Open
Description
See:
- Dependabot supports configuration of a minimum package age - GitHub Blog, July 2025 - it's now very simple to configure Dependabot with a `cooldown` time period, a feature we don't yet have in Scala Steward.
- We should all be using dependency cooldowns - yossarian, November 2025 - highlights that the attack window on many open source supply chain attacks is often only a few days; if an artifact is more than a week old, and has not been flagged by a supply chain security vendor, it is more likely to be safe to apply.
For Scala Steward, this issue is a revisit of a few old issues/PRs:
- Time-based delay configuration for new dependencies #1581 - this issue mentioned 2 connected problems: overly-frequent artifact updates from certain publishers (like the AWS SDK, updating daily with tiny, mostly uninteresting, API updates, causing many "expensive, long-running CI builds"), and the more general desire to avoid artifacts that have been very recently published ("sometimes brand new releases get unintentional breaking changes shipped out")
- Wait until currently used dependencies are sufficiently old before updating them #2322 - this was never completed, and closed in favour of:
- Add granular frequency control by groupId and artifactId #2515 - this allowed users to configure a slower update cadence for overly-frequent publishers like AWS, but just allowed applying the existing `pullRequests.frequency` logic to more specific artifact groups & ids - not changing the fact that sometimes very new dependencies would be promoted.
Sources of artifact-age data
Unfortunately, Maven does not currently encode a way to tell an artifact's publication date:
https://stackoverflow.com/q/69790966/438886
- Wait until currently used dependencies are sufficiently old before updating them #2322 (comment) - Frank points out that we want an approach that will work for all artifact repositories, not just Maven Central.
Questions
- How do we want to configure this? What should the configuration look like?
GitHub's Dependabot config for comparison
Not implying we'd want to reproduce every option here, just for information:
- https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#setting-up-a-cooldown-period-for-dependency-updates
- https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
```yaml
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 5
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      include:
        - "requests"
        - "numpy"
        - "pandas*"
        - "django"
      exclude:
        - "pandas"
```
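To make the semantics of that config concrete, here is an added, language-neutral illustration (Python, written for this issue; it is not Scala Steward or Dependabot code) of what a cooldown filter has to decide: which semver level an update is, how many days that level must wait, whether the package is covered by `include`/`exclude`, and which candidate version to propose when the newest release is still too fresh. The rules (`default-days` unless a `semver-*-days` value is set; `exclude` wins over `include`; an empty `include` means every package) are assumed from the config shown, not verified against Dependabot. The publication timestamp of each candidate is taken as an input because, as the page notes, obtaining it from the repository is the open question; the package names, versions and dates below are constructed sample data.

```python
"""Semver-aware dependency cooldown filter (illustrative; not Scala Steward code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cooldown:
    # Assumed mirror of the Dependabot `cooldown` block quoted above.
    default_days: int = 0
    semver_major_days: Optional[int] = None
    semver_minor_days: Optional[int] = None
    semver_patch_days: Optional[int] = None
    include: Tuple[str, ...] = ()   # glob patterns; empty means every package
    exclude: Tuple[str, ...] = ()   # glob patterns; an excluded package has no cooldown

    def applies_to(self, name: str) -> bool:
        if any(fnmatch(name, pat) for pat in self.exclude):
            return False
        return not self.include or any(fnmatch(name, pat) for pat in self.include)

    def days_for(self, level: str) -> int:
        specific = {
            "major": self.semver_major_days,
            "minor": self.semver_minor_days,
            "patch": self.semver_patch_days,
        }[level]
        return self.default_days if specific is None else specific


def parse_semver(version: str) -> Tuple[int, ...]:
    """Return (major, minor, patch); pre-release/build suffixes are dropped and
    non-numeric components count as 0, so "1.2.3-RC1" parses as (1, 2, 3)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def bump_level(current: str, candidate: str) -> str:
    cur, cand = parse_semver(current), parse_semver(candidate)
    if cand[0] != cur[0]:
        return "major"
    if cand[1] != cur[1]:
        return "minor"
    return "patch"


def is_cooled_down(policy: Cooldown, name: str, current: str, candidate: str,
                   published_at: datetime, now: datetime) -> bool:
    """True when the candidate may be proposed: either the policy does not cover
    this package, or the artifact has been public for at least the required days."""
    if not policy.applies_to(name):
        return True
    required = timedelta(days=policy.days_for(bump_level(current, candidate)))
    return now - published_at >= required


def select_update(policy: Cooldown, name: str, current: str,
                  candidates: Sequence[Tuple[str, datetime]], now: datetime) -> Optional[str]:
    """Pick the highest candidate newer than `current` that has passed its cooldown;
    a too-fresh latest release does not block an older, already-aged one."""
    for version, published_at in sorted(candidates, key=lambda c: parse_semver(c[0]), reverse=True):
        if parse_semver(version) > parse_semver(current) and \
                is_cooled_down(policy, name, current, version, published_at, now):
            return version
    return None


# The cooldown block from the issue, transcribed into the dataclass.
POLICY = Cooldown(default_days=5, semver_major_days=30, semver_minor_days=7,
                  semver_patch_days=3,
                  include=("requests", "numpy", "pandas*", "django"),
                  exclude=("pandas",))

# Constructed sample data: a fixed "now" and candidate releases with made-up dates.
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)
REQUESTS_CANDIDATES = [
    ("2.32.0", datetime(2025, 11, 10, tzinfo=timezone.utc)),  # minor bump, 10 days old
    ("2.32.1", datetime(2025, 11, 18, tzinfo=timezone.utc)),  # minor bump, 2 days old
]
PANDAS_STUBS_CANDIDATES = [
    ("3.0.0", datetime(2025, 11, 1, tzinfo=timezone.utc)),    # major bump, 19 days old
]

if __name__ == "__main__":
    # Newest release is 2 days old and a minor bump needs 7, so fall back to 2.32.0.
    print(select_update(POLICY, "requests", "2.31.0", REQUESTS_CANDIDATES, NOW))  # 2.32.0
    # "pandas" is excluded, so a 1-day-old major release is proposed immediately.
    print(select_update(POLICY, "pandas", "2.2.0", [("3.0.0", NOW - timedelta(days=1))], NOW))  # 3.0.0
    # "pandas-stubs" matches "pandas*"; a major bump needs 30 days, 19 is not enough.
    print(select_update(POLICY, "pandas-stubs", "2.2.0", PANDAS_STUBS_CANDIDATES, NOW))  # None
```

Note the fallback behaviour in `select_update`: rejecting only the freshest release rather than the whole package is what keeps a cooldown from freezing a dependency for weeks when a publisher ships daily, which is the AWS SDK complaint from #1581 in a different guise.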