Merge pull request #4852 from alanorth/dependabot-cooldown

tdonohue · web-flow · commit 7c5f4d3c322e · 2025-11-24T09:06:58.000-06:00
.github/dependabot.yml: enforce dependency cooldown
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -15,6 +15,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together Angular package upgrades
@@ -101,6 +105,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together Angular package upgrades
@@ -188,6 +196,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together Angular package upgrades
@@ -274,6 +286,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together Angular package upgrades
