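// Key points (from the surrounding text): limit daily/weekly PR counts and
// concurrency; set an update window and freeze periods; allowlist ecosystems
// and scopes; critical dependency upgrades require manual approval and a
// passing test run.
//
// Implementation example. NOTE(review): only the update window, the rolling
// daily/weekly counts and the ecosystem allowlist are implemented below.
// Freeze periods, concurrency limits, scope allowlists and the approval /
// test gate are described in the text but have no representation in Policy
// or evaluate(); they must be enforced elsewhere in the CI gate.

/** One dependency-update PR as recorded in the audit history. */
type Update = {
  pkg: string
  ecosystem: 'npm' | 'docker' | 'github-actions'
  /** Timestamp in milliseconds; must be on the same clock as `now` in evaluate(). */
  time: number
}

/** Rate-limit and allowlist policy evaluated against the update history. */
type Policy = {
  /** Maximum number of updates allowed in the trailing 24 hours. */
  dailyMax: number
  /** Maximum number of updates allowed in the trailing 7 days. */
  weeklyMax: number
  /** Ecosystems that may appear in the history at all. */
  allowEco: Set<string>
  /** Absolute, closed [start, end] interval (same units as `now`) during which updates are permitted. */
  window: { start: number; end: number }
}

const DAY_MS = 24 * 60 * 60 * 1000
const WEEK_MS = 7 * DAY_MS

/** True when `t` lies inside the closed interval [w.start, w.end]. */
function within(w: { start: number; end: number }, t: number): boolean {
  return t >= w.start && t <= w.end
}

/** Number of history entries whose timestamp lies in [start, end] (both ends inclusive). */
function countInRange(history: Update[], start: number, end: number): number {
  return history.filter(u => u.time >= start && u.time <= end).length
}

/**
 * Evaluate the recorded update history against `policy` at time `now`.
 *
 * @param history all recorded updates; the trailing day/week are selected here.
 *   Entries timestamped after `now` are never counted, so `Update.time` must come
 *   from a trusted clock (the recorder), not from the PR author.
 * @param policy  limits and allowlist to enforce.
 * @param now     evaluation time, on the same clock and in the same units as `Update.time`.
 * @returns `ok` plus violation codes in this order: `'window'`, `'daily'`, `'weekly'`,
 *   then one `'eco:<name>'` per distinct disallowed ecosystem found in the history.
 *   An empty history with `now` inside the window is always `ok`.
 */
function evaluate(history: Update[], policy: Policy, now: number): { ok: boolean; errors: string[] } {
  const errors: string[] = []

  if (!within(policy.window, now)) errors.push('window')

  // Rolling windows ending at `now`. The comparison is `>` not `>=`: exactly
  // dailyMax entries in the last 24h is still allowed. If the candidate PR is
  // not yet in `history` when this runs, the gate admits one more than
  // dailyMax — record the PR before evaluating, or account for it in the caller.
  const daily = countInRange(history, now - DAY_MS, now)
  const weekly = countInRange(history, now - WEEK_MS, now)
  if (daily > policy.dailyMax) errors.push('daily')
  if (weekly > policy.weeklyMax) errors.push('weekly')

  // Report each disallowed ecosystem once (first-seen order) instead of once
  // per history entry, so the evidence list stays bounded and stable.
  const reported = new Set<string>()
  for (const u of history) {
    if (!policy.allowEco.has(u.ecosystem) && !reported.has(u.ecosystem)) {
      reported.add(u.ecosystem)
      errors.push(`eco:${u.ecosystem}`)
    }
  }

  return { ok: errors.length === 0, errors }
}

// Audit and CI gate: record PR count, ecosystem and time window; block when a
// limit is exceeded and emit the evidence (the `errors` list above). Critical
// upgrades additionally need approval and a passing test run; during a freeze
// period, non-urgent updates are rejected by default.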
