Add dependabot config with 7-day dependency cooldown

pcarleton · claude · pcarleton · commit de6d9f768049 · 2025-11-25T20:32:55.000Z
Configures Dependabot to wait 7 days after a package is published before creating update PRs. This helps protect against supply chain attacks by allowing time for malicious packages to be detected and removed. See: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
