Topic

#dependency-management

Loot, blog posts and adjacent themes connected to this topic. Follow the tag to keep it in your orbit.

#dependency-management
Loot

More from this topic

Explore all loot

Use Dependabot's default cooldown before merging fresh package releases

0
#github#dependabot#supply-chain-security#developer-tools#dependency-management
GitHub now waits three days before opening Dependabot version-update pull requests, reducing exposure to compromised or broken package releases. GitHub has changed Dependabot version updates so new package releases must sit in the registry for at least three days before Dependabot opens a version-update pull request. Security updates still open immediately. Use this as a low-friction supply-chain safety check. The default gives maintainers and the wider ecosystem time to flag compromised, yanked, or broken releases before they land in routine dependency-update PRs. What to do Leave the new default in place for most repositories. Keep security updates immediate; the cooldown applies to version updates, not urgent security fixes. Override the window in .github/dependabot.yml only when your release process has a clear reason. Watch high-risk ecosystems or critical services for packages that should use a longer cooldown. Best fit Repository type Suggested move Caveat --- --- --- Standard app repos Keep the three-day default Review lockfile-only bumps before merge Security-sensitive services Consider a longer cooldown for non-security updates Do not delay patched security advisories Fast-moving libraries Tune per ecosystem in dependabot.yml Document why the shorter window is acceptable
View
Free
Open
Blog

Related reads

Browse blog
No blog posts for #dependency-management yet

There is no published article with this tag right now. Browse the blog for adjacent themes or follow the tag for future updates.