Add cooldown to Dependabot version upgrades

chris-janidlo · khk-globus · commit 5affb22fa43e · 2026-02-18T11:51:56.000-05:00
Cooldowns give package repository maintainers time to mitigate supply chain attacks before those attacks reach us. The period of 7 days was chosen based on some informal research in the blog post that motivated this change. https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
