From 1bb874d6f62a6535ecadcfb541166de91d8066d8 Mon Sep 17 00:00:00 2001
From: Ehab Younes
Date: Tue, 31 Mar 2026 11:59:31 +0300
Subject: [PATCH] chore: harden supply chain security

- Remove keytar from onlyBuiltDependencies (optional vsce dep, unused).
- Add 7-day Dependabot cooldown to both ecosystems, matching coder/coder.
---
 .github/dependabot.yml | 4 ++++
 pnpm-workspace.yaml    | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c716093f..ab1f1612 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,10 +9,14 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
     ignore:
       # Pinned to engines.vscode minimum; bump manually with engine updates.
       - dependency-name: "@types/vscode"
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 2a2f7ea9..f1b8df6f 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -20,11 +20,13 @@ catalog:
 catalogMode: strict
 
+ignoredBuiltDependencies:
+  - keytar
+
 onlyBuiltDependencies:
   - "@vscode/vsce-sign"
   - bufferutil
   - electron
   - esbuild
-  - keytar
   - unrs-resolver
   - utf-8-validate
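Review bot: The two new `cooldown:` blocks carry no comment saying what the 7-day delay is for, so the rationale lives only in the commit message and will be lost on the next edit of this file; a one-line comment above each block would keep it in place, e.g. `# Wait 7 days after a release before proposing it, so a freshly published bad version can be pulled upstream before it reaches us.` The duplication across the github-actions and npm entries is unavoidable (Dependabot has no shared defaults), but the comment belongs on both. It is also worth confirming against Dependabot's documentation whether the cooldown delays security-advisory-driven updates as well, and recording the answer in that comment so nobody later assumes the wrong thing. The `updates` entries start before the hunk and the npm `ignore` list may continue past its last line.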
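Review bot: Listing `keytar` under `ignoredBuiltDependencies` only stops pnpm from warning that its install script was skipped; if `@vscode/vsce` still declares it as an optional dependency it is presumably still resolved and installed, just never built, and nothing in this file says why that is acceptable. I would add above the entry `# Optional dep of @vscode/vsce that this extension never uses; keep its native build script from running.` so the next person does not move it back to `onlyBuiltDependencies`. If the intent is to keep keytar out of node_modules entirely, that is a separate change (an override or dropping the optional dependency) that this hunk does not make. The `onlyBuiltDependencies` list may continue past the hunk's last line.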