Added a cooldown to dep bot updates #23220
Conversation
cburroughs left a comment:
7 seems like a reasonable lucky number to try.
Were you motivated by security or "noise"?
7 is the default, just surfacing it. In watching all the hell that goes down in the JS supply-chain world, most of these sorts of issues are captured within the first few hours to maybe a day or two - or basically "never". I've been using this since it came out in PNPM. Definitely motivated by security. I'm still working through my local dev machine security to mitigate issues, but stuff like this is better for the community - especially as cargo, left unchecked, basically just yolos updates. Apparently this option has been here for a while, but I either didn't grok what it did, or didn't clue in that it existed. Had my brain been working, it would have been on at the start. I was reviewing some Rust updates, and saw a commit in one of our deps that added it, which referenced zizmor - who has a rule for it. So just 100% oversight on my part.
Dependabot still runs on its configured schedule interval, but it only proposes versions that have been published for longer than the cooldown period.
https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age/
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
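As an added illustration of the option discussed in this thread (this is not the PR's own diff or the project's actual config), here is a `.github/dependabot.yml` entry with no cooldown, which is the default that lets a version published minutes ago into the next update run, next to one that enforces the 7-day minimum package age. The `cooldown` keys (`default-days`, `semver-major-days`, `semver-minor-days`, `semver-patch-days`, `include`, `exclude`) are the ones from the Dependabot options reference linked above; the ecosystem, directory and the `serde*` pattern are placeholder values chosen for the example.

```yaml
version: 2
updates:
  # Before: weekly Cargo updates with no cooldown. Any release that exists at
  # run time is eligible, including one pushed an hour ago by a hijacked account.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"

  # After: same schedule, but a version must be at least `default-days` old
  # before Dependabot will open a PR for it. The per-semver overrides let you
  # wait longer on majors while still taking patches reasonably quickly; any
  # level you omit falls back to `default-days`.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      # Optional scoping (placeholder patterns): apply the cooldown only to
      # matching crates, or exempt specific ones from it.
      include:
        - "serde*"
      exclude:
        - "tokio"

  # GitHub Actions pins are updated by the same bot and have the same exposure
  # window, so the cooldown is worth setting there as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

Note that the cooldown delays the update PR but does not retroactively close one that was already opened before the setting was added, and it only governs Dependabot; a developer running `cargo update` locally still gets the newest release, which is the gap the author refers to with "my local dev machine security".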