
Conversation

@kiblik kiblik (Contributor) commented Nov 12, 2025

When a new k8s version is released, tests with Minikube fail because it is not yet fully ready to use the latest version. If Renovate waits 2 days, nothing critical will happen, and the review process will be much smoother (no need to troubleshoot why tests are failing).

@dryrunsecurity (DryRun Security) commented

This pull request introduces a 2-day deliberate delay for automated Kubernetes dependency updates via a minimumReleaseAge setting, which could leave the system exposed to newly disclosed high-severity vulnerabilities for up to 48 hours. While not flagged as blocking, this configuration increases security risk by postponing the application of critical patches.

Delayed Security Patching for Kubernetes in .github/renovate.json
Vulnerability: Delayed Security Patching for Kubernetes
Description: The configuration introduces a 'minimumReleaseAge' of '2 days' for Kubernetes dependencies. This intentionally delays automated updates, including critical security patches, for 48 hours. This delay creates a window of exposure where the system could remain vulnerable to newly disclosed high-severity exploits before a patch is applied.

```json
    "minimumReleaseAge": "2 days"
  }],
  "customDatasources": {
    "endoflife-oldest-maintained": {
```

All finding details can be found in the DryRun Security Dashboard.
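An added example, not from this PR and not DefectDojo's own tooling: a small Python review aid for exactly the trade-off discussed above. It reads a renovate.json, lists every packageRule that sets minimumReleaseAge with the delay converted to hours, and flags any delay over a review threshold unless the config explicitly sets minimumReleaseAge to null under vulnerabilityAlerts. The sample config is constructed (the package names are placeholders, not DefectDojo's), and the exemption rule is this example's own review policy, an assumption about how to vet such a change rather than Renovate's documented precedence between packageRules and vulnerabilityAlerts.

```python
"""Review aid: enumerate the update delay each Renovate packageRule imposes.

Added example, not DefectDojo's tooling. The exemption check models a review
policy chosen for this example, not Renovate's documented precedence rules.
"""
import json
import re

# Constructed sample config modelled on the rule this PR adds. Package names and
# the second rule are placeholders, not taken from DefectDojo's renovate.json.
SAMPLE_RENOVATE_JSON = """
{
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["example/kubernetes-image"],
      "minimumReleaseAge": "2 days"
    },
    {
      "matchDatasources": ["npm"],
      "minimumReleaseAge": "12 hours"
    },
    {
      "matchDatasources": ["pypi"],
      "automerge": true
    }
  ],
  "vulnerabilityAlerts": {
    "minimumReleaseAge": null
  }
}
"""

_UNIT_HOURS = {"minute": 1 / 60, "hour": 1.0, "day": 24.0, "week": 168.0}


def parse_release_age_hours(value: str) -> float:
    """Convert a duration such as "2 days" or "12 hours" to hours.

    Only the simple "<number> <unit>" form is handled here.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(minute|hour|day|week)s?\s*", value)
    if not match:
        raise ValueError(f"unsupported minimumReleaseAge value: {value!r}")
    return float(match.group(1)) * _UNIT_HOURS[match.group(2)]


def load_config(text: str) -> dict:
    """Parse renovate.json text into a dict."""
    return json.loads(text)


def delayed_rules(config: dict) -> list[dict]:
    """Return one record per packageRule that sets minimumReleaseAge."""
    found = []
    for index, rule in enumerate(config.get("packageRules", [])):
        age = rule.get("minimumReleaseAge")
        if not age:
            continue
        found.append({
            "index": index,
            "datasources": rule.get("matchDatasources", ["(any)"]),
            "packages": rule.get("matchPackageNames", ["(any)"]),
            "delay_hours": parse_release_age_hours(age),
        })
    return found


def security_updates_exempt(config: dict) -> bool:
    """True when vulnerabilityAlerts explicitly sets minimumReleaseAge to null.

    Assumed review policy of this example: only an explicit null counts.
    """
    alerts = config.get("vulnerabilityAlerts")
    return (isinstance(alerts, dict)
            and "minimumReleaseAge" in alerts
            and alerts["minimumReleaseAge"] is None)


def review_config(text: str, max_unexempt_hours: float = 24.0) -> list[str]:
    """Return a finding per rule whose delay exceeds the threshold without exemption."""
    config = load_config(text)
    if security_updates_exempt(config):
        return []
    findings = []
    for rule in delayed_rules(config):
        if rule["delay_hours"] > max_unexempt_hours:
            findings.append(
                f"packageRules[{rule['index']}] delays {rule['datasources']} "
                f"{rule['packages']} by {rule['delay_hours']:g}h with no "
                "vulnerabilityAlerts exemption"
            )
    return findings


def without_exemption(text: str) -> str:
    """Same config with the vulnerabilityAlerts block removed, for comparison."""
    config = load_config(text)
    config.pop("vulnerabilityAlerts", None)
    return json.dumps(config)


if __name__ == "__main__":
    for rule in delayed_rules(load_config(SAMPLE_RENOVATE_JSON)):
        print(rule)
    print("with exemption:", review_config(SAMPLE_RENOVATE_JSON))
    print("without exemption:", review_config(without_exemption(SAMPLE_RENOVATE_JSON)))
```

Run against the sample, the 2-day docker rule is listed with a 48-hour delay and produces a finding only when the vulnerabilityAlerts block is removed; the 12-hour npm rule stays under the threshold either way. Swapping in the repository's real renovate.json in place of the constructed sample is the intended use.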

@valentijnscholten valentijnscholten added this to the 2.52.2 milestone Nov 12, 2025
@mtesauro mtesauro (Contributor) left a comment

Approved

@valentijnscholten valentijnscholten merged commit 856aa7a into DefectDojo:bugfix Nov 13, 2025
149 checks passed
@kiblik kiblik deleted the renovate_minimumReleaseAge_k8s branch November 13, 2025 16:52

5 participants