diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e2d9e04..cbd320e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,10 @@ updates:
 # Only allow @types/node updates that match the Node.js major version (24.x)
 - dependency-name: "@types/node"
 update-types: ["version-update:semver-major"]
+ # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+ # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 10
 # GitHub Actions
@@ -31,4 +35,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "monday"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 518e6f1..a3f3375 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -83,6 +83,7 @@ allowBuilds:
 protobufjs: true
 ssh2: true
+minimumReleaseAge: 10080
 minimumReleaseAgeStrict: true
 # First-party btravstack packages — the maturity delay guards against
 # third-party supply-chain risk, which does not apply to our own org's libraries.
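Review bot: The comment on the new `cooldown` block in `.github/dependabot.yml` (first hunk, npm entry) says it mirrors pnpm's `minimumReleaseAge`, but two differences are not recorded. Dependabot applies `cooldown` to version updates only, so security updates are still proposed immediately, and the context in the `pnpm-workspace.yaml` hunk shows first-party btravstack packages are exempt from the pnpm delay while this block has no `exclude` list. I would add `exclude: ["<first-party-scope>/*"]` under `cooldown` (placeholder; reuse the patterns from the pnpm exclusion) and extend the comment with `# Version updates only; security updates bypass the cooldown.` The security-update caveat applies equally to the GitHub Actions `cooldown` in the second hunk. The enclosing update entry starts above the hunk, so the nesting level of `cooldown` cannot be confirmed from here.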
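Review bot: The second `cooldown` block in `.github/dependabot.yml` (GitHub Actions entry, hunk `@@ -31,4 +35,6 @@`) has no comment, unlike the npm one, and its `7` is a second copy of the same policy value. A one-line comment such as `# Same 7-day delay as the npm entry; keep both in step with minimumReleaseAge in pnpm-workspace.yaml.` would keep the three settings from drifting apart. The cooldown only delays when Dependabot proposes a newer action version. Whether workflows reference actions by tag or by commit SHA is outside this diff, and that choice decides what runs in the meantime. The update entry begins above the hunk.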
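Review bot: `minimumReleaseAge: 10080` in `pnpm-workspace.yaml` carries no unit and no pointer to the Dependabot setting it is paired with. pnpm reads this value in minutes, so 10080 is 7 days and matches `default-days: 7`. A comment above the line such as `# 10080 minutes = 7 days; keep in sync with cooldown.default-days in .github/dependabot.yml` makes that checkable at a glance. The exclusion that the trailing first-party comment introduces continues past the end of the hunk, so which packages skip the delay is not visible here.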