From 99ce15f5a80bed10233dd219d76499d7715de9ef Mon Sep 17 00:00:00 2001
From: Heni Nechi
Date: Fri, 8 May 2026 11:15:48 +0100
Subject: [PATCH] chore(deps): add 7-day Dependabot cooldown (PTFM-18885)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mitigates supply-chain attacks where a malicious version is published, detected, and yanked within hours/days — without cooldown, Dependabot can open a PR for the malicious version before it's pulled.
Ref: https://kpler.atlassian.net/browse/PTFM-18885
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d202a33..d0bf4e4 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,5 @@ updates:
 schedule:
 # Check for updates to GitHub Actions every week
 interval: "weekly"
+ cooldown: # Reduce supply chain attack risk
+ default-days: 7
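Review bot: The inline comment on the added `cooldown:` line breaks the file's own convention, where the comment sits on the line above the key (as the `# Check for updates to GitHub Actions every week` context line shows), and it gives no rationale for the number; suggest moving it above the key and writing `# Wait 7 days after a release before proposing it, so versions that are published and then yanked as malicious are skipped`, which otherwise lives only in the commit message. Two things are worth confirming because indentation is lost in this paste: `cooldown` must be a sibling of `schedule` within the same `updates` entry rather than nested under it, and this entry appears to be the GitHub Actions one only, so if the file declares other package ecosystems outside the hunk they remain without a cooldown. As I recall, the cooldown governs version updates only and Dependabot security updates are not held back by it, which the comment could also state so nobody assumes advisory-driven PRs are delayed as well.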