From: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Date: Sun, 23 Nov 2025 09:34:48 +0000 (-0800)
Subject: [security] Add a cooldown period to dependabot (GH-141866)
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2746c698e33fabd2eb886b0994141b29f14f1d91;p=thirdparty%2FPython%2Fcpython.git

[security] Add a cooldown period to dependabot (GH-141866)

See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns and the description in the comment.
---
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c8a3165d6903..7f3376f8ddb1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,11 @@ updates:
 update-types:
 - "version-update:semver-minor"
 - "version-update:semver-patch"
+ cooldown:
+ # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+ # Cooldowns protect against supply chain attacks by avoiding the
+ # highest-risk window immediately after new releases.
+ default-days: 14
 - package-ecosystem: "pip"
 directory: "/Tools/"
 schedule:
@@ -19,3 +24,5 @@ updates:
 labels:
 - "skip issue"
 - "skip news"
+ cooldown:
+ default-days: 14
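Review bot: The rationale comment lives only on the github-actions `cooldown:` block in the first hunk; the pip block added in the second hunk has a bare `default-days: 14`, so a reader of that entry alone has no link to why 14 days was chosen or to the blog post. I would add a one-line pointer there, e.g. `# Same 14-day supply-chain cooldown as the github-actions entry above.`, so the two stay in step if either value is tuned later. The comment should also spell out the trade-off the commit message does not: a cooldown delays every version update, including a release that happens to fix a published vulnerability, and the only thing that bypasses it is Dependabot's separate security-update path, which as far as I can tell from the docs is exempt from cooldown but only fires where Dependabot alerts are enabled for the repository; that exemption is worth confirming for the `/Tools/` pip manifest rather than assumed. Note that the first hunk's `updates:` list item starts above the hunk, so the ecosystem it belongs to is inferred from the hunk header's context rather than visible here.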