🛠️

Use Dependabot's default cooldown before merging fresh package releases

GitHub now waits three days before opening Dependabot version-update pull requests, reducing exposure to compromised or broken package releases.

Original
Jul 14, 2026
Status & Access
Current access and latest update details.
Access
Free
Updated
Jul 14, 2026, 07:08 PM

GitHub has changed Dependabot version updates so new package releases must sit in the registry for at least three days before Dependabot opens a version-update pull request. Security updates still open immediately.

Use this as a low-friction supply-chain safety check. The default gives maintainers and the wider ecosystem time to flag compromised, yanked, or broken releases before they land in routine dependency-update PRs.

What to do

  • Leave the new default in place for most repositories.
  • Keep security updates immediate; the cooldown applies to version updates, not urgent security fixes.
  • Override the window in .github/dependabot.yml only when your release process has a clear reason.
  • Watch high-risk ecosystems or critical services for packages that should use a longer cooldown.

Best fit

Repository typeSuggested moveCaveat
Standard app reposKeep the three-day defaultReview lockfile-only bumps before merge
Security-sensitive servicesConsider a longer cooldown for non-security updatesDo not delay patched security advisories
Fast-moving librariesTune per ecosystem in dependabot.ymlDocument why the shorter window is acceptable
Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in Tools & Apps