← Retour au blog
tech 15 July 2026

Dependabot Version Updates: Introducing Default Package Cooldown

GitHub introduces a three-day cooldown period for version updates via Dependabot, a strategy to bolster software supply chain security.

Article inspired by the original source
Dependabot version updates introduce default package cooldown ↗ github.blog

Introduction

Security in software development has become a top priority, and rightly so. Supply chain attacks are on the rise, and each new package update represents a potential vulnerability. To counter this risk, GitHub has decided to introduce a default three-day 'cooldown' period for version updates via Dependabot.

Why a Three-Day Cooldown?

The idea behind this cooldown is simple yet effective. When a new version of a package is released, it is immediately available for updates. However, these new versions can introduce bugs or, worse, be compromised. The three-day delay allows the community and maintainers to detect and report any potential issues before the update is merged into your project.

Data on Supply Chain Attacks

In 2023, supply chain attacks increased by 42% according to a report by Sonatype. Cybercriminals are increasingly targeting new packages or version updates to introduce malicious code.

How Dependabot's Cooldown Works

Now, when Dependabot detects a new version, it waits three days before creating a pull request for the update. This requires no configuration on your part. However, GitHub offers the flexibility to modify or disable this delay via the .github/dependabot.yml file if needed.

Exceptions for Security Updates

It is important to note that security updates are not affected by this delay. Critical fixes are opened immediately to ensure vulnerabilities are addressed without delay.

Use Cases and Feedback

Consider a tech company that extensively uses open-source packages. Since the implementation of this cooldown, they have been able to avoid incorporating a package version that contained a critical bug not detected during its initial release. This delay saved them hours of troubleshooting and fixing.

Adoption Statistics

Since its introduction, more than 60% of projects using Dependabot have adopted the default cooldown, according to internal GitHub statistics. This shows rapid adoption and recognition of the usefulness of this measure.

Conclusion

Dependabot's default cooldown is a welcome initiative to enhance software supply chain security. By adding an extra layer of security, developers and decision-makers can focus on innovation while minimizing risks.

Let's discuss your project in 15 minutes.

Dependabot GitHub supply chain security package management cooldown period
Deepthix newsletter · 100% AI · every Monday 8am

An AI agent reads tech for you.

Our AI agent scans ~200 sources per week and ships the best articles to your inbox Monday 8am. Free. One click to unsubscribe.

Visit the newsletter page →

Want to automate your operations?

Let's talk about your project in 15 minutes.

Book a call