Dependabot updates default to three-day cooldown
GitHub's Dependabot version updates now implement a default three-day cooldown period before opening pull requests for newly released packages. This security feature aims to prevent compromised or buggy releases from entering dependency trees, while security updates remain immediate and users can customize the window.
This is a highly practical default shift that prioritizes supply chain security over bleeding-edge dependency updates.
* **Proactive Security Gate:** Delaying minor and major version updates by three days provides a critical window for malicious packages or accidental bugs to be detected and retracted before they impact downstream repositories.
* **Excluding Security Patches:** Critical security updates will continue to be opened immediately to ensure active vulnerabilities are addressed without delay.
* **Granular Customization:** Organizations can still configure or bypass this cooldown window using the `cooldown` parameter in their `.github/dependabot.yml` configuration files.
DISCOVERED
2h ago
2026-07-15
PUBLISHED
5h ago
2026-07-14
RELEVANCE
AUTHOR
woodruffw