Cosmos security

Security Policy

Check the project’s Security Policy to learn how to report security vulnerabilities in Astronomer Cosmos and how security issues reported to the Astronomer Cosmos security team are handled.

Dependency Update Cooldown

To mitigate the risk of supply chain attacks from newly released versions, Cosmos enforces a 7-day cooldown period before merging automated dependency update pull requests. This cooldown gives time for the broader community to discover and report potential supply chain compromises in new releases before they are adopted into the project.

This policy currently applies to:

  • GitHub Actions version updates

  • Pre-commit hook updates

Both kinds of update are managed by Dependabot, which is configured with a 7-day cooldown for them.
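As an added illustration of the setting described above (not the Cosmos repository's own configuration file, which this page does not show), this is what a Dependabot cooldown looks like in a `.github/dependabot.yml`. It covers only the GitHub Actions entry; the `cooldown` block with `default-days` is Dependabot's own configuration key, and the `schedule` and `directory` values are assumptions.

```yaml
# Added example, not the Cosmos project's own dependabot.yml.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"          # assumed: workflows live under .github/workflows at the repo root
    schedule:
      interval: "weekly"    # assumed cadence
    # Hold every GitHub Actions version update for 7 days after the new
    # release is published, so a compromised release has time to be
    # discovered and reported before Dependabot opens a pull request.
    cooldown:
      default-days: 7
```

Without the `cooldown` block, Dependabot proposes a new version as soon as it is published, which is exactly the window a supply chain attacker relies on; the cooldown shifts adoption past the period in which most compromised releases are noticed and pulled.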