security: Delay dependabot updates [TAROT-3707]#51
7 days should be enough when most malicious packages are patched within 24 hours.
Pull Request Overview
This PR attempts to improve security by introducing a 7-day delay for npm updates to mitigate the risk of malicious packages. However, the implementation uses an unsupported configuration key 'cooldown'.
Because GitHub Dependabot does not natively support a 'cooldown' or 'delay' property, this configuration will cause a schema validation error, potentially disabling Dependabot updates for this repository. To achieve the intended 7-day delay, consider alternative approaches such as changing the schedule.interval to weekly or implementing a custom GitHub Action to manage the timing of Pull Request merging.
About this PR
- The proposed implementation relies on a 'cooldown' property that is not supported by GitHub Dependabot (version 2). This will likely result in the Dependabot service ignoring the file or failing to run entirely for the npm ecosystem.
Test suggestions
- Validate dependabot.yml against GitHub's official schema to ensure the 'cooldown' property is supported.
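The merge-timing check the review suggests as an alternative to a config-level delay, as an added example (not code from this PR or from Dependabot): it decides whether a published npm version is old enough to satisfy the proposed 7-day cooldown. It assumes the npm registry's per-version 'time' map as input; the sample registry data and the clock value are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

COOLDOWN_DAYS = 7  # the delay proposed in the PR

# Constructed sample of the "time" map an npm registry document carries
# (ISO 8601 publish timestamps keyed by version, plus created/modified).
SAMPLE_TIME_MAP: Dict[str, str] = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-10T12:00:00.000Z",
    "1.2.3": "2024-02-20T09:30:00.000Z",
    "1.2.4": "2024-03-10T12:00:00.000Z",
}

# Constructed "now" so the example is deterministic.
SAMPLE_NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)


def parse_npm_time(value: str) -> datetime:
    """Parse an npm registry timestamp (ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_age_days(time_map: Dict[str, str], version: str, now: datetime) -> Optional[float]:
    """Days since `version` was published, or None if the registry has no timestamp for it."""
    published = time_map.get(version)
    if published is None:
        return None
    return (now - parse_npm_time(published)) / timedelta(days=1)


def cooldown_elapsed(time_map: Dict[str, str], version: str, now: datetime,
                     cooldown_days: int = COOLDOWN_DAYS) -> bool:
    """True only when the version has been public for at least `cooldown_days`.

    A version missing from the time map fails closed (held, not merged):
    its publish age cannot be established, so it gets no cooldown credit.
    """
    age = version_age_days(time_map, version, now)
    return age is not None and age >= cooldown_days


if __name__ == "__main__":
    for v in ("1.2.3", "1.2.4", "9.9.9"):
        state = "mergeable" if cooldown_elapsed(SAMPLE_TIME_MAP, v, SAMPLE_NOW) else "held"
        print(f"{v}: {state}")
```

In a merge-gating Action the same function would run against the registry document for each version a Dependabot PR bumps, holding the PR until every bumped version clears the cooldown.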