From 70c01dd6fc6fef591d3eee6aab3c270bb9e07d51 Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Mon, 26 Jan 2026 15:31:10 +0100
Subject: [PATCH] CI-1108: Add cooldown to Dependabot to mitigate supply-chain attacks
Add a 7-day cooldown period before Dependabot updates dependencies. This helps protect against supply-chain attacks by ensuring new package versions have time to be vetted by the community before adoption.
Co-Authored-By: opencode
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace460..6cc0071 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
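Review bot: The new `cooldown` stanza delays only Dependabot version updates; as far as I recall from the Dependabot configuration docs, security updates raised from advisories are not subject to cooldown, so the seven-day window does not defer fixes for already-known vulnerabilities, and that distinction deserves to be stated in the file since the commit message frames the change purely as supply-chain hardening. A comment above the new keys would keep the intent visible to the next editor, e.g. `# Wait 7 days after a release before proposing it, so a compromised or yanked version is likely to be noticed first; advisory-driven security updates are not delayed by this.` If a blanket 7 days proves too slow for patch releases, the cooldown can be tuned per semver level with `semver-major-days`, `semver-minor-days` and `semver-patch-days` instead of a single `default-days`. The enclosing `updates` entry (`- package-ecosystem:`) starts above the hunk, so which ecosystem this applies to is not visible here, and the collapsed whitespace hides whether `cooldown` sits at the same indent as `schedule`, which it must.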