security: Delay dependabot updates [TAROT-3707]#343
Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
The proposed changes attempt to introduce a 7-day delay for Dependabot updates using a cooldown property. However, this property is not supported by the GitHub Dependabot schema (v2).
Critical Blocker
Implementing this change will cause the Dependabot configuration to fail validation, effectively disabling updates for the Composer ecosystem instead of delaying them. Since the primary acceptance criterion—a 7-day delay—cannot be met via this configuration key, this PR should not be merged in its current state. You may need to explore alternative solutions such as custom GitHub Actions to filter pull requests by age.
About this PR
- The objective of delaying updates by 7 days cannot be achieved using the dependabot.yml configuration. GitHub does not currently provide a native 'cooldown' or 'delay' mechanism. Using unsupported keys will result in a configuration error.
Test suggestions
- Verify that the Dependabot configuration is valid and successfully implements a 7-day delay for updates.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that the Dependabot configuration is valid and successfully implements a 7-day delay for updates.
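For reference, the shape of a dependabot.yml that delays version updates with a cooldown block, as an added example that is not the diff from this PR. The Composer ecosystem and the 7-day figure come from the discussion above; the directory, schedule interval, the semver-specific day counts and the example package names are assumptions made for illustration. The review comment above treats the cooldown key as unsupported, so validate the file against the Dependabot schema in use for your repository before relying on it.

```yaml
version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"                 # assumed: composer.json at repository root
    schedule:
      interval: "daily"            # assumed: check daily, but only surface releases past the cooldown
    cooldown:
      # Wait 7 days after a release before opening a PR for it, so that a
      # package that turns out to be malicious and is pulled or patched within
      # the first day never reaches this repository.
      default-days: 7
      # Assumed refinement beyond the PR: longer waits for larger version jumps,
      # which carry more code churn and more chance of a hijacked release.
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
      # Assumed example names: packages the cooldown applies to, and packages
      # exempted from it so that their fixes arrive without delay.
      include:
        - "*"
      exclude:
        - "vendor/security-critical-lib"
```

The cooldown is a gap between a release and the earliest Dependabot PR that proposes it, not a delay on the schedule itself; the schedule still runs daily, and each run only considers versions whose age exceeds the configured days. Keep the exclude list short and name only packages whose fixes you are prepared to take sight-unseen.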