Dependabot version updates introduce default package cooldown
207 points
• 2 days ago
• Article
Link
GitHub 为 Dependabot 的版本更新引入了默认冷却期,以加强供应链安全。今后,Dependabot 在某个软件包在其注册表发布新版本后,会至少等待三天才为该版本创建 Pull Request 。此更改将在 github.com 上对所有受支持的生态系统默认生效,并计划纳入 GitHub Enterprise Server 3.23 。
此举主要是为了降低供应链攻击风险。新版本有时可能被篡改或不稳定,攻击者常利用发布后短暂的时间窗口注入恶意代码。通过设置短暂的等待期,GitHub 给社区反馈与安全信号留下时间,从而减少开发者在版本刚发布时就不经意合并潜在的恶意或有问题代码的可能性。
需要说明的是,该默认仅适用于普通版本更新,安全更新不受影响,仍会立即开启以确保关键漏洞及时修补。 GitHub 强调这是主动的安全措施,而非限制性做法,用户对工作流仍保有完全控制权。
若团队有不同偏好,可以在 .github/dependabot.yml 配置文件中修改 cooldown 选项来自定义或完全禁用冷却期,便于在提升安全性与满足项目需求或部署节奏之间取得平衡。
GitHub has introduced a new default cooldown for Dependabot version updates to enhance supply chain security. Moving forward, Dependabot will wait at least three days after a new package release becomes available on its registry before creating a pull request for that version update. This change is being implemented by default across all supported ecosystems on github.com and is scheduled to be included in GitHub Enterprise Server version 3.23.
The primary motivation behind this update is to mitigate risks associated with supply chain attacks. New software releases can sometimes be compromised or unstable, and malicious actors often exploit the brief period after a release to inject harmful code. By enforcing a short waiting period, GitHub provides enough time for community feedback and security signals to emerge, which helps ensure that developers do not inadvertently merge potentially malicious or broken code as soon as it is published.
It is important to note that this new default applies exclusively to standard version updates. Security updates remain unaffected and will continue to be opened immediately to ensure that critical vulnerabilities are patched without delay. GitHub emphasizes that this is a proactive security measure rather than a restrictive one, as users retain full control over their workflows.
For teams that prefer a different approach, the cooldown period can be customized or entirely disabled by modifying the cooldown option within the .github/dependabot.yml configuration file. This allows developers to balance the need for enhanced security with their specific project requirements or deployment cycles.
143 comments • Comments Link
- 对软件包更新实施自动"冷却"期,旨在为安全研究人员和自动化扫描公司争取一个窗口期,以便在恶意代码扩散到更广泛用户之前识别并报告。
- 虽然冷却期可能促使攻击者开发更复杂的延时载荷或混淆手段,但这也迫使他们提高利用手法的复杂度,从而抬高攻击门槛并减少低成本、自动化攻击的发生。
- 自动化安全工具越来越擅长识别可疑的软件包特征,例如源代码与 registry 文件的不一致、异常混淆或缺乏版本历史记录,即便不观察运行时行为也能发现问题。
- 一些批评者认为,冷却期不过是权宜之计,把安全负担转嫁给第三方公司,可能制造虚假的安全感,同时延缓对依赖管理进行必要的系统性改进。
- 关于现代语言包管理器是否应采用 Linux 发行版使用的经过审查、自上而下的验证模式,还是坚持开放、自下而上的哲学,长期存在分歧。
- 对组织而言,高频率更新难以维持,容易导致"更新疲劳",并在需要在技术债务与持续变更风险之间权衡时,造成安全团队与工程师之间的摩擦。
- 当前形势暴露了软件开发的结构性弱点:对庞大且未经审查的依赖树的依赖,造成巨大的攻击面,却缺乏相应的问责制或正式的供应链验证。
- 有人建议在包生态中整合计费和商业许可管理,以激励更好的安全性和维护,但也有人警告这会增加摩擦并促使开发者构建定制替代方案。
- 归根结底,最有效的防御仍是严格最小化依赖并主动开展内部审计,因为依赖外部的"冷却"窗口或第三方验证无法消除受损软件的风险。
讨论的核心在于开放、低摩擦的软件包分发的便利性与日益严峻的供应链攻击现实之间的张力。许多人把"冷却期"视为一种务实但不完美的机制,为安全研究人员争取检测与响应时间;另一些人则将其视为现代软件构建与维护方式中更大规模系统性失败的征兆。是否应让语言生态转向更加集中、经过审核的模型目前尚无共识:社区对于此类审查带来的好处是否能超过可能抑制创新和管理复杂依赖树所引发的后勤难题存在严重分歧。归根结底,这场讨论反映出对当前安全状况的普遍疲惫感——开发者夹在不断修补的压力与对第三方代码盲目信任所带来的风险之间。 • Implementing an automatic "cooldown" period for package updates aims to create a window for security researchers and automated scanning firms to identify and report malicious code before it reaches the broader user base.
• While cooldowns may encourage attackers to develop more sophisticated time-delayed payloads or obfuscation tactics, this shift forces them to increase the complexity of their exploits, effectively raising the bar and reducing the frequency of low-effort, automated attacks.
• Automated security tools are increasingly capable of identifying suspicious package characteristics—such as discrepancies between source code and registry files, unusual obfuscation, or lack of version history—even without observing runtime behavior.
• Some critics argue that cooldowns are merely a stopgap that shifts the burden of security to third-party firms, potentially providing a false sense of security while delaying necessary, systemic improvements to dependency management.
• There is a persistent divide regarding whether modern language package managers should adopt the curated, top-down validation models used by Linux distributions or maintain their open, bottom-up philosophy.
• Maintaining a high frequency of updates can be difficult for organizations, leading to "update fatigue" and friction between security teams and engineers who must balance technical debt against the risks of constant change.
• The current environment highlights a structural weakness in software development where reliance on vast, unvetted dependency trees creates significant attack surfaces without corresponding accountability or formal supply chain verification.
• Some propose that integrated billing and commercial license management within package ecosystems could incentivize better security and maintenance, though others caution that this would increase friction and push developers toward building custom alternatives.
• Ultimately, the most effective defense remains the rigorous minimization of dependencies and proactive internal audits, as reliance on external "cooldown" windows or third-party validation does not eliminate the risk of compromised software.
The discussion centers on the tension between the convenience of open, frictionless package distribution and the rising reality of supply chain attacks. While many participants see "cooldowns" as a practical, albeit imperfect, mechanism to provide security researchers time to act, others view them as a symptom of a larger, systemic failure in how modern software is built and maintained. There is no clear consensus on whether language ecosystems should move toward more centralized, curated models, as the community remains deeply divided over whether the benefits of such vetting outweigh the potential for stifling innovation and the logistical nightmare of managing complex, deep dependency trees. Ultimately, the conversation reflects a shared fatigue regarding the current state of security, where developers feel caught between the pressure to patch relentlessly and the risks inherent in blindly trusting third-party code.