Dependabot on olafalders.comhttps://www.olafalders.com/categories/dependabot/Recent content in Dependabot on olafalders.comHugo -- gohugo.ioen© 2026 Olaf AldersTue, 19 May 2026 00:00:00 +0000On Cooldowns and Dependabot Tuninghttps://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/Tue, 19 May 2026 00:00:00 +0000https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/Dependabot's defaults can make it look like an agent of chaos. Cooldowns, dependency groups, and a Claude skill turn down the churn from 11.<!-- markdownlint-disable MD003 MD033 MD046 --> <p><a href="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured.jpeg" ><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="featured" width="2048" height="1152" src="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_9a2ec17ba15737ab.jpeg" srcset="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_9a2ec17ba15737ab.jpeg 800w, https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_fd46ea94c5019e09.jpeg 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured.jpeg"></figure> </a></p> <!-- markdownlint-disable-line --><p class="attribution">"Iceberg" by longhorndave is licensed under <a rel="noopener noreferrer" href="https://creativecommons.org/licenses/by/2.0/?ref=openverse">CC BY 2.0 <img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /></a>.</p> <p>Dependabot&rsquo;s defaults can make it look like an agent of chaos. There are a couple of things you can do to turn down the churn from 11.</p> <ol> <li><a href="https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html" target="_blank">package manager cooldowns</a></li> <li><a href="https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#grouping-related-dependencies-together" target="_blank">Dependabot groups</a></li> <li><a href="https://github.com/oalders/kitchen-sink/blob/bba1217882b1570d081623190784404f69dec6c5/skills/tune-dependabot-config/SKILL.md" target="_blank">an LLM skill to implement items 1 and 2</a></li> </ol> <h2 class="relative group">Cooldowns <div id="cooldowns" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#cooldowns" aria-label="Anchor">#</a> </span> </h2> <p>The idea behind cooldowns is essentially that unless you&rsquo;re constantly in YOLO mode, you probably don&rsquo;t need something that was released to the world 5 minutes or even 5 days ago. Yes, there are exceptions (security updates, some brand new thing, etc). Just waiting a few days (or a week) can reduce your exposure to supply chain attacks because a large percentage of compromised packages will have been discovered in the hours/days after a release. It&rsquo;s not a silver bullet, but it mitigates your exposure to some extent.</p> <h2 class="relative group">Dependabot groups <div id="dependabot-groups" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#dependabot-groups" aria-label="Anchor">#</a> </span> </h2> <p>The idea behind Dependabot groups is that you have an escape hatch out of Dependabot pull request hell, where X pull requests are opened that all touch the same files, generally require rebasing if you merge them serially, and sometimes break your CI because they should have been bundled together.</p> <p>If you&rsquo;ve ever been in the position of Dependabot proposing major version upgrades to the <a href="https://github.com/actions/upload-artifact" target="_blank">upload-artifact</a> action and the <a href="https://github.com/actions/download-artifact" target="_blank">download-artifact</a> action in discrete pull requests, you probably know what I&rsquo;m talking about. Neither PR on its own will pass CI. Merging either PR breaks your top level CI. You either need to fix this manually by combining the PRs before merge or merge both broken PRs individually and hope for the best. Similarly, if you have a bunch of different minor version updates to your npm dependencies, which all touch the same lockfile, you may also appreciate being able to group your dependencies.</p> <h2 class="relative group">The skill <div id="the-skill" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-skill" aria-label="Anchor">#</a> </span> </h2> <p>I have too many repositories to want to manage this by hand, especially when I have a number of slightly different dependabot configs. There&rsquo;s not necessarily a one-size-fits-all solution. So, a good fit for me is to use <a href="https://github.com/oalders/kitchen-sink/blob/bba1217882b1570d081623190784404f69dec6c5/skills/tune-dependabot-config/SKILL.md" target="_blank">a Claude skill to update my deps</a>.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> My &ldquo;tune dependabot&rdquo; skill will examine a dependabot config and apply cooldowns as well as groups, where needed. If the config does not yet exist, it&rsquo;s happy to create a new one from scratch. For me this is a quality of life thing as I have accumulated too many repositories for this kind of banal work to be enjoyable. In addition to the security benefits, it also reduces some of the friction that comes with having to merge a lot of dependabot pull requests on an ongoing basis.</p> <h2 class="relative group">A tuned config <div id="a-tuned-config" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#a-tuned-config" aria-label="Anchor">#</a> </span> </h2> <p>Here&rsquo;s a sample, tuned config file. GitHub Actions gets two groups: major version bumps are batched together so that changes to things like <code>upload-artifact</code> and <code>download-artifact</code> can be merged together, with minor and patch updates bundled into their own pull request. The <code>gomod</code> and <code>npm</code> ecosystems only group minor and patch updates, which allows the major version bumps to be tested in isolation. Every ecosystem gets a one week cooldown period.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">updates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;github-actions&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">major-updates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;major&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="l">gomod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/go&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">open-pull-requests-limit</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="l">npm</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">open-pull-requests-limit</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span></span></span></code></pre></div></div> <p>This gets me fewer rebases, boring CI, and a few extra days of waiting while the rest of the world identifies the bad actors.</p> <div class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1"> <p>Written with <a href="https://github.com/obra/superpowers" target="_blank">Superpowers</a>, as usual.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </div> <p><a href="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/">Read on website</a></p>