核心要点

限制每日/每周 PR 数量与并发；设定更新窗口与冻结期。生态与作用域白名单；关键依赖升级需人工审批与测试通过。

实现示例

type Update = { pkg: string; ecosystem: 'npm' | 'docker' | 'github-actions'; time: number }

/**
 * Update policy that `evaluate` audits a history against.
 * - dailyMax / weeklyMax: upper bounds on updates counted in the trailing 24h / 7d.
 * - allowEco: ecosystems that may be updated; any other ecosystem in the history is reported.
 * - window: inclusive [start, end] range, in the same unit as Update.time, in which updates may run.
 */
type Policy = {
  dailyMax: number
  weeklyMax: number
  allowEco: Set<string>
  window: { start: number; end: number }
}

/**
 * Returns true when `t` lies inside the range `w`; both `w.start` and `w.end` are inclusive.
 */
function within(w: { start: number; end: number }, t: number): boolean {
  const notBeforeStart = t >= w.start
  const notAfterEnd = t <= w.end
  return notBeforeStart && notAfterEnd
}

/**
 * Counts the updates whose `time` falls inside [start, end] (both ends inclusive).
 * Returns 0 for an empty history.
 */
function countInRange(history: Update[], start: number, end: number): number {
  let hits = 0
  for (const entry of history) {
    if (entry.time < start || entry.time > end) continue
    hits += 1
  }
  return hits
}

/**
 * Audits a dependency-update history against `policy` at time `now`.
 *
 * Checks, in order:
 * 1. `now` lies inside the inclusive policy window (otherwise 'window');
 * 2. updates in the trailing 24h exceed dailyMax (otherwise 'daily');
 * 3. updates in the trailing 7d exceed weeklyMax (otherwise 'weekly');
 * 4. every update in the whole history — not only the current window — uses an
 *    allowed ecosystem; each offending entry adds one `eco:<ecosystem>` line.
 *
 * @param history - past updates; `time` is in the same unit as `now` (ms in the day/week math).
 * @param policy - limits, allowed ecosystems and update window.
 * @param now - evaluation timestamp.
 * @returns `ok` is true only when no check failed; `errors` lists the failures in check order
 *   and serves as the evidence for a CI gate decision. Note that a disallowed ecosystem entry
 *   is reported once per update, so repeated ecosystems produce repeated lines.
 */
function evaluate(history: Update[], policy: Policy, now: number): { ok: boolean; errors: string[] } {
  const DAY_MS = 24 * 60 * 60 * 1000
  const WEEK_MS = 7 * DAY_MS
  const problems: string[] = []

  // Update window: both ends are inclusive.
  const { start, end } = policy.window
  if (now < start || now > end) problems.push('window')

  // Number of updates with a timestamp in [from, now] (inclusive).
  const countSince = (from: number): number => {
    let n = 0
    for (const entry of history) {
      if (entry.time >= from && entry.time <= now) n += 1
    }
    return n
  }

  if (countSince(now - DAY_MS) > policy.dailyMax) problems.push('daily')
  if (countSince(now - WEEK_MS) > policy.weeklyMax) problems.push('weekly')

  // Ecosystem allow-list is applied to every recorded update, independent of the window.
  history
    .filter(entry => !policy.allowEco.has(entry.ecosystem))
    .forEach(entry => problems.push(`eco:${entry.ecosystem}`))

  return { ok: problems.length === 0, errors: problems }
}

审计与 CI 门禁

审计记录 PR 数量、生态与时间窗口；超限阻断并输出证据。关键升级需审批与测试通过；冻结期内默认拒绝非紧急更新。
