Cooldowns and Dependabot Tuning


On Cooldowns and Dependabot Tuning · olafalders.com


"Iceberg" by longhorndave is licensed under CC BY 2.0.

Dependabot's defaults can make it look like an agent of chaos. There are a couple of things you can do to turn down the churn from 11:

1. package manager cooldowns
2. Dependabot groups
3. an LLM skill to implement items 1 and 2

Cooldowns

The idea behind cooldowns is essentially that unless you're constantly in YOLO mode, you probably don't need something that was released to the world 5 minutes or even 5 days ago. Yes, there are exceptions (security updates, some brand new thing, etc). Just waiting a few days (or a week) can reduce your exposure to supply chain attacks because a large percentage of compromised packages will have been discovered in the hours/days after a release. It's not a silver bullet, but it mitigates your exposure to some extent.

Dependabot groups

The idea behind Dependabot groups is that you have an escape hatch out of Dependabot pull request hell, where X pull requests are opened that all touch the same files, generally require rebasing if you merge them serially, and sometimes break your CI because they should have been bundled together.

If you've ever been in the position of Dependabot proposing major version upgrades to the upload-artifact action and the download-artifact action in discrete pull requests, you probably know what I'm talking about. Neither PR on its own will pass CI. Merging either PR breaks your top level CI. You either need to fix this manually by combining the PRs before merge or merge both broken PRs individually and hope for the best.

Similarly, if you have a bunch of different minor version updates to your npm dependencies, which all touch the same lockfile, you may also appreciate being able to group your dependencies.

The skill

I have too many repositories to want to manage this by hand, especially when I have a number of slightly different dependabot configs. There's not necessarily a one-size-fits-all solution. So, a good fit for me is to use a Claude skill to update my deps.[1]

My "tune dependabot" skill will examine a dependabot config and apply cooldowns as well as groups, where needed. If the config does not yet exist, it's happy to create a new one from scratch. For me this is a quality of life thing as I have accumulated too many repositories for this kind of banal work to be enjoyable. In addition to the security benefits, it also reduces some of the friction that comes with having to merge a lot of dependabot pull requests on an ongoing basis.

A tuned config

Here's a sample, tuned config file. GitHub Actions gets two groups: major version bumps are batched together so that changes to things like upload-artifact and download-artifact can be merged together, with minor and patch updates bundled into their own pull request. The gomod and npm ecosystems only group minor and patch updates, which allows the major version bumps to be tested in isolation. Every ecosystem gets a one week cooldown period.

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: weekly
    groups:
      major-updates:
        patterns:
          - "*"
        update-types:
          - "major"
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    cooldown:
      default-days: 7
  - package-ecosystem: gomod
    directory: "/go"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    cooldown:
      default-days: 7
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    cooldown:
      default-days: 7
```
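The "tune dependabot" skill and the tuned config above describe one policy: every ecosystem waits a week, GitHub Actions batches majors and bundles minor+patch, and everything else bundles only minor+patch. As an added example (not the author's skill and not code from Dependabot or any project), here is a small Python script that audits a parsed dependabot config for missing cooldowns and groups and applies that policy without clobbering settings that are already there. It assumes the config has already been loaded into a dict (for instance with PyYAML's `yaml.safe_load`); the `UNTUNED` sample config is constructed for the example, and the function names `audit`, `tune` and `groups_for` are this example's own.

```python
"""Audit and tune a parsed Dependabot config (added example, not the
author's skill). Works on the dict you get from yaml.safe_load() so the
script itself needs no third-party packages."""

from copy import deepcopy

# Policy taken from the post: one week cooldown everywhere; GitHub Actions
# batches majors together (so upload-artifact/download-artifact bumps
# merge as one PR) and bundles minor+patch; other ecosystems bundle only
# minor+patch so major bumps are tested in isolation.
COOLDOWN_DAYS = 7
MINOR_AND_PATCH = {"patterns": ["*"], "update-types": ["minor", "patch"]}
MAJOR_UPDATES = {"patterns": ["*"], "update-types": ["major"]}


def groups_for(ecosystem: str) -> dict:
    """Group definitions the policy wants for one package ecosystem."""
    groups = {"minor-and-patch": deepcopy(MINOR_AND_PATCH)}
    if ecosystem == "github-actions":
        groups["major-updates"] = deepcopy(MAJOR_UPDATES)
    return groups


def audit(config: dict) -> list[str]:
    """Report every update entry that has no cooldown or no groups."""
    findings = []
    for entry in config.get("updates") or []:
        eco = entry.get("package-ecosystem", "?")
        where = entry.get("directory", "/")
        if not isinstance(entry.get("cooldown"), dict):
            findings.append(f"{eco} {where}: no cooldown")
        if not entry.get("groups"):
            findings.append(f"{eco} {where}: no groups")
    return findings


def tune(config: dict) -> dict:
    """Return a copy with cooldowns and groups filled in where missing.

    Existing values win, so a hand-tuned entry (say, a 3 day cooldown)
    is preserved, and running tune() on its own output changes nothing.
    """
    tuned = deepcopy(config)
    tuned.setdefault("version", 2)
    if not isinstance(tuned.get("updates"), list):
        tuned["updates"] = []
    for entry in tuned["updates"]:
        # "cooldown:" with an empty body parses as None, so normalise first.
        if not isinstance(entry.get("cooldown"), dict):
            entry["cooldown"] = {}
        entry["cooldown"].setdefault("default-days", COOLDOWN_DAYS)
        if not isinstance(entry.get("groups"), dict):
            entry["groups"] = {}
        for name, spec in groups_for(entry.get("package-ecosystem", "")).items():
            entry["groups"].setdefault(name, spec)
    return tuned


# Constructed sample: an untuned config, except npm already waits 3 days.
UNTUNED = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}},
        {"package-ecosystem": "npm", "directory": "/",
         "schedule": {"interval": "weekly"},
         "cooldown": {"default-days": 3}},
    ],
}

if __name__ == "__main__":
    for finding in audit(UNTUNED):
        print("before:", finding)
    print("after:", audit(tune(UNTUNED)) or "clean")
```

To run it against a real repository, load `.github/dependabot.yml` with `yaml.safe_load`, pass the result to `tune`, and write it back with `yaml.safe_dump`; reviewing the diff before committing keeps a human eye on anything the policy changed.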

This gets me fewer rebases, boring CI, and a few extra days of waiting while the rest of the world identifies the bad actors.

[1] Written with Superpowers, as usual.
