Dependabot Adds Default Three-Day Cooldown for Version Updates

Dependabot version updates introduce default package cooldown

25woodruffw💬 4
Dependabot Adds Default Three-Day Cooldown for Version Updates

We are introducing a default three-day cooldown for Dependabot version updates to help prevent supply chain attacks. This delay allows time for the community to identify compromised releases before they reach your projects. Critical security updates remain immediate, and you can easily customize or disable this setting in your configuration file to maintain full control.

"New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency updates before maintainers and the community have caught it."

More from this day · 2026-07-14