[CI] Dependabot: add a cooldown period for new releases

[jbampton]

Enforces security best practices by requiring a minimum age for new dependency releases before they are automatically updated by Dependabot.

This practice, known as a "cooldown period," helps mitigate supply chain attacks by allowing time for frequently published malicious packages to be identified.

refs apache/cloudstack#12384

Following this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a GitHub issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
• Format the pull request title like [#XXX] - Fixes bug in SessionManager,
  where you replace #XXX with the appropriate GitHub issue. Best practice
  is to use the GitHub issue title in the pull request title and in the first line of the commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• add fixes #XXX if merging the PR should close a related issue.
• Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
• Committers: Make sure a milestone is set on the PR
• Committers: Use "Squash and Merge" to combine all commits into one when merging a PR when appropriate.

Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
• In any other case, please file an Apache Individual Contributor License Agreement.

[lprimak]

I am not sure that Maven Central is susceptible to these kinds of attacks.
Maven Central scans for malware and has stricter criteria for publishing (domain ownership verification).

What do others think?

[boris-petrov]

I agree that this is not strictly needed as in the NPM ecosystem. In addition to what @lprimak mentioned as reasons, note that most exploits are done via NPM's pre-build scripts which is not a thing in the Java world - so such supply-chain attacks are much more difficult.

That's what I believe at least. Will be interested to hear opinions of others too.

[lprimak]

Loos like we have a consensus that cool-down period is not necessary for Apache Shiro