ci(dependabot): require 7-day cooldown for dependency upgrades

[kozlek]

Mitigate supply chain attacks by waiting 7 days before adopting any new dependency release. Most compromised PyPI packages are detected and yanked within hours-to-days of publication, so a release-age delay catches the overwhelming majority of malicious releases.

Security updates bypass this delay automatically — Dependabot's cooldown option is documented as "only available for version updates, not security updates", so CVE fixes still ship without waiting.

Mirrors the equivalent change in the Mergify monorepo (which uses Renovate's minimumReleaseAge): Mergifyio/mergify#31013.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Approval

Wonderful, this rule succeeded.

• #approved-reviews-by >= 2

🟢 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success = codespell
  • check-success = test (3.10)
  • check-success = test (3.11)
  • check-success = test (3.12)
  • check-success = test (3.13)
  • check-success = test (3.14)
  • check-success = test (3.8)
  • check-success = test (3.9)

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[Copilot]

Pull request overview

This PR aims to introduce a 7-day “cooldown” period for dependency update PRs by adding a cooldown.default-days: 7 setting to the Dependabot configuration.

Changes:

• Added a cooldown block to the pip Dependabot update config.
• Added a cooldown block to the github-actions Dependabot update config.

Comments suppressed due to low confidence (1)

.github/dependabot.yml:19

• Same issue here: cooldown/default-days is not part of the Dependabot v2 config schema and may invalidate the whole file, stopping updates. Prefer adjusting schedule.interval (e.g., weekly) and/or using groups/ignore, or enforce cooldown in a tool that supports it rather than adding unknown keys to Dependabot config.

    cooldown:
      default-days: 7

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-22 09:53 UTC · Rule: default
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-05-22 09:53 UTC · at a96fe9f7ae452de23642948feb5c98fcfdec8826 · squash

This pull request spent 25 seconds in the queue, including 4 seconds running CI.

Required conditions to merge

• all of [🛡 Merge Protections rule Approval]:
  • #approved-reviews-by >= 2
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413
• all of [🛡 Merge Protections rule Continuous Integration]:
  • all of:
    • check-success = codespell
    • check-success = test (3.10)
    • check-success = test (3.11)
    • check-success = test (3.12)
    • check-success = test (3.13)
    • check-success = test (3.14)
    • check-success = test (3.8)
    • check-success = test (3.9)
• all of [🛡 Merge Protections rule Enforce conventional commit]:
  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413
• all of [🛡 Merge Protections rule 📕 PR description]:
  • body ~= (?ms:.{48,})
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413
• all of [🛡 Merge Protections rule 🔎 Reviews]:
  • #changes-requested-reviews-by = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413
  • #review-requested = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413
  • #review-threads-unresolved = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #413