security: Delay dependabot updates [TAROT-3707]#58
Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
Although Codacy analysis indicates the PR is up to standards, the current implementation fails to meet its primary objective. The use of an unsupported cooldown key in .github/dependabot.yml will result in a configuration error in the GitHub Dependabot dashboard, potentially disabling dependency updates entirely.
There is no native GitHub Dependabot configuration to delay package updates by a specific number of days. To align with the security intent of reducing exposure to immediate package releases, you should consider changing the update frequency to weekly or investigating third-party automation tools, as the current approach is invalid.
About this PR
- The proposed 'cooldown' property is not supported by the official GitHub Dependabot v2 schema. This will prevent the configuration from being parsed correctly and fails the acceptance criteria for a 7-day delay.
Test suggestions
- Verify dependabot.yml schema validity against GitHub's official specification
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify dependabot.yml schema validity against GitHub's official specification
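As an added example, not the diff from this PR and not the project's own file: a `.github/dependabot.yml` that applies the 7-day delay the PR title describes using the `cooldown` option documented in GitHub's dependabot.yml reference (the option was added in 2025, after the Dependabot v2 schema that many third-party validators still ship). The ecosystem, directory and interval below are assumptions; the PR's actual values are not shown on this page.

```yaml
# Added example, not the PR's file. Ecosystem/directory/interval are assumed.
version: 2
updates:
  - package-ecosystem: "npm"      # assumption: any supported ecosystem works
    directory: "/"
    schedule:
      interval: "daily"           # keep checking daily; cooldown does the delaying
    cooldown:
      # Do not open an update PR until a release has been public for 7 days,
      # which is the window the PR description relies on for malicious
      # versions to be reported and pulled.
      default-days: 7
```

`default-days` applies to every dependency in the block; `semver-major-days`, `semver-minor-days` and `semver-patch-days` override it per bump type, and `include` / `exclude` lists scope the cooldown to named dependencies. The practical check after merging is the Dependabot tab under the repository's Insights > Dependency graph, which reports a parse error if a key is rejected, and a test suggestion like the one above should validate against GitHub's current reference rather than a cached copy of the older v2 JSON schema.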