HeadlinesBriefing favicon HeadlinesBriefing.com

Dependabot Adds Default Package Cooldown

Hacker News •
×

Dependabot version updates now include a default cooldown period of three days before opening a pull request. This new default aims to mitigate supply chain attacks by allowing time for new releases to be scrutinized by the community before potentially being merged.

New releases are a common vector for compromised or flawed versions to enter dependency updates. The brief delay helps surface any issues, reducing the likelihood of merging a problematic release immediately after it ships. This default setting applies exclusively to version updates; security updates will continue to be opened immediately to ensure critical fixes are not delayed.

Users retain control over this setting. The cooldown option can be adjusted or disabled entirely within the `.github/dependabot.yml` configuration file. This default behavior will be implemented for Dependabot version updates across all supported ecosystems on GitHub.com and will be included in GitHub Enterprise Server (GHES) 3.23.