From 9710be59b5e46d2202df95e905c557986b213ad8 Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Thu, 8 Jan 2026 02:41:49 +1000
Subject: [PATCH] [CI] Dependabot: add a cooldown period for new releases

Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot. This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for frequently published malicious packages to be identified.
---
 .github/dependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6c20ea5888..d0a24e4de1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,8 @@ updates:
 schedule:
 interval: 'weekly'
 open-pull-requests-limit: 50
+ cooldown:
+ default-days: 7
 ignore:
 - dependency-name: "jakarta.platform:*"
 update-types: [ "version-update:semver-major" ]
@@ -73,6 +75,8 @@ updates:
 schedule:
 interval: 'monthly'
 open-pull-requests-limit: 50
+ cooldown:
+ default-days: 7
 ignore:
 - dependency-name: "jakarta.servlet.*:*"
 update-types: [ "version-update:semver-major" ]
@@ -112,6 +116,8 @@ updates:
 schedule:
 interval: 'weekly'
 open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
 groups:
 github-dependencies:
 patterns:
@@ -124,6 +130,8 @@ updates:
 schedule:
 interval: 'monthly'
 open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
 groups:
 github-dependencies:
 patterns:
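Review bot: The new `cooldown:` stanza in the first hunk (and identically in the three hunks that follow) carries no comment explaining the 7-day figure or its limits, so a reader of dependabot.yml cannot tell from the file that a cooldown only delays version-update pull requests — it is not a check on the release itself, and it should not be expected to hold back Dependabot security updates. Consider adding above each `cooldown:` the comment `# Hold new releases for 7 days before proposing them so a compromised or malicious version can be caught and yanked first; delays version updates only`. The delay also stacks with the schedule: on the `interval: 'monthly'` entries a release may wait well beyond 7 days before it is even considered, which is probably acceptable but is worth stating next to the value. If a different tolerance per release type is wanted, `semver-major-days` / `semver-minor-days` / `semver-patch-days` alongside `default-days` would keep that policy explicit rather than implied by one number. Each hunk sits inside a `- package-ecosystem:` entry whose start is outside the hunk.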