From 3472f99e238c1a4421cffdb21fadd8923b33a7f8 Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Mon, 26 Jan 2026 16:23:42 +0100
Subject: [PATCH] CI-1108: Add cooldown to Dependabot to mitigate supply-chain attacks

Add a 7-day cooldown period before Dependabot updates dependencies. This helps protect against supply-chain attacks by ensuring new package versions have time to be vetted by the community before adoption.

Co-Authored-By: opencode
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7af8a4f..25e563e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,5 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
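Review bot: The new `cooldown:` stanza carries no comment even though the neighbouring keys in this entry are documented inline (`# Location of package manifests`), so the rationale lives only in the commit message; add `# 7-day cooldown so new releases can be vetted before adoption (CI-1108)` above `cooldown:`. The hunk shows a single `updates` entry and cooldown is configured per entry, so any other ecosystems listed outside this hunk would need the same stanza or the delay applies only here; the entry itself starts before the hunk. Indentation of the added lines cannot be checked in this collapsed copy, and `default-days` must nest under `cooldown` at the same depth as `interval` under `schedule`, otherwise the key is silently misplaced. It is also worth confirming against the Dependabot documentation whether security updates bypass the cooldown, since a blanket 7-day delay that also held back fixes for published advisories would trade one risk for another; if finer control is wanted, the cooldown block also accepts per-semver-level day counts and an include/exclude package list, as far as I recall.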