Add 14-day cooldown to Dependabot

hugovk · pganssle · commit e3b22091aee7 · 2026-04-24T09:44:14.000-04:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,4 +7,9 @@ updates:
     groups:
       actions:
         patterns:
-          - "*"
+          - "*"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
