Reading up on Renovate
2 deep · digging since mar 01
- Package Managers Need to Cool Down
A survey finds that while many package managers and update tools have adopted dependency cooldowns to prevent supply chain attacks, implementations vary wildly in naming, scope, and timestamp handling, and major ecosystems like Go, Maven, and Gradle still lack support.
- Turn Dependabot off
Dependabot's version-based security alerts are noisy and less effective than static analysis tools that check reachability of vulnerable functions.