add direct description to not rely on blog

Author: gpshead

.github/dependabot.yml

@@ -14,6 +14,8 @@ updates:
           - "version-update:semver-patch"
     cooldown:
       # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
       default-days: 14
   - package-ecosystem: "pip"
     directory: "/Tools/"