cljoly / rusqlite_migration

95%

master: 95%

LAST BUILD ON BRANCH deps-cool

branch: deps-cool

CHANGE BRANCH

x

Reset

Sync Branches

• deps-cool
• 1.3.0-alpha
• 1.3.1
• 220
• NOBLES5E/master
• add-benchmarks
• add-coveralls-badge
• additional-async-tests
• alpha-130-without-async
• arc-async
• async-pkg
• back-ubuntu-latest
• badges-update
• borked-ci
• bump
• bump-test-coverage
• bump-v110a2
• cargo-locked
• change-coverage-runner
• changelog-1.0.2
• changelog-update
• changelog-update-20
• changelog-update-20-alpha
• ci-perms
• cj/bump
• cj/ci-speed-up
• cj/display-m
• cj/opt-in-val
• cj/refactor-tests
• cj/test-valid-ms
• cleanup-ci
• cleanup-tests
• clement/force-run-ci
• clippy-fixes
• clippy-fixes-nov24
• cljoly-codeowner
• cljoly-patch-1
• cljoly-typo
• const-mirgrations-new
• coverage
• cow-lite
• dependabot/cargo/anyhow-1.0.100
• dependabot/cargo/anyhow-1.0.81
• dependabot/cargo/anyhow-1.0.82
• dependabot/cargo/anyhow-1.0.83
• dependabot/cargo/anyhow-1.0.86
• dependabot/cargo/anyhow-1.0.87
• dependabot/cargo/anyhow-1.0.88
• dependabot/cargo/anyhow-1.0.89
• dependabot/cargo/anyhow-1.0.90
• dependabot/cargo/anyhow-1.0.91
• dependabot/cargo/anyhow-1.0.92
• dependabot/cargo/anyhow-1.0.93
• dependabot/cargo/anyhow-1.0.94
• dependabot/cargo/anyhow-1.0.95
• dependabot/cargo/anyhow-1.0.96
• dependabot/cargo/anyhow-1.0.97
• dependabot/cargo/anyhow-1.0.98
• dependabot/cargo/anyhow-1.0.99
• dependabot/cargo/criterion-0.5
• dependabot/cargo/criterion-0.6.0
• dependabot/cargo/criterion-0.7.0
• dependabot/cargo/env_logger-0.11
• dependabot/cargo/env_logger-0.11.1
• dependabot/cargo/env_logger-0.11.5
• dependabot/cargo/env_logger-0.11.6
• dependabot/cargo/include_dir-0.7.4
• dependabot/cargo/insta-1.37.0
• dependabot/cargo/insta-1.38.0
• dependabot/cargo/insta-1.39.0
• dependabot/cargo/insta-1.40.0
• dependabot/cargo/insta-1.41.0
• dependabot/cargo/insta-1.41.1
• dependabot/cargo/insta-1.43.0
• dependabot/cargo/insta-1.43.1
• dependabot/cargo/insta-1.43.2
• dependabot/cargo/insta-1.44.1
• dependabot/cargo/lazy_static-1.5.0
• dependabot/cargo/log-0.4.21
• dependabot/cargo/log-0.4.22
• dependabot/cargo/log-0.4.25
• dependabot/cargo/log-0.4.26
• dependabot/cargo/log-0.4.27
• dependabot/cargo/log-0.4.28
• dependabot/cargo/mio-0.8.11
• dependabot/cargo/rusqlite-0.32.1
• dependabot/cargo/slab-0.4.11
• dependabot/cargo/tokio-1.36.0
• dependabot/cargo/tokio-1.37.0
• dependabot/cargo/tokio-1.38.0
• dependabot/cargo/tokio-1.38.1
• dependabot/cargo/tokio-1.39.1
• dependabot/cargo/tokio-1.39.2
• dependabot/cargo/tokio-1.39.3
• dependabot/cargo/tokio-1.40.0
• dependabot/cargo/tokio-1.41.0
• dependabot/cargo/tokio-1.41.1
• dependabot/cargo/tokio-1.42.0
• dependabot/cargo/tokio-1.43.0
• dependabot/cargo/tokio-1.44.0
• dependabot/cargo/tokio-1.44.1
• dependabot/cargo/tokio-1.44.2
• dependabot/cargo/tokio-1.45.0
• dependabot/cargo/tokio-1.45.1
• dependabot/cargo/tokio-1.46.0
• dependabot/cargo/tokio-1.47.0
• dependabot/cargo/tokio-1.47.1
• dependabot/cargo/tokio-1.48.0
• dependabot/cargo/tokio-test-0.4.4
• dependabot/cargo/zerocopy-0.7.32
• deprecate-new_iter
• deps-trimming
• dir-no-leading-0
• doc-badges
• doc-fixes
• doc-improvements
• doc-readme-sync
• doc-updates
• docsrs-list-features
• dont-pin-exact-rusqlite-version
• down-foreign-key-check
• eq-tests
• error-tests
• exp-readme
• fix-and-shard-mutants
• fix-ci
• fix-ci-lint
• fix-clippy-error
• fix-deprecated-insta-macro
• fix-deprs-shield
• fix-docs
• fix-lock
• fix-readme-deps-badge
• fix-source-mapping
• fix-typo
• fix-typo-feature-name
• fix-typos
• from-directory
• handle-extra_check
• ignore-artefacts
• improved-edit-api
• insta-doc
• jolycl/1755207812
• keep-api-compat-tests
• license-notices
• lite
• manifest-fresh-paint
• master
• md-links
• metadata-doc
• migrations-to-apply
• misc-clean-up
• misc-improvements
• modernize-cargo-toml
• more-tests
• move-benchmarks
• msrv
• multi-errors-fkc
• mutants-fixes
• new-tokio-rusqlite
• nightly-coverage
• on-push
• openssf
• optimize-from_directory
• out-of-bound-user-version
• patch-1
• pedantic-fixes
• prep-without-tokio
• pub-max_schema_version
• readme-sourcehut
• refactor-tests
• refresh-cargo-toml
• refs/pull/102/merge
• refs/pull/103/merge
• refs/pull/163/merge
• refs/tags/v1.1.0
• refs/tags/v1.1.0-alpha.2
• refs/tags/v1.1.0-beta.1
• refs/tags/v1.2.0
• refs/tags/v1.2.0-beta.1
• refs/tags/v1.3.0
• refs/tags/v1.3.0-alpha-without-tokio.1
• refs/tags/v1.3.0-beta.1
• refs/tags/v1.3.1
• refs/tags/v2.0.0
• refs/tags/v2.0.0-alpha.1
• refs/tags/v2.0.0-beta.1
• refs/tags/v2.1.0
• refs/tags/v2.2.0
• refs/tags/v2.2.0-beta.1
• refs/tags/v2.3.0
• release-110-beta1
• remove-async-iter2
• remove-badge
• remove-btreemap
• remove-dead-code
• remove-new-iter
• rename-async-feature-to-alpha
• require-new-rusqlite
• rusqlite-033
• rusqlite-036
• rust-180
• simpler-doc-generation
• speed-up-mutants
• test-duplication-fix
• test-fmt
• tweak-coverage
• tweak-docs
• update-actions
• update-cargo-mutants
• update-mutants-24.2
• update-rusqlite
• v1.1.0
• version-120
• version-120-beta1
• version-130
• version-130-beta-1
• version-200
• version-200-beta-1
• version-200-beta-1-next
• version-210

Build # 19595761232

Build Type

Pull #305

github

Committed by cljoly

Commit Message

ci: introduce dependency cool down

Supply chain attacks have become quite common recently. To limit this
risk, [one simple idea](https://lobste.rs/s/rygog1/) is to have a
cool down period, where new dependencies are not merged. While I review
the changes made in a version, it’s possible I miss something and merge
a vulnerable version. So let’s be a bit more cautious moving forward.

Note that this only applies to updates that are not security fixes:

> The cooldown option is only available for version updates, not security updates.

[GitHub docs](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference?versionId=free-pro-team%40latest&productId=code-security&restPage=dependabot#cooldown-)

While we are at it, remove the deps.rs badge. This is often broken,
displaying “depenencies unknown” and when it does work, it will say that
depenencies are out of date for longer because of the cooldown period.

Having a badge always green at the expense of a higher supply chain risk
is not the right tradeoff at this point.

Pull Request Pull Request #305: ci: introduce dependency cool down

Run Details

338 of 357 relevant lines covered (94.68%)

5.1 hits per line