security: Delay dependabot updates [TAROT-3707] #339

Merged
afsmeira merged 1 commit into master from am/delay-dependabot-updates
May 4, 2026

Conversation

@afsmeira (Contributor)

7 days should be enough when most malicious packages are patched within 24 hours.
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

@codacy-production (Bot) left a comment

Pull Request Overview

This PR cannot be merged in its current state as it introduces an invalid configuration key, `cooldown`, which is not supported by the GitHub Dependabot schema. Adding unrecognized keys will cause Dependabot to fail to parse the file, potentially disabling dependency updates entirely for this repository.

While the goal of delaying updates for security reasons is valid, Dependabot does not natively support a version-age or cooldown feature. To achieve the intended 7-day delay, you would need to use a different tool like Renovate with `stabilityDays`, or reduce the update frequency to weekly to minimize the noise of immediate releases.

About this PR

  • The proposed configuration change will not achieve the desired outcome because GitHub Dependabot lacks a native feature to delay updates based on release age. Implementing this would require external workflow logic or switching to a dependency manager with built-in stability delays.

Test suggestions

  • Verify that Dependabot correctly parses the configuration without schema errors.
  • Confirm that updates are only proposed for versions that have been released for at least 7 days.

Comment thread on .github/dependabot.yml
@afsmeira changed the title from "security: Delay dependabot updates" to "security: Delay dependabot updates [TAROT-3707]" on May 4, 2026.
@afsmeira merged commit eb78ab7 into master on May 4, 2026.
5 checks passed.