From ffd0b4c07958548844291d58e603e9b6d72f8b76 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:45:28 +0000 Subject: [PATCH] Add a 14-day cooldown for dependency updates (#19258) --- .github/dependabot.yml | 16 ++++++++++++++++ changelog.d/19258.misc | 1 + 2 files changed, 17 insertions(+) create mode 100644 changelog.d/19258.misc diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7ce353ed64..34484438c8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,19 +5,35 @@ updates: directory: "/" schedule: interval: "weekly" + # Prevent pulling packages that were recently updated to help mitigate + # supply chain attacks. 14 days was taken from the recommendation at + # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns + # where the author noted that 9/10 attacks would have been mitigated by a + # two week cooldown. + # + # The cooldown only applies to general updates; security updates will still + # be pulled in as soon as possible. + cooldown: + default-days: 14 - package-ecosystem: "docker" directory: "/docker" schedule: interval: "weekly" + cooldown: + default-days: 14 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 14 - package-ecosystem: "cargo" directory: "/" versioning-strategy: "lockfile-only" schedule: interval: "weekly" + cooldown: + default-days: 14 diff --git a/changelog.d/19258.misc b/changelog.d/19258.misc new file mode 100644 index 0000000000..9155f9d20f --- /dev/null +++ b/changelog.d/19258.misc @@ -0,0 +1 @@ +Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks. \ No newline at end of file
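Review bot: The `cooldown` added to the `github-actions` stanza only delays Dependabot's own version-bump PRs; it gives no protection for a workflow that references an action by a mutable tag or branch, because that ref can be re-pointed to new code upstream without a release for the cooldown to wait on. Whether the workflows in this repository pin actions by commit SHA is not visible from this hunk, so this is an assumption to confirm; if any do not, SHA pinning remains the control that covers that case, and a short comment such as `# Cooldown only covers version bumps; actions must still be pinned by SHA.` on that stanza would keep the next reader from over-trusting the setting. The first stanza's comment correctly notes that security updates bypass the cooldown, but that also means an advisory-driven PR can pull in a version published minutes earlier, so those PRs need the scrutiny the cooldown was meant to provide for the rest. The first stanza's `package-ecosystem` line sits above the hunk, so the ecosystem it applies to is not visible here.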