seg_lol | 9 days ago

Be wary of upgrading dependencies too quickly. This is how supply chain incursions are able to spread too quickly. Time is a good firwall.

ImJasonH|9 days ago

Here's a Go mod proxy-proxy that lets you specify a cooldown, so you never get deps newer than N days/weeks/etc

https://github.com/imjasonh/go-cooldown

It's not running anymore but you get the idea. It should be very easy to deploy anywhere you want.
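The cooldown idea from the comment above, as an added example (not code from go-cooldown or from the commenter): it filters the `.info` documents a Go module proxy serves at `<module>/@v/<version>.info` and keeps only versions older than the cooldown. `FilterCooldown`, `sampleInfos` and the sample versions are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// VersionInfo mirrors the JSON served at <module>/@v/<version>.info.
type VersionInfo struct {
	Version string    `json:"Version"`
	Time    time.Time `json:"Time"`
}

// FilterCooldown (hypothetical helper) returns the versions whose publish
// time is at least `cooldown` before `now`, in input order.
func FilterCooldown(infos [][]byte, cooldown time.Duration, now time.Time) ([]string, error) {
	cutoff := now.Add(-cooldown)
	var allowed []string
	for _, raw := range infos {
		var vi VersionInfo
		if err := json.Unmarshal(raw, &vi); err != nil {
			return nil, fmt.Errorf("bad .info document: %w", err)
		}
		// Fail closed: a missing version or timestamp counts as "too new".
		if vi.Version == "" || vi.Time.IsZero() || vi.Time.After(cutoff) {
			continue
		}
		allowed = append(allowed, vi.Version)
	}
	return allowed, nil
}

// sampleInfos returns constructed .info documents, not real proxy output.
func sampleInfos() [][]byte {
	return [][]byte{
		[]byte(`{"Version":"v1.2.0","Time":"2025-11-01T12:00:00Z"}`),
		[]byte(`{"Version":"v1.3.0","Time":"2026-02-10T09:30:00Z"}`),
		[]byte(`{"Version":"v1.3.1","Time":"2026-02-18T22:15:00Z"}`), // 2 days old
		[]byte(`{"Version":"v1.4.0"}`),                               // no timestamp
	}
}

func main() {
	now := time.Date(2026, 2, 20, 0, 0, 0, 0, time.UTC) // fixed clock for the demo
	vs, err := FilterCooldown(sampleInfos(), 7*24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(vs)
}
```
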

Hamuko|9 days ago

>Time is a good firwall.

That just reminds me that I got a Dependabot alert for CVE-2026-25727 – "time vulnerable to stack exhaustion Denial of Service attack" – across multiple of my repositories.

bityard|9 days ago

A firwall also makes a good firewall, once ignited.