security: Delay dependabot updates [TAROT-3707] #258
7 days should be enough when most malicious packages are patched within 24 hours.
Up to standards ✅🟢 Issues
Pull Request Overview
This PR fails to achieve its primary security objective of delaying NuGet updates by 7 days. All reviewers identified that the cooldown and default-days properties used in .github/dependabot.yml are not supported by the official GitHub Dependabot configuration schema. Consequently, this configuration will either be ignored or cause a validation error, preventing the intended security delay from being applied. This is a critical blocker as it leaves the repository without the intended protection against immediate malicious package updates.
About this PR
- The proposed configuration uses keys ('cooldown', 'default-days') that do not exist in the GitHub Dependabot v2 schema. Since Dependabot does not natively support delays based on package age, this PR will not function as intended.
Test suggestions
- Validate .github/dependabot.yml against the official GitHub schema to ensure 'cooldown' is a supported property.
- Verify that Dependabot successfully parses the configuration and waits 7 days after a package release before creating a PR.
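For readers following the discussion above, here is an added example (not the PR's own diff, which this page does not show) of a `.github/dependabot.yml` `updates` entry for NuGet that uses the `cooldown` block with `default-days` as documented in GitHub's Dependabot configuration options reference. The ecosystem, directory and schedule values are constructed for illustration; the reviewer's first test suggestion, validating the file against the published schema, is the way to confirm that the Dependabot version running on this repository accepts the block.

```yaml
# .github/dependabot.yml (constructed example)
version: 2
updates:
  - package-ecosystem: "nuget"      # ecosystem named in the review above
    directory: "/"                  # assumed location of the .csproj / .sln
    schedule:
      interval: "daily"             # how often Dependabot looks for new versions
    # Cooldown: a newly published version is not proposed until it has been
    # available for this many days, so a compromised release that is pulled or
    # patched quickly never reaches a PR in this repository.
    cooldown:
      default-days: 7               # the delay this PR argues for
```

The cooldown applies per package version: when a release that Dependabot skipped is superseded by a newer one, the clock restarts for the newer version, so the 7-day window is measured against the version actually being proposed, not the first release seen.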