
re-enable dependabot with 14-day cooldown#4602

Closed
moezein0 wants to merge 1 commit intomainfrom
re-enable-dependabot-cooldown

Conversation

@moezein0
Contributor

Note

Merge only if this is still needed and your repo is not managed by ADMS.
If your repository is already managed by ADMS, feel free to close or ignore this PR.


We are adding a mandatory 14-day cooldown on dependencies to reduce the risk of zero-day vulnerabilities.

This PR re-enables your Dependabot configuration and introduces the cooldown setting. If you notice any other Dependabot configurations in your repo that are missing the cooldown, please ensure it is added.

If your repository is already managed by ADMS and no longer requires these configurations, feel free to close or ignore the PR.

Rename .disabled configs back and add cooldown: default-days: 14

Signed-off-by: Moe Zein <moe.zein@datadoghq.com>
@moezein0 moezein0 requested a review from a team as a code owner March 25, 2026 22:42
@moezein0 moezein0 force-pushed the re-enable-dependabot-cooldown branch from 176e27f to bb2dcf8 on March 25, 2026 22:42
@datadog-prod-us1-6

datadog-prod-us1-6 bot commented Mar 25, 2026

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 59.99% (+3.98%)


@codecov

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.71%. Comparing base (ee1fdc0) to head (bb2dcf8).


@pr-commenter

pr-commenter bot commented Mar 25, 2026

Benchmarks

Benchmark execution time: 2026-03-25 23:09:08

Comparing candidate commit bb2dcf8 in PR branch re-enable-dependabot-cooldown with baseline commit ee1fdc0 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 216 metrics, 8 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@moezein0
Contributor Author

Closing this PR due to a script bug that caused YAML reformatting issues. Specifically, yaml.dump() was used to serialize the config after adding the cooldown block — this stripped quotes from string values, meaning time values like "09:00" became unquoted and can be coerced to a number (e.g., 32400) by Dependabot's YAML parser, potentially breaking the schedule. A corrected PR will follow shortly that only appends the cooldown block and preserves all original formatting exactly.
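As an added example (not code from this PR, from the script it mentions, or from Dependabot), the Ruby snippet below reproduces the coercion described in the comment above with Psych, Ruby's YAML 1.1 parser (assumed here to behave like Dependabot's parser), provides a check that lists unquoted values a YAML 1.1 parser would turn into base-60 integers, and appends the cooldown block as text so the original lines are left untouched. The dependabot.yml fragment is constructed; the `cooldown` / `default-days` keys come from the commit message above.

```ruby
require 'yaml'

# Constructed dependabot.yml fragment, quoted the way the repo's original file was.
ORIGINAL = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "gomod"
      directory: "/"
      schedule:
        interval: "daily"
        time: "09:00"
YAML

# Simulates what the load-then-yaml.dump() round trip produced: same data, quotes gone.
ROUNDTRIPPED = ORIGINAL.gsub('"', '')

# Psych (Ruby's YAML 1.1 parser, assumed here to behave like Dependabot's) reads an
# unquoted 09:00 as a sexagesimal integer: 9 * 3600 + 0 = 32400.
def parsed_time(yaml_text)
  YAML.safe_load(yaml_text)['updates'][0]['schedule']['time']
end

# Pre-commit check: list unquoted values that YAML 1.1 would turn into base-60 integers.
# Returns [[line_number, key, value_as_parsed], ...]; an empty array means the file is safe.
SEXAGESIMAL = /\A[-+]?[0-9][0-9_]*(:[0-5]?[0-9]){1,2}\z/
def sexagesimal_hazards(yaml_text)
  yaml_text.each_line.with_index(1).filter_map do |line, no|
    m = line.match(/\A\s*([\w-]+):\s+(\S.*?)\s*$/) or next
    key, value = m[1], m[2]
    next if value.start_with?('"', "'") || !value.match?(SEXAGESIMAL)
    [no, key, YAML.safe_load(value)]
  end
end

# The fix the closing comment describes: insert the cooldown block as text under each
# update entry and leave every original line byte-for-byte intact (no re-serialising).
def add_cooldown(yaml_text, days)
  days = Integer(days)
  yaml_text.each_line.map do |line|
    m = line.match(/\A(\s*)- package-ecosystem:/)
    next line unless m
    key_indent = m[1] + '  '
    line + "#{key_indent}cooldown:\n#{key_indent}  default-days: #{days}\n"
  end.join
end
```

Running `sexagesimal_hazards` over a generated config before committing it catches the quote loss that closed this PR; `add_cooldown` handles configs with several update entries, inserting one block per entry.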

@moezein0 moezein0 closed this Mar 26, 2026
@darccio
Member

darccio commented Mar 26, 2026

@moezein0 We took the opportunity to implement a better approach for us in #4595. If we can be spared re-enabling Dependabot, we'll be fine with it 😁 We might re-enable it for GitHub Actions. Should we apply the same cooldown?

@moezein0
Contributor Author

@darccio there is an ongoing conversation on whether cooldowns should truly be 14 days, due to concerns about vuln remediation in GovCloud. Will make another #eng-announcement based on the decision made on cooldowns. Sounds good on Dependabot, won't re-enable it :)

@moezein0
Contributor Author

@darccio wanted to update you here. Made an eng-announcement on it, the cooldown will be 48hr instead.

@darccio
Member

darccio commented Mar 26, 2026

@moezein0 Thanks! We'll apply the cooldown for bumping GH actions.
