chore: Add Dependabot version-update cooldown#1936

Open
ld-repository-standards[bot] wants to merge 1 commit into
mainfrom
ld-github-standards/add-dependabot-cooldown
Conversation

@ld-repository-standards ld-repository-standards Bot commented Jun 17, 2026

This pull request was auto-generated by the LaunchDarkly GitHub Standards automation platform.

  • Ensure every entry under updates in .github/dependabot.yml declares a cooldown of at least 7 days (default-days).
  • Add entries for detected package ecosystems that were not yet tracked by Dependabot.

Cooldown applies only to version updates; security updates bypass it, so critical CVE fixes are never delayed.

Ref: SEC-8058.


Note

Low Risk
CI-only configuration with no runtime or application code changes; only affects how dependency update PRs are opened.

Overview
Introduces .github/dependabot.yml to automate dependency maintenance across the monorepo.

Every updates entry uses a weekly schedule and a cooldown.default-days: 7 so version-update PRs are spaced out; security updates are unaffected by cooldown. Coverage includes github-actions at the repo root and npm for the root, apps/vscode, and each package under packages/* (box, button, components, core, drawer, dropdown, filter, focus-trap, form, icons, menu, modal, navigation, overlay, popover, portal, table, tokens, tooltip, vars).

Reviewed by Cursor Bugbot for commit ac8d54b. Bugbot is set up for automated code reviews on this repo.
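A small compliance check for the two rules in the description above (every `updates` entry must declare `cooldown.default-days` of at least 7, and detected ecosystems must all be tracked). This is an added example, not code from this PR or from the LaunchDarkly standards platform. The config and the "detected" list are constructed samples shaped like the dict `yaml.safe_load()` returns; PyYAML is not imported so the block runs offline, and the `missing_ecosystems` helper and its scanner input are assumptions about how such a check would be fed.

```python
"""Check Dependabot version-update cooldowns (added example, not the PR's code).

Rule 1: every entry under `updates` declares `cooldown.default-days` >= 7.
Rule 2: every (ecosystem, directory) detected in the tree is tracked.
"""

MIN_COOLDOWN_DAYS = 7

# Constructed sample resembling yaml.safe_load(".github/dependabot.yml"):
# two compliant entries, one with no cooldown, one with too short a cooldown.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "github-actions",
            "directory": "/",
            "schedule": {"interval": "weekly"},
            "cooldown": {"default-days": 7},
        },
        {
            "package-ecosystem": "npm",
            "directory": "/packages/button",
            "schedule": {"interval": "weekly"},
            "cooldown": {"default-days": 7},
        },
        {
            "package-ecosystem": "npm",
            "directory": "/apps/vscode",
            "schedule": {"interval": "weekly"},
            # no cooldown block at all
        },
        {
            "package-ecosystem": "npm",
            "directory": "/",
            "schedule": {"interval": "daily"},
            "cooldown": {"default-days": 3},  # below the 7-day floor
        },
    ],
}


def entry_label(entry):
    """Short human-readable name for an updates entry."""
    return f"{entry.get('package-ecosystem', '?')} @ {entry.get('directory', '?')}"


def check_cooldowns(config, min_days=MIN_COOLDOWN_DAYS):
    """Return a list of findings; an empty list means every entry complies."""
    findings = []
    if config.get("version") != 2:
        findings.append("top-level `version` must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        findings.append("no `updates` entries found")
        return findings
    for entry in updates:
        label = entry_label(entry)
        cooldown = entry.get("cooldown")
        if not isinstance(cooldown, dict):
            findings.append(f"{label}: missing `cooldown` block")
            continue
        days = cooldown.get("default-days")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(days, int) or isinstance(days, bool):
            findings.append(f"{label}: `cooldown.default-days` missing or not an integer")
        elif days < min_days:
            findings.append(f"{label}: `cooldown.default-days` is {days}, minimum is {min_days}")
    return findings


def missing_ecosystems(config, detected):
    """(ecosystem, directory) pairs present in `detected` but not tracked in the config.

    `detected` is assumed to come from a scan of the repository tree; here it is
    supplied as a constructed list.
    """
    tracked = {
        (e.get("package-ecosystem"), e.get("directory"))
        for e in config.get("updates", [])
    }
    return sorted(set(detected) - tracked)


if __name__ == "__main__":
    for finding in check_cooldowns(SAMPLE_CONFIG):
        print("FAIL:", finding)
    # Constructed scanner output: one package directory is not yet tracked.
    detected = [("github-actions", "/"), ("npm", "/"), ("npm", "/packages/button"), ("npm", "/packages/table")]
    for eco, directory in missing_ecosystems(SAMPLE_CONFIG, detected):
        print("UNTRACKED:", eco, directory)
```

Running the block reports the `/apps/vscode` entry as missing a cooldown, the root `npm` entry as below the floor, and `/packages/table` as untracked; a clean config yields no findings, which is the state the automation is meant to enforce.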

@ld-repository-standards ld-repository-standards Bot requested a review from a team as a code owner June 17, 2026 06:15
@ld-repository-standards ld-repository-standards Bot requested review from a team June 17, 2026 06:15
changeset-bot Bot commented Jun 17, 2026

⚠️ No Changeset found

Latest commit: ac8d54b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Comment thread .github/dependabot.yml
schedule:
interval: "weekly"
cooldown:
default-days: 7
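Review bot: the `cooldown` block here sets only `default-days: 7`, so major, minor and patch releases all wait the same week before a version-update PR is opened. Dependabot's cooldown also accepts `semver-major-days`, `semver-minor-days` and `semver-patch-days` alongside `default-days`; setting `semver-major-days` higher than the 7-day floor would give breaking releases more soak time while leaving the policy minimum untouched.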

Wrong Dependabot ecosystem for pnpm

Medium Severity

Every dependency update entry uses package-ecosystem: npm, but this monorepo installs and locks dependencies with pnpm (pnpm-lock.yaml, packageManager: pnpm@11.0.1, CI runs pnpm install). Dependabot’s npm updater targets package-lock.json, so version-update PRs are unlikely to refresh the lockfile the repo actually uses.


@nhironaka nhironaka requested a review from a team June 17, 2026 18:34