Cosmos security
---------------

Security Policy
+++++++++++++++

Check the project's `Security Policy `_ to learn how to report security vulnerabilities in Astronomer Cosmos and how security issues reported to the Astronomer Cosmos security team are handled.

Dependency Update Cooldown
++++++++++++++++++++++++++

To mitigate the risk of supply chain attacks from newly released versions, Cosmos enforces a **7-day cooldown period** before merging automated dependency update pull requests. This cooldown gives time for the broader community to discover and report potential supply chain compromises in new releases before they are adopted into the project.

This policy currently applies to:

- GitHub Actions version updates
- Pre-commit hook updates

These updates are managed via `Dependabot `_, which is configured with a 7-day cooldown setting for these updates.
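As an added illustration (not the project's own ``.github/dependabot.yml``), the following shows how a Dependabot configuration expresses a 7-day cooldown for GitHub Actions updates; it assumes the ``cooldown`` block with ``default-days`` offered by Dependabot's configuration schema, and omits the pre-commit ecosystem entry since its identifier is not stated on this page.

```yaml
# Added example of a Dependabot configuration enforcing a 7-day cooldown.
# This is illustrative and not the repository's actual dependabot.yml.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Do not propose a newly published release until it has been
    # publicly available for at least 7 days, giving the community
    # time to spot and report a compromised release.
    cooldown:
      default-days: 7
```

The cooldown applies to the release's publication date, so a version withdrawn or flagged during that window never reaches a pull request.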