Open
See:
- Dependabot supports configuration of a minimum package age - GitHub Blog, July 2025 - it's now very simple to configure Dependabot with a cooldown time period - a feature we don't yet have in Scala Steward
- We should all be using dependency cooldowns - yossarian, November 2025 - highlights that the attack window on many open source supply chain attacks is often only a few days - if an artifact is more than a week old, and has not been flagged by a supply chain security vendor, it is more likely to be safe to apply.
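As an added illustration (not code from this issue or from Scala Steward) of what a cooldown rule does to version selection: the newest candidate is held back until its publication date is at least the cooldown age, and the newest version that already clears the cooldown is proposed instead. The publication dates below are constructed, and the assumption that an HTTP repository's Last-Modified header on the POM stands in for a publication date is mine, not the issue's.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Last-Modified header an HTTP artifact repository
# would return for each version's POM (assumption: used here as the
# publication date, since Maven metadata itself carries none).
POM_LAST_MODIFIED = {
    "2.20.0": "Mon, 03 Nov 2025 10:00:00 GMT",
    "2.21.0": "Wed, 12 Nov 2025 10:00:00 GMT",
    "2.21.1": "Thu, 13 Nov 2025 10:00:00 GMT",
}


def parse_version(v):
    """Numeric dotted versions only, enough for the sample above."""
    return tuple(int(p) for p in v.split("."))


def published_at(version, last_modified=POM_LAST_MODIFIED):
    """Publication instant of a version, parsed from its Last-Modified header."""
    return parsedate_to_datetime(last_modified[version])


def select_update(current, candidates, cooldown_days, now):
    """Newest candidate newer than `current` that was published at least
    `cooldown_days` ago. Younger versions are held back; None if nothing
    qualifies yet."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [
        v for v in candidates
        if parse_version(v) > parse_version(current)
        and published_at(v) <= cutoff
    ]
    return max(eligible, key=parse_version, default=None)


if __name__ == "__main__":
    now = datetime(2025, 11, 15, tzinfo=timezone.utc)
    # With a 7-day cooldown, 2.21.x (2-3 days old) is held back; 2.20.0 is offered.
    print(select_update("2.19.0", list(POM_LAST_MODIFIED), 7, now))
```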
For Scala Steward, this issue is a revisit of a few old issues/PRs:
- Time-based delay configuration for new dependencies #1581 - this issue mentioned 2 connected problems: overly-frequent artifact updates from certain publishers (like the AWS SDK, updating daily with tiny, mostly uninteresting, API updates, causing many "expensive, long-running CI builds"), and the more general desire to avoid artifacts that have been very recently published ("sometimes brand new releases get unintentional breaking changes shipped out")
- Wait until currently used dependencies are sufficiently old before updating them #2322 - this was never completed, and closed in favour of:
- Add granular frequency control by groupId and artifactId #2515 - this allowed users to configure a slower update cadence for overly-frequent publishers like AWS, but just allowed applying the existing pullRequests.frequency logic to more specific artifact groups & ids - not changing the fact that sometimes very new dependencies would be promoted.
Sources of artifact-age data
Unfortunately, Maven does not currently encode a way to tell an artifact's publication date:
https://stackoverflow.com/q/69790966/438886
- Wait until currently used dependencies are sufficiently old before updating them #2322 (comment) - Frank points out that we want an approach that will work for all artifact repositories, not just Maven Central.
Questions
- How do we want to configure this? What should the configuration look like?