution_tracking`
### Summary
This issue requests adding a 14-day cooldown for npm packages in the
repository's Dependabot configuration (.github/dependabot.yml) to prevent
supply chain attacks from newly-published compromised packages (which caused
#1141). However, @sbp identified that an upstream Dependabot bug
(dependabot/dependabot-core#14683) prevents cooldowns from being applied to
transitive npm dependencies, and explicitly stated this issue is blocking on
that upstream fix. No action can be taken on this issue until the upstream bug
is resolved.
### Where new code would go
- `.github/dependabot.yml` — existing file, npm ecosystem section
The Dependabot configuration file is where the cooldown setting would be
added for the npm package ecosystem. This file is not in the provided source
inventory but is a standard GitHub repository configuration file.
### Proposed approach
Once the upstream Dependabot bug (dependabot/dependabot-core#14683) is
fixed, the `.github/dependabot.yml` file should be updated to add a `cooldown`
configuration under the npm package ecosystem update entry, setting it to 14
days. Per the Dependabot documentation cited by @sbp, the cooldown value must
be between 1 and 90 days.
However, since @sbp explicitly stated this issue is 'blocking on that'
upstream bug, no change should be made until the upstream fix is released and
confirmed working for transitive npm dependencies. The team should monitor
https://github.com/dependabot/dependabot-core/issues/14683 for resolution.
### Open questions
- When will the upstream Dependabot bug (dependabot/dependabot-core#14683)
be fixed?
- What does the current `.github/dependabot.yml` look like? (Not provided in
the file inventory)
- Should a workaround be applied in the interim (e.g., switching npm updates
to monthly schedule) as @dave2wave suggested, or wait for the proper cooldown
fix?
_The agent reviewed this issue and is not proposing patches in this run.
Review the existing-code citations and open questions above before deciding
next steps._
### Files examined
- `atr/tasks/distribution.py`
- `atr/storage/writers/distributions.py`
- `atr/shared/distribution.py`
---
*Draft from a triage agent. A human reviewer should validate before merging
any change. The agent did not run tests or verify diffs apply.*
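As an added illustration (not part of the bot's comment and not the repository's real `.github/dependabot.yml`, which is not in the inventory), this is the shape the npm entry would take once the upstream fix lands; the `directory` and `schedule` values are assumed, and only `cooldown` is the setting this issue is about.

```yaml
# Added example of a .github/dependabot.yml npm entry, not the project's real file.
# Assumptions: the lockfile sits at the repository root and updates run weekly.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumed: package.json / lockfile at repo root
    schedule:
      interval: "weekly"      # assumed cadence
    # Hold every newly published version for 14 days before Dependabot
    # proposes it, so a compromised release is normally yanked upstream
    # before it can be pulled in (the scenario behind #1141).
    # Allowed range per the Dependabot docs cited by @sbp: 1 to 90 days.
    cooldown:
      default-days: 14
    # Caveat from the thread: until dependabot/dependabot-core#14683 is fixed,
    # this cooldown is not applied to transitive npm dependencies, so on its
    # own it does not yet close the gap this issue describes.
```

The interim alternative raised in the thread is `interval: "monthly"` under `schedule`, which only reduces how often updates are proposed; unlike a cooldown it still takes whatever version is current when the run happens.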
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.