Dependabot allows you to specify a cooldown for new dependency versions. What this means is that if a new release is younger than the cooldown period, say, 7 days, then Dependabot won't pull it into your codebase until that period has passed.
This is an excellent way to mitigate supply chain attacks and other “whoops” moments with dependencies.
More often than not, you can cope with not getting the latest version of a dependency for a few days, and on the flip side, most issues, including supply chain attacks, get found and fixed within a handful of hours.
We can specify more information (see docs), including ignoring this rule for specific dependencies; however, I think for most needs, if you use something like the below:

cooldown:
  default-days: 7

we get extra safeguarding for free.
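For context on where that block lives, here is an added example of a complete .github/dependabot.yml (not from the original post) that applies a cooldown per ecosystem. The cooldown key names come from the Dependabot docs; the ecosystems, directories and the excluded package name are assumptions for illustration.

```yaml
# Added example: a full dependabot.yml with cooldown settings.
# Ecosystems, paths and package names below are assumptions, not from the post.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      # Hold every new release back for 7 days before Dependabot proposes it,
      # long enough for a compromised release to be noticed and pulled.
      default-days: 7
      # Major bumps need a closer look anyway, so give them a longer cooldown.
      semver-major-days: 14
      # Packages you publish yourself can skip the wait (hypothetical name).
      exclude:
        - "@our-org/internal-lib"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      # A shorter cooldown for actions, which change less often.
      default-days: 3
```

The cooldown block sits inside each `updates` entry, so different ecosystems can get different waiting periods.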