ci(dependabot): require 7-day cooldown for dependency upgrades

[kozlek]

Mitigate supply chain attacks by waiting 7 days before adopting any new dependency release. Most compromised packages (Shai-Hulud, ua-parser-js, eslint-config-prettier, etc.) are detected and yanked within hours-to-days of publication, so a release-age delay catches the overwhelming majority of malicious releases before they hit our lockfiles.

Security updates bypass this delay automatically — Dependabot's cooldown option is documented as "only available for version updates, not security updates", so CVE fixes still ship without waiting.

Mirrors the equivalent change in the Mergify monorepo (which uses Renovate's minimumReleaseAge): Mergifyio/mergify#31013.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Required Reviews

Wonderful, this rule succeeded.

• any of:
  • #approved-reviews-by >= 2
  • author = dependabot[bot]

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[Copilot]

Pull request overview

This PR aims to reduce Dependabot PR churn by enforcing a 7-day “cooldown” between dependency upgrade PRs for both npm and GitHub Actions updates.

Changes:

• Adds a cooldown: default-days: 7 stanza to the npm Dependabot update config.
• Adds the same cooldown stanza to the GitHub Actions Dependabot update config.

Comments suppressed due to low confidence (1)

.github/dependabot.yml:22

• cooldown is not a recognized key in the Dependabot v2 configuration schema, so this will cause the config to be rejected and Dependabot updates to stop. Use a supported weekly schedule to approximate a 7-day cooldown and remove cooldown.

    cooldown:
      default-days: 7

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-22 09:52 UTC · Rule: default
• ✅ Checks passed · on draft merge queue: embarking main (0fb6ce9) and #487 together #488
• ✅ Merged — 2026-05-22 09:54 UTC · at c55de08c7acf88e26e424f6a34b5205636c0de90 · squash

This pull request spent 2 minutes 32 seconds in the queue, including 1 minute 46 seconds running CI.

Required conditions to merge

• all of:
  • check-success=actionlint
  • check-success=test
• all of [🛡 Merge Protections rule Enforce conventional commit]:
  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:
    • ci(dependabot): require 7-day cooldown for dependency upgrades #487
• all of [🛡 Merge Protections rule Required Reviews]:
  • any of:
    • #approved-reviews-by >= 2
      • ci(dependabot): require 7-day cooldown for dependency upgrades #487
    • author = dependabot[bot]
      • ci(dependabot): require 7-day cooldown for dependency upgrades #487
• all of [🛡 Merge Protections rule 📕 PR description]:
  • body ~= (?ms:.{48,})
    • ci(dependabot): require 7-day cooldown for dependency upgrades #487
• all of [🛡 Merge Protections rule 🔎 Reviews]:
  • #changes-requested-reviews-by = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #487
  • #review-requested = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #487
  • #review-threads-unresolved = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #487