[security] Add a cooldown period to dependabot (GH-141866)

See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns and the description in the comment.

Author: gpshead

.github/dependabot.yml

@@ -12,10 +12,17 @@ updates:
         update-types:
           - "version-update:semver-minor"
           - "version-update:semver-patch"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"
     schedule:
       interval: "monthly"
     labels:
       - "skip issue"
       - "skip news"
+    cooldown:
+      default-days: 14