security: Delay dependabot updates [TAROT-3707] #125
7 days should be enough when most malicious packages are patched within 24 hours.
Up to standards ✅🟢
Pull Request Overview
The primary objective of this PR is to introduce a 7-day delay for Dependabot updates to mitigate the risk of malicious packages; however, the implementation uses a cooldown property which is not supported by the GitHub Dependabot schema.
As a result, the configuration will either be ignored or cause a validation error in the repository's Dependabot dashboard, leaving the security requirement unaddressed. Since GitHub does not natively support a 'cooldown' or 'stability' period, this PR cannot achieve its goal as currently written. This is a critical blocker that prevents the PR from meeting its acceptance criteria.
About this PR
- GitHub Dependabot does not currently support a native 'cooldown' or 'stability days' feature. Any attempt to use custom keys like `cooldown` or `default-days` will result in configuration errors. Systemic alternatives to achieve similar results (like delaying updates) are not natively available beyond adjusting the polling interval.
Test suggestions
- Validate .github/dependabot.yml against the official GitHub JSON schema.
- Verify that a NuGet package update published 3 days ago is not suggested by Dependabot.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Validate .github/dependabot.yml against the official GitHub JSON schema.
2. Verify that a NuGet package update published 3 days ago is not suggested by Dependabot.
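An added policy check (not the PR's or the project's code) covering the two test suggestions in the review above: it walks a parsed dependabot.yml, flags update blocks whose cooldown is shorter than the 7-day target, and answers whether a version published 3 days ago is still held back. It assumes the `cooldown` block with `default-days` / `semver-*-days` keys the review refers to; the sample config is constructed and shown already parsed (as `yaml.safe_load` would return it).

```python
from datetime import date, timedelta

# Constructed sample in the shape yaml.safe_load returns for dependabot.yml;
# it is not the PR's real .github/dependabot.yml.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "nuget", "directory": "/",
         "schedule": {"interval": "daily"},
         "cooldown": {"default-days": 7}},
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}},  # no cooldown at all
        {"package-ecosystem": "npm", "directory": "/web",
         "schedule": {"interval": "daily"},
         "cooldown": {"default-days": 7, "semver-patch-days": 1}},
    ],
}

POLICY_DAYS = 7
COOLDOWN_KEYS = ("default-days", "semver-major-days",
                 "semver-minor-days", "semver-patch-days")


def effective_cooldown_days(update):
    """Shortest wait any new version can get through this update block.

    No 'cooldown' block means 0: versions are offered as soon as they are
    published. A per-semver key below default-days shortens the wait for
    that release class, so the policy number is the minimum.
    """
    cooldown = update.get("cooldown") or {}
    days = [int(cooldown[k]) for k in COOLDOWN_KEYS if k in cooldown]
    return min(days) if days else 0


def policy_violations(config, required_days=POLICY_DAYS):
    """Name every update block whose cooldown is shorter than the policy."""
    problems = []
    for update in config.get("updates", []):
        got = effective_cooldown_days(update)
        if got < required_days:
            where = f'{update["package-ecosystem"]}:{update["directory"]}'
            problems.append(f"{where} cooldown {got}d < {required_days}d")
    return problems


def held_back(published_iso, today_iso, cooldown_days=POLICY_DAYS):
    """True if a version published on published_iso is still inside the window."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(published_iso)
    return age < timedelta(days=cooldown_days)
```

Run `policy_violations` against the real file after `yaml.safe_load` in CI so a block that silently drops its cooldown fails the build rather than quietly shortening the window.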