From cc94a9c5f44e43974e4bc155a06f97b9cc9f8075 Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Thu, 8 Jan 2026 02:42:02 +1000
Subject: [PATCH] [CI] Dependabot: add a cooldown period for new releases

Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot. This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for frequently published malicious packages to be identified. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 266ee4bda..d37b55d7f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -32,6 +32,8 @@ updates:
 open-pull-requests-limit: 50
 registries:
 - maven-central
+ cooldown:
+ default-days: 7
 
 # Dependencies for GitHub Actions
 - package-ecosystem: 'github-actions'
@@ -43,3 +45,5 @@ updates:
 github-dependencies:
 patterns:
 - '*'
+ cooldown:
+ default-days: 7
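Review bot: The cooldown block is added only to the two update stanzas these hunks touch (the Maven one ending around line 34 and the github-actions one at the end of the file); lines 1–31 of `.github/dependabot.yml` are outside the patch, so if any other `package-ecosystem` entry lives there it still receives same-day releases and the same block should be applied to it. The rationale from the commit message belongs next to the setting as well, since readers of the config never see the commit: `# Supply-chain cooldown: wait 7 days after a release before proposing it, so malicious or withdrawn releases can be caught first` above each `cooldown:`. A flat 7 days for every dependency is a reasonable default, but the options reference linked in the commit also documents `exclude` and the `semver-*-days` keys, which let urgent-fix dependencies or patch releases use a shorter window; it is also worth confirming there whether the delay affects Dependabot security-update PRs for these ecosystems, because that changes the trade-off between "time to detect a bad release" and "time to receive a fix". Both hunks make the identical change, so this note applies to each.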