From 3340e90628ec6d49079066b8c210114de213b55b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Koz=C5=82owski?= Date: Wed, 27 May 2026 18:55:03 +0200 Subject: [PATCH 1/2] Add Scala Steward cooldown documentation Documents the updates.cooldown.minimumAge config (0.38.0) and dependencyOverrides (0.38.1) under a new Scala / JVM section. Co-Authored-By: Claude Opus 4.7 --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ docs/index.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) diff --git a/README.md b/README.md index 8e246a5..71005bf 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # Dependency Cooldowns In March 2026 alone, three widely-used packages were compromised after attackers gained access to tokens used to publish 
@@ -290,6 +291,47 @@ export COOLDOWN_MINUTES=4320 # 3 days, in minutes cargo cooldown build ``` +## Scala / JVM Ecosystem + +### Scala Steward + +[Scala Steward](https://github.com/scala-steward-org/scala-steward) is a bot that opens dependency update +PRs for JVM projects. Despite its name, it works with multiple build tools (sbt, Mill, Maven, Gradle, and +others). It added a cooldown feature in version 0.38.0, with more detailed configuration in 0.38.1. +Cooldowns are configured per-repository in a `.scala-steward.conf` file at the root of the project: + +```hocon +updates.cooldown = { + minimumAge = "3 days" +} +``` + +Scala Steward calculates a version's age from when it first observed the version, and ignores updates +younger than `minimumAge`. + +You can also override the cooldown for specific dependencies via `dependencyOverrides`: + +```hocon +updates.cooldown = { + minimumAge = "3 days" +} + +dependencyOverrides = [ + { + dependency = { groupId = "com.my-company" }, + cooldown = { minimumAge = "0 days" } + }, + { + dependency = { groupId = "com.example", artifactId = "foo" }, + cooldown = { minimumAge = "14 days" } + } +] +``` + +The first matching entry wins, so list more specific patterns before broader ones. See the +[Scala Steward repo-specific configuration docs](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md) +for more information. + ## Other ecosystems These language ecosystems currently offer no native cooldown support. There's 
@@ -482,6 +524,7 @@ RUN cooldowns.sh check | Bun | Relative durations | `minimumReleaseAge = 259200` in `bunfig.toml` | | Deno | Relative durations | `minimumDependencyAge: "P3D"` in `deno.json` | | Cargo | Third-party only | `cargo cooldown ` via `cargo-cooldown` crate | +| Scala Steward | Relative durations (0.38.0+) | `updates.cooldown.minimumAge = "3 days"` in `.scala-steward.conf` | | Go | Not available | Dependabot/Renovate only | | Maven/Gradle | Not available | Dependabot/Renovate only | | NuGet | Not available | Dependabot/Renovate only | diff --git a/docs/index.md b/docs/index.md index 6d98085..6be77fb 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -297,6 +297,47 @@ export COOLDOWN_MINUTES=4320 # 3 days, in minutes cargo cooldown build ``` +## Scala / JVM Ecosystem + +### Scala Steward + +[Scala Steward](https://github.com/scala-steward-org/scala-steward) is a bot that opens dependency update +PRs for JVM projects. Despite its name, it works with multiple build tools (sbt, Mill, Maven, Gradle, and +others). It added a cooldown feature in version 0.38.0, with more detailed configuration in 0.38.1. +Cooldowns are configured per-repository in a `.scala-steward.conf` file at the root of the project: + +```hocon +updates.cooldown = { + minimumAge = "3 days" +} +``` + +Scala Steward calculates a version's age from when it first observed the version, and ignores updates +younger than `minimumAge`. + +You can also override the cooldown for specific dependencies via `dependencyOverrides`: + +```hocon +updates.cooldown = { + minimumAge = "3 days" +} + +dependencyOverrides = [ + { + dependency = { groupId = "com.my-company" }, + cooldown = { minimumAge = "0 days" } + }, + { + dependency = { groupId = "com.example", artifactId = "foo" }, + cooldown = { minimumAge = "14 days" } + } +] +``` + +The first matching entry wins, so list more specific patterns before broader ones. See the +[Scala Steward repo-specific configuration docs](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md) +for more information. + ## Other ecosystems These language ecosystems currently offer no native cooldown support. There's 
@@ -489,6 +530,7 @@ RUN cooldowns.sh check | Bun | Relative durations | `minimumReleaseAge = 259200` in `bunfig.toml` | | Deno | Relative durations | `minimumDependencyAge: "P3D"` in `deno.json` | | Cargo | Third-party only | `cargo cooldown ` via `cargo-cooldown` crate | +| Scala Steward | Relative durations (0.38.0+) | `updates.cooldown.minimumAge = "3 days"` in `.scala-steward.conf` | | Go | Not available | Dependabot/Renovate only | | Maven/Gradle | Not available | Dependabot/Renovate only | | NuGet | Not available | Dependabot/Renovate only | From a0db56e137ca22c4e87e853172270983c7b4c9cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Koz=C5=82owski?= Date: Wed, 27 May 2026 19:01:06 +0200 Subject: [PATCH 2/2] Recommend 1-day cooldown for internal libraries Internal libraries may still bundle third-party transitive dependencies that were bumped by hand, so a small cooldown is safer than zero. Co-Authored-By: Claude Opus 4.7 --- README.md | 7 +++++-- docs/index.md | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 71005bf..c4639d2 100644 --- a/README.md +++ b/README.md @@ -319,7 +319,7 @@ updates.cooldown = { dependencyOverrides = [ { dependency = { groupId = "com.my-company" }, - cooldown = { minimumAge = "0 days" } + cooldown = { minimumAge = "1 day" } }, { dependency = { groupId = "com.example", artifactId = "foo" }, 
@@ -328,7 +328,10 @@ dependencyOverrides = [ ] ``` -The first matching entry wins, so list more specific patterns before broader ones. See the +The first matching entry wins, so list more specific patterns before broader ones. Note that even for +internal/company-controlled libraries it's worth keeping a small cooldown (e.g. one day) rather than zero: +those libraries can still pull in third-party transitive dependencies that were updated by hand and may +themselves be compromised. See the [Scala Steward repo-specific configuration docs](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md) for more information. diff --git a/docs/index.md b/docs/index.md index 6be77fb..7b4be34 100644 --- a/docs/index.md +++ b/docs/index.md @@ -325,7 +325,7 @@ updates.cooldown = { dependencyOverrides = [ { dependency = { groupId = "com.my-company" }, - cooldown = { minimumAge = "0 days" } + cooldown = { minimumAge = "1 day" } }, { dependency = { groupId = "com.example", artifactId = "foo" }, @@ -334,7 +334,10 @@ dependencyOverrides = [ ] ``` -The first matching entry wins, so list more specific patterns before broader ones. See the +The first matching entry wins, so list more specific patterns before broader ones. Note that even for +internal/company-controlled libraries it's worth keeping a small cooldown (e.g. one day) rather than zero: +those libraries can still pull in third-party transitive dependencies that were updated by hand and may +themselves be compromised. See the [Scala Steward repo-specific configuration docs](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md) for more information.
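Review bot: The first README.md hunk (`@@ -1,3 +1,4 @@`) adds nothing but an empty line above the `# Dependency Cooldowns` heading, and docs/index.md gets no matching change, so this looks accidental; drop it so the patch carries only the Scala Steward addition.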
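Review bot: In the new section (README.md `@@ -290,6 +291,47 @@`, mirrored in docs/index.md `@@ -297,6 +297,47 @@`), the sentence "Scala Steward calculates a version's age from when it first observed the version" is the security-relevant difference from the other tools on the page (Bun's key is literally `minimumReleaseAge`), and the text should state its consequence: the clock starts when this bot first sees a version, not when it was published, so a bot instance with no record of a version (a fresh deployment, for instance) delays it only relative to that first sighting. Two smaller points: the heading `## Scala / JVM Ecosystem` uses title case next to the existing `## Other ecosystems`, so `## Scala / JVM ecosystem` would match; and the `dependencyOverrides` example never exercises the "first matching entry wins" rule it explains, because its two entries cannot match the same artifact, so listing a `groupId = "com.example", artifactId = "foo"` entry ahead of a `groupId = "com.example"` catch-all would show the ordering concretely.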
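Review bot: The summary-table row (README.md `@@ -482,6 +524,7 @@`, mirrored in docs/index.md `@@ -489,6 +530,7 @@`) is inserted between `Cargo | Third-party only` and `Go | Not available`, which breaks the table's grouping by support level; either move it up beside Bun and Deno, or, since Scala Steward is an external bot rather than a build-tool feature, label it `Third-party only` like Cargo and leave it where it is. The `Relative durations` label also hides that the age is counted from first observation rather than release, which the prose hunk states. Separately, the unchanged `| Maven/Gradle | Not available | Dependabot/Renovate only |` row two lines below now contradicts the new section's claim that Scala Steward works with Maven and Gradle; update that row or qualify the claim.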
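Review bot: The rationale added in README.md `@@ -328,7 +328,10 @@` (mirrored in docs/index.md `@@ -334,7 +334,10 @@`) should say what the one-day cooldown actually buys: `minimumAge` on `groupId = "com.my-company"` is measured against the internal library's own version age, not against the age of the hand-bumped third-party transitive dependency it carries, so a single day only helps if the upstream compromise is reported within that window. Consider also splitting the caveat into its own paragraph so the "See the ... docs" pointer stands alone, as it did before the change.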