From 9409be4ad7b4641412f3681bfa48568229aa5469 Mon Sep 17 00:00:00 2001 From: John Bampton Date: Thu, 8 Jan 2026 00:43:09 +1000 Subject: [PATCH] [CI] Dependabot: add a cooldown period for new releases Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot. This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for newly published malicious releases to be identified and removed before they are pulled in automatically. --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5f9cb3ae60..0ad286b185 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,6 +26,8 @@ updates: github-dependencies: patterns: - '*' + cooldown: + default-days: 7 - package-ecosystem: pip directory: /docker @@ -36,3 +38,5 @@ updates: github-dependencies: patterns: - '*' + cooldown: + default-days: 7
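Review bot: The cooldown is added only to the two `updates` entries these hunks touch (the entry closed by the first hunk and the pip `/docker` entry), so any entry earlier in `.github/dependabot.yml` that is outside this patch, such as a `github-actions` ecosystem block, would still be updated on day zero unless it already has one; that is worth checking, since action tags are a channel frequently abused by exactly the kind of compromise this change is meant to blunt. Both hunks set only `default-days: 7`, and nothing in the file records why; a comment such as `# 7-day cooldown: give newly published releases time to be vetted or yanked before auto-update` above each `cooldown:` block would keep the rationale next to the setting. If a flat 7-day delay on every release proves too slow for fixes, Dependabot's `semver-patch-days` / `semver-minor-days` / `semver-major-days` keys allow a shorter wait for patch releases than for majors. Also, as far as I recall cooldown applies to Dependabot version updates only and security updates bypass it; confirm against the current documentation so the trade-off between delaying legitimate fixes and filtering malicious releases is understood.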