
Dependabot Cooldown and GitHub Actions SHA Pinning — Supply Chain Defense for a Personal Blog
A Dependabot alert was the trigger to revisit the repository's automation: not just patching known CVEs, but also defending against maintainer-takeover supply chain attacks. This post bundles cooldown, Actions SHA pinning, npm overrides, ignore-scripts, and security-only auto-merge into one walkthrough.
Tags: security, supply-chain, dependabot, github-actions