GitHub gives Dependabot a 3-day default cooldown before opening version-update PRs
GitHub updated Dependabot on July 14, 2026, so that version-update pull requests are only opened after a package has been available on its registry for at least three days. The change is enabled by default across all supported ecosystems on github.com and will also apply to GitHub Enterprise Server starting with GHES 3.23. The rationale is to give the security community time to detect malicious or compromised releases before they are automatically pulled into build pipelines. Security-related updates are exempt from the cooldown and will still trigger pull requests immediately upon discovery. Developers can customize the waiting period in their dependabot.yml file, including setting it to zero to restore the previous always-fresh behavior.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in