From bb9b20664a1ac8d81a0129c849a53b186632b747 Mon Sep 17 00:00:00 2001 From: Chris Sinjakli Date: Thu, 9 Apr 2026 11:29:52 +0100 Subject: [PATCH] Add a 14 day dependency cooldown to the Dependabot config As a mitigation against supply-chain attacks, we're adopting a 14 day cooldown on dependency updates. This covers a lot of the supply chain attacks via compromised dependencies that have been seen in the wild so far, where the compromised version is only available for less than a day. This isn't perfect, or the whole story, but it's a good next step for us to take. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 14030fd..5fcd90f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,5 @@ updates: directory: "/" # Location of package manifests schedule: interval: "daily" + cooldown: + default-days: 14