From 641222d9f6e167cc9d69f3db889d1fd6ff8449d8 Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Mon, 26 Jan 2026 16:23:51 +0100
Subject: [PATCH] CI-1108: Add cooldown to Dependabot to mitigate supply-chain attacks

Add a 7-day cooldown period before Dependabot updates dependencies. This helps protect against supply-chain attacks by ensuring new package versions have time to be vetted by the community before adoption.

Co-Authored-By: opencode
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c9bfd79..02d11b7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,6 +10,8 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
 labels:
 - "dependencies"
 registries:
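Review bot: The new `cooldown` block is attached to only this one `updates` entry (the one with `directory: "/"`); if dependabot.yml has further entries below the hunk — a `github-actions` ecosystem entry is common and is just as much a supply-chain vector — they keep the no-delay behaviour, so either repeat the block there or confirm this is the only entry. The `7` is a bare magic number in a security control, and a comment tying it to the ticket and rationale would help the next maintainer, e.g. `# CI-1108: wait 7 days after a release before opening an update PR, so a compromised release can be spotted and yanked before we adopt it.` If I recall the Dependabot docs correctly, cooldown does not delay security updates; please confirm and state that in the same comment, since otherwise a reader may assume vulnerable versions linger for a week. The `updates` list item this belongs to starts above the hunk.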