security: Delay dependabot updates [TAROT-3707]

[afsmeira]

7 days should be enough when most malicious packages are patched within 24 hours.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

The implementation uses a non-existent configuration property (cooldown) in .github/dependabot.yml. GitHub Dependabot does not currently support a native 'minimum release age' or delay feature. As a result, this PR will not achieve the goal of delaying npm updates by 7 days and will likely result in a configuration error.

To achieve this security requirement, consider using a third-party tool like Renovate Bot, which supports the minimumReleaseAge property, or implementing a custom GitHub Action to manage the lifecycle of Dependabot PRs based on the package release date.

About this PR

• The attempt to delay updates via a cooldown property is fundamentally incompatible with GitHub Dependabot's current feature set. The configuration will either be ignored or cause the Dependabot service to fail for this repository.

Test suggestions

• Verify dependabot.yml syntax against the official GitHub Dependabot schema.
• Confirm that a new npm package version released less than 7 days ago does not trigger a PR.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify dependabot.yml syntax against the official GitHub Dependabot schema.
2. Confirm that a new npm package version released less than 7 days ago does not trigger a PR.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}