diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..2ae0da5d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 14
+
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 14
diff --git a/.npmrc b/.npmrc
index 4bfc9cd9..7d0088da 100644
--- a/.npmrc
+++ b/.npmrc
@@ -12,3 +12,6 @@ public-hoist-pattern = []
 # structure. To work around this, hoist all postcss-* packages.
 # FIXME: Can't we do something equivalent at the project-level instead?
 public-hoist-pattern[] = postcss-*
+
+# Require package versions to be at least 14 days old before install.
+minimum-release-age = 20160
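Review bot: The new `.github/dependabot.yml` carries no comment explaining the two `cooldown: default-days: 14` entries or their link to the install-time guard added in `.npmrc`, so the two values can drift apart unnoticed. Dependabot's cooldown delays version updates only; security updates are not held back, so a security PR may propose a version younger than 14 days that the `.npmrc` age gate would, as far as I can tell, then refuse to resolve. I would add a header comment such as `# cooldown must match minimum-release-age in .npmrc (20160 min = 14 days); it does not delay security updates` and record how such a PR is meant to be merged.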
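Review bot: In `.npmrc` the added comment states the delay in days while the value `20160` is in minutes, so a later edit can easily get the unit wrong; I would write `# minimum-release-age is in minutes: 20160 = 14 * 24 * 60 (14 days).` The key is a pnpm setting (the file already uses `public-hoist-pattern`), and a package manager release that does not recognise it will presumably ignore it without an error. The guard therefore only protects installs if CI and developer machines run a pnpm version that supports it, which is worth confirming and pinning outside this hunk.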