security: Delay dependabot updates [TAROT-3707] #1298
Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Codacy: Up to standards ✅🟢 (Issues)
Pull Request Overview
While Codacy indicates the PR is 'up to standards', the implementation fails to meet its primary security requirement. The use of an unsupported 'cooldown' key in the Dependabot configuration means the intended 7-day delay will not be applied, and the setting will likely be ignored by GitHub. This represents a complete gap in the implementation of the defined acceptance criteria and prevents the PR from achieving its goal of mitigating supply-chain risks.
About this PR
- The proposed configuration change is functionally a no-op because GitHub's Dependabot schema does not support a native cooldown or delay property. This systemic misunderstanding of the tool's capabilities must be addressed to achieve the security goal.
Test suggestions
- Verify dependabot.yml schema validity against GitHub's official specification.
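The review's test suggestion (verify what `dependabot.yml` actually declares) can be turned into a repository-side check. The following is an added example, not code from this PR or from Dependabot; it assumes the PR's intended shape, a top-level `updates` list whose entries carry `cooldown: {default-days: N}`, and only verifies what the file declares, not whether GitHub honours the key, which the review above disputes.

```python
"""Check that every Dependabot update block declares the intended cooldown.

Added example, not code from the PR. Assumes the configuration shape the PR
intends: a top-level `updates` list whose entries carry
`cooldown: {default-days: N}`. This verifies only what the repository
declares, so the delay cannot silently regress in a later edit.
"""

MIN_COOLDOWN_DAYS = 7  # the delay the PR title asks for

# Constructed stand-in for an already-parsed .github/dependabot.yml
# (a plain dict, so the check runs without PyYAML).
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/",
         "schedule": {"interval": "daily"},
         "cooldown": {"default-days": 7}},
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "weekly"},
         "cooldown": {"default-days": 3}},          # too short
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}},       # no cooldown at all
    ],
}


def cooldown_findings(config, min_days=MIN_COOLDOWN_DAYS):
    """Return one finding per update block that does not declare a cooldown
    of at least `min_days`. An empty list means every block is compliant."""
    findings = []
    for idx, block in enumerate(config.get("updates") or []):
        label = f"updates[{idx}] ({block.get('package-ecosystem', '?')})"
        cooldown = block.get("cooldown")
        if not isinstance(cooldown, dict):
            findings.append(f"{label}: no cooldown declared")
            continue
        days = cooldown.get("default-days")
        # bool is a subclass of int, so reject True/False explicitly
        if isinstance(days, bool) or not isinstance(days, int):
            findings.append(f"{label}: cooldown.default-days is not an integer")
        elif days < min_days:
            findings.append(f"{label}: cooldown.default-days={days} < {min_days}")
    return findings


if __name__ == "__main__":
    for line in cooldown_findings(SAMPLE_CONFIG) or ["all blocks declare the delay"]:
        print(line)
```

Wiring this into CI after a YAML load of the real file makes the acceptance criterion (a 7-day delay on every ecosystem) a failing check rather than a reviewer's reading of the diff.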