mirror of https://github.com/astral-sh/setup-uv.git synced 2025-12-23 11:01:03 +00:00

chore: use npm ci --ignore-scripts everywhere (#699)

Like https://github.com/astral-sh/ruff-action/pull/276 🙂 

This also adds cooldown stanzas to the Dependabot updater rules: this
ensures that we only receive dependency bumps once they're at least a
week old, which should reduce the window of opportunity for an attacker
who temporarily compromises popular packages (like with "Shai-Hulud"
last week).

Signed-off-by: William Woodruff <william@astral.sh>
William Woodruff
2025-12-02 02:08:49 -05:00
committed by GitHub
parent 5ae467fbf9
commit 64f7f4e15f
4 changed files with 8 additions and 4 deletions

@@ -4,8 +4,12 @@ updates:
directory: /
schedule:
interval: daily
cooldown:
default-days: 7
- package-ecosystem: npm
directory: /
schedule:
interval: daily
cooldown:
default-days: 7
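
Review bot: Both new `cooldown:` stanzas (the one in the first updates entry and the one under `package-ecosystem: npm`) set `default-days: 7` without any comment explaining the value, so the rationale exists only in the commit message. Consider a one-line YAML comment above each stanza, for example `# delay bumps by a week to ride out short-lived package compromises`, so a later edit does not shorten or drop the delay without seeing why it is there. It is also worth confirming that a single `default-days` value is intended for every kind of version bump in both entries, since these lines set no per-update-type override.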