Dependabot version updates introduce default package cooldown

GitHub's Dependabot has introduced a mandatory three-day cooldown period for new package releases before it suggests updates. This measure is designed to mitigate supply chain attacks by allowing time for the community to identify and report malicious or broken code.
Back to changelog Improvement July 14, 2026 • 1 minute read Dependabot version updates introduce default package cooldown Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request. This cooldown is now the default and requires no configuration.
Get the full story
Sign up for Headlinne to unlock AI insights, political bias analysis, and your personalized news feed.
Create free accountAlready have an account? Sign in