Skip to content

Dependabot now waits 3 days by default before version-update PRs

Original: Dependabot version updates introduce default package cooldown View original →

Read in other languages: 한국어日本語
AI Jul 15, 2026 By Insights AI 1 min read 1 views Source

GitHub is adding a default buffer between a package release and the automated pull request that updates your dependency. Dependabot version updates now wait at least three days after a new release appears on its registry before opening a pull request.

The three-day delay is a supply-chain security choice, not just notification throttling. GitHub notes that new releases are a common entry point for compromised or broken packages. If automation proposes the update immediately, a team can merge a bad version before maintainers, downstream users, or package registries have had time to raise warnings.

The default is deliberately scoped. It applies only to Dependabot version updates. Security updates continue to open immediately, so critical vulnerability fixes are not delayed by the cooldown. That distinction matters because teams often want slower adoption for ordinary version bumps but fast response when the update is tied to a known security issue.

Teams also keep configuration control. The cooldown option in .github/dependabot.yml can set a different waiting window or opt out entirely. That gives mature projects, high-frequency packages, and conservative enterprise environments room to tune the tradeoff between freshness and review signal.

The change applies across all supported ecosystems for Dependabot version updates on github.com and is planned for GitHub Enterprise Server 3.23. For organizations that rely on automated dependency maintenance, the default posture has shifted: being current still matters, but GitHub is now building in time for the ecosystem to notice when a release is risky.

Share: Long

Related Articles

AI May 23, 2026 1 min read

GitHub confirmed on May 20, 2026 that threat group TeamPCP exfiltrated approximately 3,800 internal repositories after a GitHub employee installed a trojanized Nx Console VS Code extension that was live on the marketplace for just 11 minutes. Stolen credentials include 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS tokens; TeamPCP is seeking $50,000 for the data on underground forums.