Harden Dependabot config: cooldown + Go/Rust ecosystems#240

Merged
rongxin-liu merged 4 commits into main from rongxin/harden-dependabot-config on May 15, 2026

Conversation

@rongxin-liu rongxin-liu commented May 15, 2026


Summary

  • Adds a cooldown buffer to every Dependabot ecosystem block.
  • Adds gomod and cargo ecosystem coverage so existing Rust/Go advisories begin auto-filing.
  • Normalizes the npm block's directory to the same root-relative form (/client) as the rest of the file.
  • Resolves the open zizmor/dependabot-cooldown code-scanning alerts on .github/dependabot.yml.

Cooldown values

For ecosystems that track semver (npm, gomod, cargo):

cooldown:
  default-days: 7
  semver-major-days: 14
  semver-patch-days: 3

For ecosystems that do not track semver (github-actions is pinned by ref/SHA, docker base-image tags don't follow strict semver):

cooldown:
  default-days: 7

Notes on each value:

  • default-days: 7 — Matches zizmor's documented dependabot-cooldown threshold and the broadly-cited "1 week" convention for letting a new release settle before auto-PR. Most documented supply-chain compromises in these ecosystems (xz-utils, ua-parser-js, eslint-scope, node-ipc) were detected and yanked within roughly 24–72 hours of the malicious release; 7 days is a comfortable margin over that observed window. semver-minor-days falls back to this value.
  • semver-patch-days: 3 — Patch releases are predominantly bug or security fixes with small diffs and review surface, so the buffer is shortened to keep patch uptake fast.
  • semver-major-days: 14 — Not for security but for non-security regression signal (API breakage, behavior drift) to surface in upstream issue trackers and downstream consumers before a major bump is auto-PR'd.

Cooldown applies only to version-update PRs. Security-update PRs driven by GHSA advisories bypass cooldown and file immediately, so this configuration does not lengthen exposure to known CVEs.

New ecosystems

gomod and cargo blocks use the directories: plural form to cover all module/crate roots in one entry each:

  • gomod: server, server/fake-antminer, server/fake-proto-rig, plugin/proto, plugin/antminer, plugin/virtual, tests/plugin-contract
  • cargo: sdk/rust/proto-fleet-plugin, plugin/asicrs

Both ecosystems group version updates into a single PR per ecosystem and ignore semver-major version-update PRs, mirroring the existing npm pattern. Security advisories ignore this filter and continue to file individually.

Until this change, neither ecosystem was being watched by Dependabot, which is why the 16 open Rust and 2 open transitive Go advisories had never produced auto-PRs.

What this closes

  • The open zizmor/dependabot-cooldown code-scanning alerts on .github/dependabot.yml.
  • Unblocks future auto-filing of Rust and Go advisories.

Adds a cooldown window to every ecosystem block (3 days default,
7 for major, 3 for minor, 1 for patch) so freshly published
versions get a buffer before being PR'd — mitigates the
auto-upgrade-on-day-zero supply-chain risk that zizmor's
dependabot-cooldown rule flags. Cooldown applies only to
version-update PRs; security advisories (GHSA) bypass it and
continue to file immediately.

Adds gomod and cargo ecosystem blocks covering the seven Go
modules and two Cargo crate roots, both grouped per-ecosystem
with semver-major version updates ignored (mirroring the existing
npm pattern). Security advisories are unaffected by that filter
and continue to file individually.

Without these, the existing 16 Rust and 2 Go Dependabot alerts
were never auto-PR'd because neither ecosystem was being watched.
Copilot AI review requested due to automatic review settings May 15, 2026 13:10
@rongxin-liu rongxin-liu requested a review from a team as a code owner May 15, 2026 13:10
Dependabot rejects semver-{major,minor,patch}-days for ecosystems
that don't track semver. github-actions are pinned by ref/SHA and
docker base-image tags don't follow semver, so only default-days
is accepted on those two blocks. npm, gomod, and cargo keep the
full semver-aware cooldown.

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s Dependabot configuration by adding a consistent “cooldown” window for version updates and extending Dependabot coverage to Go modules and Rust crates across the monorepo, aiming to reduce supply-chain risk while enabling automated advisory-driven PR filing.

Changes:

  • Added cooldown settings to each existing Dependabot update block.
  • Added new gomod and cargo update blocks covering multiple module/crate roots via directories:.
  • Grouped Go and Rust version updates into single PRs per ecosystem and ignored semver-major version updates.

zizmor's dependabot-cooldown rule requires default-days >= 7;
the 3-day value the rule flagged matches xz/ua-parser-js/eslint
detection windows but sits below the documented threshold, so the
audit kept firing on every block.

Raises default-days to 7 across all ecosystems. Keeps a wider
semver-major-days: 14 for non-security regression signal to surface
in upstream issue trackers before a major bump auto-PRs, and a
narrower semver-patch-days: 3 so patch-level security fixes still
land quickly. semver-minor-days falls back to default-days (7).

Security-update PRs continue to bypass cooldown regardless of these
values, so this does not lengthen exposure to known CVEs.

Other ecosystem entries use root-relative paths (/, /server, ...).
Dependabot's directory values are documented as root-relative;
align the npm block to the same convention.
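The constraints discussed in the PR description and the commit messages above (zizmor's dependabot-cooldown threshold of default-days >= 7, Dependabot rejecting semver-*-days on github-actions and docker, root-relative directory values, and the wildcard semver-major ignore the security review below questions) can be turned into a small policy check. The following is an added example, not the repository's own tooling: the config is written as Python dicts mirroring the keys of .github/dependabot.yml so it runs without a YAML parser, the BEFORE/AFTER samples are constructed from the page's description, the leading slashes on the Go and Rust roots are assumed from the root-relative convention, and schedule/groups are omitted because the checks do not use them.

```python
"""Policy checker for a Dependabot config, written as an added illustration of
the rules discussed in this PR; it is not the repository's own tooling.

The config is given as Python dicts mirroring the keys of .github/dependabot.yml
(version, updates[].package-ecosystem, directory/directories, cooldown, ignore)
so the example runs without a YAML parser.
"""

SEMVER_ECOSYSTEMS = {"npm", "gomod", "cargo"}   # ecosystems the PR treats as semver-tracking
SEMVER_KEYS = ("semver-major-days", "semver-minor-days", "semver-patch-days")
MIN_DEFAULT_DAYS = 7                             # zizmor dependabot-cooldown threshold cited in the PR


def _dirs(block):
    """Collect paths from either the singular or the plural directory key."""
    dirs = [block["directory"]] if "directory" in block else []
    return dirs + list(block.get("directories", []))


def check_block(block):
    """Return (severity, message) pairs for one entry under `updates:`."""
    eco = block.get("package-ecosystem", "<missing>")
    out = []
    cooldown = block.get("cooldown")
    if not isinstance(cooldown, dict):
        out.append(("error", f"{eco}: no cooldown block"))
    else:
        days = cooldown.get("default-days")
        if not isinstance(days, int) or days < MIN_DEFAULT_DAYS:
            out.append(("error", f"{eco}: default-days={days!r} is below {MIN_DEFAULT_DAYS}"))
        if eco not in SEMVER_ECOSYSTEMS:
            # Dependabot rejects semver-*-days on ecosystems that do not track semver
            for key in SEMVER_KEYS:
                if key in cooldown:
                    out.append(("error", f"{eco}: {key} is rejected for a non-semver ecosystem"))
    dirs = _dirs(block)
    if not dirs:
        out.append(("error", f"{eco}: no directory or directories key"))
    for d in dirs:
        if not d.startswith("/"):
            out.append(("error", f"{eco}: directory {d!r} is not root-relative"))
    for rule in block.get("ignore", []):
        # A wildcard semver-major ignore is the point the security review raised;
        # report it as advisory so the owner confirms major-only fixes are still triaged.
        if rule.get("dependency-name") == "*" and \
                "version-update:semver-major" in rule.get("update-types", []):
            out.append(("advisory", f"{eco}: wildcard semver-major ignore; "
                                    "confirm major-only security fixes are still triaged"))
    return out


def check_config(config):
    """Run check_block over every update entry; also require config version 2."""
    findings = []
    if config.get("version") != 2:
        findings.append(("error", "version must be 2"))
    for block in config.get("updates", []):
        findings.extend(check_block(block))
    return findings


def errors(config):
    return [msg for level, msg in check_config(config) if level == "error"]


def advisories(config):
    return [msg for level, msg in check_config(config) if level == "advisory"]


# Constructed samples (schedule/groups omitted; not needed by these checks).
# BEFORE reflects the state the commit messages describe before the fix-ups:
# 3-day default, semver keys on github-actions, npm directory without a leading slash.
BEFORE = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "client",
     "cooldown": {"default-days": 3, "semver-major-days": 7,
                  "semver-minor-days": 3, "semver-patch-days": 1}},
    {"package-ecosystem": "github-actions", "directory": "/",
     "cooldown": {"default-days": 3, "semver-major-days": 7,
                  "semver-minor-days": 3, "semver-patch-days": 1}},
    {"package-ecosystem": "docker", "directory": "/", "cooldown": {"default-days": 3}},
]}

# AFTER reflects the merged layout; leading slashes on the Go/Rust roots are assumed.
SEMVER_COOLDOWN = {"default-days": 7, "semver-major-days": 14, "semver-patch-days": 3}
NO_MAJOR = [{"dependency-name": "*", "update-types": ["version-update:semver-major"]}]
GO_ROOTS = ["/server", "/server/fake-antminer", "/server/fake-proto-rig", "/plugin/proto",
            "/plugin/antminer", "/plugin/virtual", "/tests/plugin-contract"]
RUST_ROOTS = ["/sdk/rust/proto-fleet-plugin", "/plugin/asicrs"]
AFTER = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/client",
     "cooldown": SEMVER_COOLDOWN, "ignore": NO_MAJOR},
    {"package-ecosystem": "github-actions", "directory": "/", "cooldown": {"default-days": 7}},
    {"package-ecosystem": "docker", "directory": "/", "cooldown": {"default-days": 7}},
    {"package-ecosystem": "gomod", "directories": GO_ROOTS,
     "cooldown": SEMVER_COOLDOWN, "ignore": NO_MAJOR},
    {"package-ecosystem": "cargo", "directories": RUST_ROOTS,
     "cooldown": SEMVER_COOLDOWN, "ignore": NO_MAJOR},
]}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for level, msg in check_config(cfg):
            print(f"[{name}] {level}: {msg}")
```

Run stand-alone, the BEFORE sample yields seven errors (the short cooldown on all three blocks, the three rejected semver keys on github-actions, and the non-root-relative npm directory), while AFTER yields no errors and three advisories, one per block that carries the wildcard major ignore. Wiring such a check into CI next to zizmor keeps the cooldown floor from regressing silently and makes the wildcard-ignore decision an explicit, reviewed one.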

Copy link
Copy Markdown

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

  • Reviewed pull request diff only (a67a9e3bd8ce5c89cbec3ce14cc5b78cd2faab2a...bb1a5f8231cdfe365201b3dd6a3ecedc4e948328, exact PR three-dot diff)
  • Model: gpt-5.5


Review Summary

Overall Risk: MEDIUM

Findings

[MEDIUM] Wildcard major-version ignores can suppress security remediation paths

  • Category: Infrastructure
  • Location: .github/dependabot.yml:60, .github/dependabot.yml:79
  • Description: The new Go and Rust Dependabot blocks ignore version-update:semver-major for every dependency. GitHub documents ignore as applying when Dependabot opens PRs for both version updates and security updates, and update-types can be used inside ignore to filter SemVer levels. (docs.github.com)
  • Impact: If a vulnerable Go or Rust dependency is only fixed in a major release, Dependabot may not raise the remediation PR for the server, plugins, contract tests, Rust SDK, or ASIC plugin. That leaves security alerts requiring manual discovery/remediation and can delay fixes in network-facing miner management components.
  • Recommendation: Do not use a wildcard major ignore for security-sensitive ecosystems. Prefer allowing Dependabot to open major security updates and control routine major version noise with grouping, review policy, or dependency-specific ignores with documented owners and expiration. If major updates must stay blocked, add a separate process that guarantees major-only security fixes are triaged.

Notes

The reviewed diff only changes .github/dependabot.yml; I did not find changed authentication, SQL, RPC, plugin runtime, frontend, protobuf, pool configuration, or command-execution code in scope. YAML parsing and git diff --check passed locally.


Generated by Codex Security Review |
Triggered by: @rongxin-liu |
Review workflow run

@rongxin-liu rongxin-liu merged commit 8e6876b into main May 15, 2026
75 checks passed
@rongxin-liu rongxin-liu deleted the rongxin/harden-dependabot-config branch May 15, 2026 14:25