New check: Dependency cooldown configuration

[mfisher87]

I feel that dependency cooldowns are an underappreciated best practice. In light of the ongoing spate supply chain attacks happening right now, I think it would be awesome for the repo review checks to ensure the repo has dependency cooldowns configured.

E.g. in pyproject.toml:

[tool.uv]
# "Dependency cooldown" to help prevent supply chain attacks
#    See: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
exclude-newer = "7 days"

prek auto-update also supports a --cooldown-days setting:

https://prek.j178.dev/cli/#prek-auto-update--cooldown-days

Though it's not configurable (yet): j178/prek#1765

[henryiii]

Zizmor supports this for dependabot. I've been thinking about adding a check for zizmor.

Dependabot about now supports pre-commit, and that also supports a cooldown. I've recently enabled checking for dependabot settings as an alternative to pre-commit. Maybe we could check for that setting if you're using dependabot for pre-commit.

It's hard to do this generically, or even know if you want to do it for some cases. This repo-review plugin is rather heavily biased toward the library usage, where I don't think it is best. You want to know if one of your dependencies breaks you as quickly as possible. That's why I don't like lock files for libraries either. We also don't assume that you're using uv.

For an application (like a website or something), I think it's generally a very good idea. Maybe setting up a new repo review plug-in for applications would make sense.

Also, I'm not really fond of this method of security for everyone, because if everyone does it, then that means that everything simply sits around for seven days, and then gets discovered. By putting a delay, you are expecting other people to get caught by the problem rather than you. For some repositories that are high risk, that is worth it, but I don't know if it should be applied to everyone via a check.

[henryiii]

It overlaps with zizmor, but we could do a cooldown check for actions in dependabot as well. If we add a check for zizmor, that might be redundant.

[mfisher87]

💯 on zizmor + dependabot checks

There's definitely overlap, but afaik dependabot won't check for a lot of things zizmor does, e.g. hashpinning, or unsafe use of the pull_request_target trigger. I'd love to see both checks in the repo reviewer!

[henryiii]

Oh, we could also check for using token based publishing instead of trusted publishing, at least with the official action.

[mfisher87]

💯 Yes, love that! Many don't know there's a better way, and (to me) that's the biggest value of the repo reviewer :)