From 8c210ded60a5dfd199ce415061c948e2f0bc7a94 Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Mon, 26 Jan 2026 16:24:01 +0100
Subject: [PATCH] CI-1108: Add cooldown to Dependabot to mitigate supply-chain attacks

Add a 7-day cooldown period before Dependabot updates dependencies. This helps protect against supply-chain attacks by ensuring new package versions have time to be vetted by the community before adoption.

Co-Authored-By: opencode
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a29c684..e9dd7ad 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
 interval: "weekly"
 time: "08:00"
 timezone: "Europe/Berlin"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
 - package-ecosystem: "composer"
@@ -15,6 +17,8 @@ updates:
 interval: "weekly"
 time: "08:00"
 timezone: "Europe/Berlin"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
 groups:
 composer-prod-updates:
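Review bot: A flat `default-days: 7` holds back every version update for the same period, whereas the exposure the description targets is concentrated in freshly published releases; the `cooldown` block also accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days`, so a longer wait on majors with a shorter one on patch releases would keep the protection where it matters without stalling routine fixes for a week. It is also worth confirming, and stating in the commit message, whether this cooldown delays Dependabot security updates as well, since a seven-day hold on a fix for an already-disclosed vulnerability is a trade-off the current description does not mention. A comment above each stanza, `# 7-day cooldown so new releases can be vetted before adoption (CI-1108)`, would keep the rationale next to the setting for whoever later tunes it. The same addition appears in the second hunk (the composer stanza), and the `- package-ecosystem` entry enclosing the first hunk starts outside the hunk, so the ecosystem it applies to is not visible here.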