Add cooldown to dependabot

This prevents dependabot from proposing an update soon after it is
released. This helps avoid buggy updates, and also provides adequate
time for "supply chain attacks" to be discovered and yanked.

Author: djmitche

.github/dependabot.yml

@@ -13,6 +13,11 @@ updates:
   # Enable updates for Rust packages
   - package-ecosystem: "cargo"
     directory: "/" # Location of package manifests
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 7
+      semver-patch-days: 3
     schedule:
       interval: "daily"
     ignore: