Dependabot version updates introduce default package cooldown - GitHub Changelog
Try GitHub Copilot CLI
Attend GitHub Universe
Search
Back to changelog
Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request. This cooldown is now the default and requires no configuration.
New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency updates before maintainers and the community have caught it. A short delay gives that signal time to surface, so you are less likely to merge a bad release the moment it ships.
A few things to know:
The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed.
You stay in control. Use the cooldown option in your .github/dependabot.yml to set a different window or opt out entirely.
This default applies to Dependabot version updates across all supported ecosystems on github.com and will take effect in GitHub Enterprise Server (GHES) 3.23.
Learn more in our docs about Dependabot cooldowns.
Related Posts
Jul.08 Release
Innersource security advisories are generally available
supply chain security
Jul.08 Retired
npm install-time security and GAT bypass2fa deprecation
supply chain security
Jun.30 Release
Open source license compliance is in public preview
supply chain security
Jun.30 Improvement
Dependabot no longer infers .npmrc
supply chain security
Jun.30 Improvement
Upcoming cloud data retention policy for closed security alerts
application security<br>supply chain security
...<br>+1
Jun.26 Improvement
Read-only Actions cache for untrusted triggers
actions<br>supply chain security
...<br>+1
Jun.25 Improvement
npm adds preventive account protection for high-impact accounts
supply chain security
Jun.23 Retired
Deprecation of Python 3.9 for Dependabot
supply chain security
Jun.18 Release
Safer pull_request_target defaults for GitHub Actions checkout
actions<br>supply chain security
...<br>+1
Subscribe to our developer newsletter
Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.
Enter your email*
Subscribe
By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.
Back to top
© 2026 GitHub, Inc.
Terms
Privacy
Manage Cookies
Do not share my personal information
LinkedIn icon
GitHub on LinkedIn
Instagram icon
GitHub on Instagram
YouTube icon
GitHub on YouTube
X icon
GitHub on X
TikTok icon
GitHub on TikTok
Twitch icon
GitHub on Twitch
GitHub icon
GitHub’s organization on GitHub