Dependabot adds default cooldown for version updates
Dependabot now defaults to a three-day cooldown period before opening pull requests for new package versions, helping to mitigate supply chain attacks. This change is automatically enabled for all users on GitHub.com and will be available in GHES 3.23. Users can customize or disable this cooldown via their dependabot.yml configuration.
- →Dependabot defaults to a three-day package release cooldown
- →Cooldown applies to version updates, not security fixes
- →User control over cooldown settings
- →Availability in GitHub Enterprise Server
Features (1) ›
- Dependabot defaults to a three-day package release cooldown
Dependabot version updates will now wait three days after a new release is available before opening a pull request. This aims to reduce the risk of merging compromised or broken package versions by allowing time for community detection of issues.
Enhancements (1) ›
- User control over cooldown settings
Users can customize the cooldown window or opt out entirely by configuring the 'cooldown' option in their .github/dependabot.yml file. This default setting is now active for Dependabot version updates across all supported ecosystems on GitHub.com.
Notes (2) ›
- Cooldown applies to version updates, not security fixes
The default cooldown period only affects version updates. Security updates will continue to be opened immediately to ensure critical fixes are applied without delay.
- Availability in GitHub Enterprise Server
This new default cooldown feature will be included in GitHub Enterprise Server (GHES) version 3.23.
https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown
Related releases
- GitHub Code Scanning adds AI security detections to PRs GitHub Changelog ·
- GitHub Agentic Autofix for Code Scanning Alerts in Public Preview GitHub Changelog ·
- GitHub Copilot app adds security reviews in public preview GitHub Changelog ·
- GitHub Code Quality license estimate in public preview GitHub Changelog ·
- GitHub Settings: Separate SSO and Organizations pages GitHub Changelog ·
- CodeQL 2.26.0 adds Kotlin support, AI prompt injection detection GitHub Changelog ·