[security] Add a cooldown period to dependabot (GH-141866)
authorGregory P. Smith <68491+gpshead@users.noreply.github.com>
Sun, 23 Nov 2025 09:34:48 +0000 (01:34 -0800)
committerGitHub <noreply@github.com>
Sun, 23 Nov 2025 09:34:48 +0000 (01:34 -0800)
See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns and the description in the comment.

.github/dependabot.yml

index c8a3165d69036458709f0e492dacdff5598a83d6..7f3376f8ddb1e25e67a79641cfbdfe969f9a6f77 100644 (file)
@@ -12,6 +12,11 @@ updates:
         update-types:
           - "version-update:semver-minor"
           - "version-update:semver-patch"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"
     schedule:
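Review bot: The comment on the new `cooldown` stanza explains why a cooldown helps but not what it covers, and a 14-day `default-days` also holds back ordinary bug-fix releases, so a reader may assume it delays fixes for vulnerable dependencies as well. If I recall the Dependabot documentation correctly, `cooldown` applies to version updates only and security updates are not subject to it — worth confirming and recording, e.g. `# Applies to version updates only; Dependabot security updates are not delayed.` The single `default-days` value also applies uniformly to major, minor and patch bumps here; the per-type keys (`semver-minor-days`, `semver-patch-days`) could let patch releases flow sooner if that trade-off is wanted. The enclosing `updates` entry starts outside the hunk.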
@@ -19,3 +24,5 @@ updates:
     labels:
       - "skip issue"
       - "skip news"
+    cooldown:
+      default-days: 14
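Review bot: The second `cooldown` stanza (for the `pip` ecosystem) repeats `default-days: 14` without the rationale comment that the first stanza carries, so anyone editing only this entry loses the supply-chain context behind the number. Either add a short pointer such as `# Same supply-chain cooldown as the first entry; keep the two values in step.` or move the explanation to a file-level comment above `updates:` so both entries share it. The enclosing `updates` entry starts outside the hunk.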