diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2223f08..e5a1359 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,10 @@ updates:
 # Only allow @types/node patch/minor updates (block major version bumps)
 - dependency-name: "@types/node"
 update-types: ["version-update:semver-major"]
+ # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+ # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 10
 # GitHub Actions
@@ -28,4 +32,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "monday"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 0dd8404..807755c 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -43,6 +43,13 @@ allowBuilds:
 esbuild: true
 lefthook: true
+# Supply-chain maturity delay: don't adopt a freshly published version until it
+# has been on the registry for 7 days (10080 minutes). Strict mode also validates
+# the committed lockfile against this cutoff, so a same-day-published transitive
+# dep fails the check instead of slipping in silently.
+minimumReleaseAge: 10080
+minimumReleaseAgeStrict: true
+
 auditConfig:
 ignoreGhsas:
 # vite `server.fs.deny` bypass on Windows alternate paths. Reaches us only
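Review bot: The npm `cooldown` block only approximately mirrors pnpm's gate: Dependabot counts `default-days` in whole days from the publish timestamp while pnpm enforces 10080 minutes, so a version Dependabot proposes right at the 7-day boundary can still be under the pnpm cutoff and, with `minimumReleaseAgeStrict` on, fail `pnpm install` on that PR until it ages — either set `default-days: 8` or document the expected transient failure. The comment should also name the value it must stay in sync with, e.g. `# Keep in sync with minimumReleaseAge in pnpm-workspace.yaml (10080 min = 7 days).` As far as I recall Dependabot's cooldown governs version updates only and not security-update PRs; confirm that against the current docs and state it in the comment so nobody assumes CVE fixes are held back too. From the flattened diff I cannot tell whether `cooldown:` sits at the update-entry level or is nested under the last `ignore` item; it must be the former, as a sibling of `open-pull-requests-limit`.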
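Review bot: A 7-day `cooldown` on the github-actions ecosystem is only a meaningful supply-chain delay if the workflows it updates pin actions to full-length commit SHAs; Dependabot measures the age of a release or tag, and a tag can be re-pointed at any time after the window, so tag-pinned references gain nothing from the wait. I cannot see the workflow files in this diff, so if they still reference `@v4`-style tags, migrate them to SHA pins (Dependabot keeps the trailing version comment current) before relying on this setting. A one-line comment would make the intent explicit: `# Delay action updates 7 days; only effective alongside SHA-pinned action refs.`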
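Review bot: `minimumReleaseAgeStrict: true` applies the age check to versions already recorded in the lockfile, which also means a first-party or same-org package this repo needs to consume on release day cannot be installed for a week; if that applies, add the package names under `minimumReleaseAgeExclude:` (pnpm documents an exclusion list alongside `minimumReleaseAge`) rather than leaving people to reach for ad-hoc `--config` overrides. The gate depends on the registry serving publish timestamps in the packument `time` field; if installs go through a private proxy or mirror that strips or omits that metadata, confirm whether pnpm rejects or waves such packages through before treating this as enforced. The comment's claim that strict mode "validates the committed lockfile against this cutoff" should be checked against the documented semantics of `minimumReleaseAgeStrict` for the pnpm version this repo pins, since a CI run on a merge at the edge of the window is where a surprise failure would first surface.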