seg_lol 9 hours ago

Be wary of upgrading dependencies too quickly. This is how supply chain incursions are able to spread too quickly. Time is a good firwall.

ImJasonH 9 hours ago

Here's a Go mod proxy-proxy that lets you specify a cooldown, so you never get deps newer than N days/weeks/etc.

https://github.com/imjasonh/go-cooldown

It's not running anymore but you get the idea. It should be very easy to deploy anywhere you want.
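As an added illustration of the cooldown idea in the comment above (example code, not the go-cooldown project's own): the filtering a cooldown-enforcing GOPROXY applies to the module proxy protocol's `/@v/list` and `.info` responses, so that a client behind it cannot resolve a version until it has been public for the configured age. The versions, timestamps and the seven-day policy below are constructed for the example; `@latest` is chosen by publish time here to keep the example free of a semver dependency.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// VersionInfo mirrors the JSON body a GOPROXY serves at
// /<module>/@v/<version>.info (and at /<module>/@latest).
type VersionInfo struct {
	Version string    `json:"Version"`
	Time    time.Time `json:"Time"`
}

// Cooldown is the policy a cooldown proxy enforces: a version becomes
// visible only once it has been published for at least MinAge.
// Now is injectable so the policy can be checked against a fixed clock.
type Cooldown struct {
	MinAge time.Duration
	Now    func() time.Time
}

// ParseInfo decodes an upstream .info body. A version without a publish
// time is rejected rather than waved through, so a malformed upstream
// response cannot bypass the cooldown.
func ParseInfo(body []byte) (VersionInfo, error) {
	var v VersionInfo
	if err := json.Unmarshal(body, &v); err != nil {
		return VersionInfo{}, fmt.Errorf("decode .info: %w", err)
	}
	if v.Time.IsZero() {
		return VersionInfo{}, fmt.Errorf("version %q has no publish time", v.Version)
	}
	return v, nil
}

// Eligible reports whether a version has aged past the cooldown.
func (c Cooldown) Eligible(v VersionInfo) bool {
	cutoff := c.Now().Add(-c.MinAge)
	return !v.Time.After(cutoff)
}

// FilterList produces the lines a cooldown proxy would return for
// /<module>/@v/list: the upstream versions minus anything too new.
// Order is kept as received; the go command sorts the list itself.
func (c Cooldown) FilterList(upstream []VersionInfo) []string {
	var out []string
	for _, v := range upstream {
		if c.Eligible(v) {
			out = append(out, v.Version)
		}
	}
	return out
}

// LatestEligible is what /@latest should answer under the policy: the most
// recently published version that has cleared the cooldown, or ok=false
// when nothing has yet.
func (c Cooldown) LatestEligible(upstream []VersionInfo) (VersionInfo, bool) {
	var best VersionInfo
	found := false
	for _, v := range upstream {
		if c.Eligible(v) && (!found || v.Time.After(best.Time)) {
			best, found = v, true
		}
	}
	return best, found
}

// SampleUpstream builds a constructed version history relative to now
// (not real module data).
func SampleUpstream(now time.Time) []VersionInfo {
	day := 24 * time.Hour
	return []VersionInfo{
		{Version: "v1.0.0", Time: now.Add(-30 * day)},
		{Version: "v1.1.0", Time: now.Add(-10 * day)},
		{Version: "v1.2.0", Time: now.Add(-2 * day)}, // still inside the window
	}
}

func main() {
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	policy := Cooldown{MinAge: 7 * 24 * time.Hour, Now: func() time.Time { return now }}
	upstream := SampleUpstream(now)
	fmt.Println("visible @v/list:", policy.FilterList(upstream))
	if latest, ok := policy.LatestEligible(upstream); ok {
		fmt.Println("@latest:", latest.Version)
	}
}
```

With a seven-day policy, v1.2.0 (published two days ago) is absent from the list and `@latest` resolves to v1.1.0; a `go get` behind such a proxy therefore cannot pick up a release until the window has passed, which is the delay that gives a compromised release time to be noticed and yanked.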

esafak 9 hours ago

They fixed that last summer: https://github.blog/changelog/2025-07-01-dependabot-supports...

jamietanna 9 hours ago

Yep, and we've had it for a while in Renovate too: https://docs.renovatebot.com/key-concepts/minimum-release-ag...

(I'm a Renovate maintainer)

(I agree with Filippo's post and it can also be applied to Renovate's security updates for Go modules - we don't have a way, right now, of ingesting better data sources like `govulncheck` when raising security PRs)

bityard 8 hours ago

A firwall also makes a good firewall, once ignited.

Hamuko 9 hours ago

>Time is a good firwall.

That just reminds me that I got a Dependabot alert for CVE-2026-25727 – "time vulnerable to stack exhaustion Denial of Service attack" – across several of my repositories.