Dependabot version updates introduce default package cooldown

woodruffw2 pts0 comments

Dependabot version updates introduce default package cooldown - GitHub Changelog

Try GitHub Copilot CLI

Attend GitHub Universe

Search

Back to changelog

Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request. This cooldown is now the default and requires no configuration.

New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency updates before maintainers and the community have caught it. A short delay gives that signal time to surface, so you are less likely to merge a bad release the moment it ships.

A few things to know:

The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed.

You stay in control. Use the cooldown option in your .github/dependabot.yml to set a different window or opt out entirely.

This default applies to Dependabot version updates across all supported ecosystems on github.com and will take effect in GitHub Enterprise Server (GHES) 3.23.

Learn more in our docs about Dependabot cooldowns.

Related Posts

Jul.08 Release

Innersource security advisories are generally available

supply chain security

Jul.08 Retired

npm install-time security and GAT bypass2fa deprecation

supply chain security

Jun.30 Release

Open source license compliance is in public preview

supply chain security

Jun.30 Improvement

Dependabot no longer infers .npmrc

supply chain security

Jun.30 Improvement

Upcoming cloud data retention policy for closed security alerts

application security<br>supply chain security

...<br>+1

Jun.26 Improvement

Read-only Actions cache for untrusted triggers

actions<br>supply chain security

...<br>+1

Jun.25 Improvement

npm adds preventive account protection for high-impact accounts

supply chain security

Jun.23 Retired

Deprecation of Python 3.9 for Dependabot

supply chain security

Jun.18 Release

Safer pull_request_target defaults for GitHub Actions checkout

actions<br>supply chain security

...<br>+1

Subscribe to our developer newsletter

Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.

Enter your email*

Subscribe

By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.

Back to top

&copy; 2026 GitHub, Inc.

Terms

Privacy

Manage Cookies

Do not share my personal information

LinkedIn icon

GitHub on LinkedIn

Instagram icon

GitHub on Instagram

YouTube icon

GitHub on YouTube

X icon

GitHub on X

TikTok icon

GitHub on TikTok

Twitch icon

GitHub on Twitch

GitHub icon

GitHub’s organization on GitHub

github security supply chain dependabot icon

Related Articles