[CI] Dependabot: add a cooldown period for new releases

jbampton · jbampton · commit 80f462963012 · 2026-01-08T01:11:55.000+10:00
Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot. This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for frequently published malicious packages to be identified. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -26,3 +26,5 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
