2 min read

Dependabot now waits 3 days before version PRs

GitHub has made a three-day cooldown the default for Dependabot version updates to reduce supply chain risk from newly published packages.

Image: Hacker News

GitHub has changed Dependabot so it now waits at least three days after a new release appears in a registry before opening a version update pull request. The new package cooldown is now the default and does not require any configuration.

The idea is straightforward: newly published releases are a common path for software supply chain attacks, especially when a compromised or broken package version reaches dependency bots before maintainers and the wider community spot problems. By adding a short delay, GitHub says teams are less likely to merge a bad release as soon as it ships.

A few limits matter. The default cooldown applies only to version updates. Security updates will still open immediately, so urgent fixes are not held back.

Developers can still change the behavior in .github/dependabot.yml. GitHub says you can set a different cooldown window or opt out entirely using the cooldown option.

Recommended reading

Telegram’s t.me links return after sanctions hiccup

The default applies to Dependabot version updates across all supported ecosystems on github.com. GitHub also says it will arrive in GitHub Enterprise Server 3.23.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading