The cooldown setting in Dependabot solves this attack vector. By setting it, you give security vendors time to scan new packages.
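For reference, the setting being discussed lives in `.github/dependabot.yml`. The fragment below is an added example, not taken from the comment above or from any particular project; the day counts, the ecosystem and the package names are illustrative choices, not recommendations from GitHub.

```yaml
# .github/dependabot.yml (example configuration, values are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Cooldown delays a version update until the new release has been
    # public for the given number of days, so a freshly pushed malicious
    # version is not pulled in before scanners and the community have
    # had a look at it.
    cooldown:
      default-days: 7          # applies to anything not matched below
      semver-major-days: 14    # major bumps get the longest wait
      semver-minor-days: 7
      semver-patch-days: 3     # patch releases are picked up soonest
      include:
        - "*"                  # cooldown applies to every dependency...
      exclude:
        - "@myorg/*"           # ...except the org's own packages (assumed name)
```

Two caveats worth keeping in mind: the cooldown only changes when Dependabot proposes an update, it does nothing for a developer who runs `npm install some-package@latest` by hand or for a lockfile that already floats to the newest version, and an attacker who is patient can simply wait out the window. Pair it with a pinned lockfile, a registry or proxy that enforces the same minimum-age rule for manual installs, and whatever scanner you are relying on actually being wired up to flag the package before the window closes.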