From f25d51e772d9c1f1fa4f3caa8a7bd9fff7872a88 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Mon, 2 Feb 2026 14:41:30 +1100
Subject: [PATCH] Add 7 day cooldown to Dependabot updates

This should make us less vulnerable to supply chain attacks:

- https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f43dca1226..1b2572a9cc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -31,6 +31,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     # Only specific requirements are specified in Gemfile, so don't touch it.
     versioning-strategy: lockfile-only
@@ -39,6 +41,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     # Only specific requirements are specified in package.json, so don't touch it.
     versioning-strategy: lockfile-only
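Review bot: The added `cooldown:` stanza in this hunk, and the identical one in the second hunk (`@@ -39,6 +41,8 @@`), carries no comment saying why releases are held back, while the neighbouring `versioning-strategy` line does explain itself; the rationale currently lives only in the commit message. Suggest a comment above each `cooldown:` such as `# Hold new releases for 7 days before proposing them, so a malicious or withdrawn release is likely to be pulled before we adopt it.` Note that the same 7-day delay also applies to patch releases that fix vulnerabilities; if that trade-off is unwanted, the `cooldown` block accepts `semver-patch-days` (and `include`/`exclude`) to shorten the hold for patches, and as far as I recall Dependabot security updates are not subject to the cooldown, which is worth confirming against the docs. Both hunks begin at file line 31, so each entry's `package-ecosystem` line and any `updates:` entry earlier in the file are outside this patch, and such an earlier entry would still receive releases immediately.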