From b7bd750ade19f84210ce89be438c52b8fd0beb73 Mon Sep 17 00:00:00 2001
From: picatz <14850816+picatz@users.noreply.github.com>
Date: Mon, 18 May 2026 12:03:55 -0400
Subject: [PATCH] VLN-1386: fix missing-dependency-cooldown
---
 .github/dependabot.yml | 15 +++++++++++++++
 .npmrc | 3 +++
 2 files changed, 18 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..2ae0da5d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 14
+
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 14
diff --git a/.npmrc b/.npmrc
index 4bfc9cd9..7d0088da 100644
--- a/.npmrc
+++ b/.npmrc
@@ -12,3 +12,6 @@ public-hoist-pattern = []
 # structure. To work around this, hoist all postcss-* packages.
 # FIXME: Can't we do something equivalent at the project-level instead?
 public-hoist-pattern[] = postcss-*
+
+# Require package versions to be at least 14 days old before install.
+minimum-release-age = 20160
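Review bot: Because `.github/dependabot.yml` is a new file, this hunk does more than add a cooldown: it turns on weekly Dependabot version-update PRs for both `npm` and `github-actions`, which is worth confirming as intended. The file would also benefit from a header comment giving the reason for the delay, e.g. `# cooldown: wait 14 days after release before proposing a version bump (keep in sync with minimum-release-age in .npmrc)`. As far as I know the cooldown applies to version updates only and Dependabot security updates are not delayed by it; saying so in the comment would stop a later reader from assuming fixes are held back for two weeks.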
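Review bot: The added `minimum-release-age = 20160` line only protects installs if the package manager actually recognises the key. It looks like a pnpm setting expressed in minutes, and clients that predate it would presumably ignore the line without any error, so the control fails open. Consider pinning the package-manager version the project requires (not visible in this hunk) and putting the unit in the comment: `# pnpm: value is in minutes, 14 * 24 * 60 = 20160`. It is also worth checking whether a freshly published security fix can still be installed inside the 14-day window, or whether an exception mechanism is needed for that case.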