GitHub Adds 3-Day Cooldown to Dependabot Before Opening Update Pull Requests
GitHub announced on July 14, 2026 that Dependabot will now wait at least three days after a package release is published before automatically opening a version-update pull request. The cooldown is enabled by default and requires no manual configuration across repositories. The delay is intended to allow time for broken or compromised releases to be identified before adoption, though it may also postpone urgent compatibility or security fixes. Experts note the cooldown is a baseline measure and does not replace lockfiles, CI pipelines, provenance checks, or rollback strategies. Teams are advised to document exceptions with clear evidence and treat any overrides as reviewable policy rather than ad hoc configuration changes.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in