security: Delay dependabot updates [TAROT-3707]

[afsmeira]

7 days should be enough when most malicious packages are patched within 24 hours.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

This PR attempts to introduce a 7-day delay for Dependabot updates to mitigate the risk of malicious package versions. However, it uses the invalid cooldown property, which is not supported by GitHub Dependabot. As a result, the configuration will likely fail to load or the setting will be ignored, leaving the repository without the intended security control. This configuration error is a blocker for merging as it prevents the feature from functioning and may disable Dependabot updates entirely. While Codacy's automated checks did not flag this as an issue, the manual review confirms it violates the GitHub Dependabot schema.

About this PR

• The proposed implementation relies on non-existent syntax. GitHub Dependabot does not currently provide a native 'cooldown' or 'minimum release age' feature. The security concern regarding malicious packages is valid, but to achieve a delay, you must rely on the existing weekly schedule or manually ignore specific versions.

Test suggestions

• Verify dependabot.yml schema validity against GitHub's official specification.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify dependabot.yml schema validity against GitHub's official specification.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}