github GitHub Changelog ·

Dependabot adds default cooldown for version updates

securityengineer
feature security

Dependabot now defaults to a three-day cooldown period before opening pull requests for new package versions, helping to mitigate supply chain attacks. This change is automatically enabled for all users on GitHub.com and will be available in GHES 3.23. Users can customize or disable this cooldown via their dependabot.yml configuration.

  • Dependabot defaults to a three-day package release cooldown
  • Cooldown applies to version updates, not security fixes
  • User control over cooldown settings
  • Availability in GitHub Enterprise Server
Features (1)
  • Dependabot defaults to a three-day package release cooldown

    Dependabot version updates will now wait three days after a new release is available before opening a pull request. This aims to reduce the risk of merging compromised or broken package versions by allowing time for community detection of issues.

Enhancements (1)
  • User control over cooldown settings

    Users can customize the cooldown window or opt out entirely by configuring the 'cooldown' option in their .github/dependabot.yml file. This default setting is now active for Dependabot version updates across all supported ecosystems on GitHub.com.

Notes (2)
  • Cooldown applies to version updates, not security fixes

    The default cooldown period only affects version updates. Security updates will continue to be opened immediately to ensure critical fixes are applied without delay.

  • Availability in GitHub Enterprise Server

    This new default cooldown feature will be included in GitHub Enterprise Server (GHES) version 3.23.

Read the original announcement →

https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown

Related releases