From 6c4545daccbcba132d88e1eee529f5267635573c Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Sat, 22 Nov 2025 18:27:35 -0800
Subject: [PATCH 1/3] [security] Add a cooldown period to dependabot

https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
---
 .github/dependabot.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c8a3165d690364..486d8fa254ef24 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,9 @@ updates:
         update-types:
           - "version-update:semver-minor"
           - "version-update:semver-patch"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      - default-days: "14"
   - package-ecosystem: "pip"
     directory: "/Tools/"
     schedule:
@@ -19,3 +22,5 @@ updates:
     labels:
       - "skip issue"
       - "skip news"
+    cooldown:
+      - default-days: "14"

From d99792302a4427d4e651da8834c448343cee648e Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Sun, 23 Nov 2025 02:40:19 +0000
Subject: [PATCH 2/3] old-man-yells-at-yaml

---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 486d8fa254ef24..fd5894cda98e80 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,7 +14,7 @@ updates:
           - "version-update:semver-patch"
     cooldown:
       # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
-      - default-days: "14"
+      default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"
     schedule:
@@ -23,4 +23,4 @@ updates:
       - "skip issue"
       - "skip news"
     cooldown:
-      - default-days: "14"
+      default-days: 14

From 4904a6ec2c5ad96afb57ef1208cc0ec0ca4e3f46 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Sun, 23 Nov 2025 02:44:13 +0000
Subject: [PATCH 3/3] add direct description to not rely on blog

---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
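Review bot: The `default-days: 14` on the github-actions block sits directly under `update-types` entries that appear to be an `ignore` rule for semver-minor and semver-patch, so in this stanza the cooldown only ever delays major action bumps; that is worth saying next to the value so the 14 days is not later read as covering every action update. The cooldown is also purely window-based: Dependabot measures it from the version's publication date, so a malicious version that has already been public for 14 days when it is first seen is proposed without delay. Pinning actions to full commit SHAs remains the primary control, and whether the workflows do that is not visible from this file. Consider `# only semver-major bumps reach this block (minor/patch are ignored above); SHA-pinned workflows, not this delay, are the primary control` above `default-days`.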
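Review bot: The pip block's `cooldown` carries no rationale, unlike the github-actions block where a comment links the reasoning, so each ecosystem stanza should be self-explanatory: either duplicate a one-liner such as `# wait 14 days after a release before proposing it (see cooldown comment above)` or move the explanation to the top of the file. Unlike the first block, no `ignore` filter is visible in this hunk's context, so the cooldown here gates every update type for the `/Tools/` requirements and is the only thing between a freshly published release and a PR. Hash pinning of those requirements (pip `--require-hashes`) would be the stronger control against a tampered release; whether `/Tools/` already does that cannot be told from this diff, so confirm before relying on the delay alone.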
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fd5894cda98e80..7f3376f8ddb1e2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,6 +14,8 @@ updates:
           - "version-update:semver-patch"
     cooldown:
       # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
       default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"
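Review bot: The added comment names the window but not the mechanism or the limits, which is what a reader deciding whether to raise or lower the 14 days actually needs. Releases pushed from a compromised maintainer account or CI pipeline are typically noticed and yanked within days, so the delay gives that detection time to happen; it does nothing against a malicious version that went unnoticed for longer than the window, and, as I recall from the Dependabot docs, it applies to version updates only, with security-update PRs still opened immediately — verify that last point before depending on it. Suggested wording: `# Compromised-upstream releases are usually caught and yanked within days; waiting 14 days lets that happen before we propose the update. Applies to version updates only (security updates are not delayed).` The 14-day figure itself could also be tied to a one-line justification so it is not changed arbitrarily later.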