From 401f1179402f9f2b8cf8e03668652d5b00f2b801 Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Mon, 26 Jan 2026 15:52:58 +0100
Subject: [PATCH] CI-1108: Add cooldown to Dependabot to mitigate supply-chain attacks
Add a 7-day cooldown period before Dependabot updates dependencies. This helps protect against supply-chain attacks by ensuring new package versions have time to be vetted by the community before adoption.
Co-Authored-By: opencode
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 977d00d..83fc53e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,4 +6,6 @@ updates:
 interval: "monthly"
 time: "08:00"
 timezone: "Europe/Berlin"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
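Review bot: The new `cooldown` stanza carries no comment, so a maintainer reading the file sees only `default-days: 7` with none of the supply-chain rationale that lives in the commit message; I would add above it `# CI-1108: wait 7 days after a release before proposing it, so a compromised version has a chance to be reported or yanked first`. Two interactions are worth recording in that comment or on the ticket: combined with the existing `interval: "monthly"`, a release published inside the 7-day window before a run is skipped until the following month, so the effective delay can approach five weeks rather than one; and, as far as I recall, cooldown governs version updates only and Dependabot security updates are not held back by it, which should be confirmed against the current docs since it decides whether this is a pure delay or a partial exception. The cooldown is a delay, not vetting, so it only helps when a malicious release is detected within the window; the rationale comment should say so rather than imply the version has been reviewed. The `updates:` entry this hunk belongs to starts before the hunk, and if the file holds further package-ecosystem entries each needs its own `cooldown` stanza, which is not visible here.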