From 80f462963012e648e3878e9fdd85cc63ed0b3e44 Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Thu, 8 Jan 2026 01:11:50 +1000
Subject: [PATCH] [CI] Dependabot: add a cooldown period for new releases

Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot. This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for frequently published malicious packages to be identified.

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 88985cbdef1e..41b307863fc3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -26,3 +26,5 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
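Review bot: The cooldown is added to only one `updates` entry (the block ending at the old line 28), and `cooldown` is a per-entry option rather than a file-wide one, so if the roughly 25 lines above the hunk hold other package-ecosystem entries they keep pulling new releases with no minimum age and need the same stanza for the commit message's intent to hold; the entry this hunk extends starts outside the hunk, so that cannot be confirmed here. The new keys also carry no comment, unlike the neighbouring `# Location of package manifests`, so the reason for the value is lost on the next reader; `+    cooldown:  # Minimum release age before Dependabot proposes an update (supply-chain cooldown)` would record it. Note as well that `default-days` delays every update equally; if patch releases should flow faster than major ones, the `semver-patch-days`, `semver-minor-days` and `semver-major-days` keys let the delay be split by release type.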