GitHub Makes 3-Day Wait Default for Dependabot Version Updates
The shift from opt-in to default cooldown reflects a growing industry consensus that automated dependency updates need built-in delays to counter supply chain attacks, even at the cost of slower adoption of new versions.
Reporting from 1 source: GIGAZINE.
GitHub has made a three-day cooldown period the default for Dependabot version updates, meaning new package versions will not be automatically proposed via pull request until at least three days after publication. The change aims to reduce the risk of supply chain attacks by giving time for malicious or buggy updates to be discovered before they are integrated. Security updates for known vulnerabilities are exempt from the wait. The setting can be overridden per repository.
The cooldown option was introduced in July 2025 as an opt-in feature that required manual configuration in each repository's dependabot.yml file. With the change, the three-day wait is now the default across all Dependabot-managed package ecosystems on GitHub.com. GitHub Enterprise Server users will get it in version 3.23. The company exempts security updates for known vulnerabilities from the wait, so critical fixes are not delayed. Users can still override the default by editing the cooldown setting in their dependabot.yml file.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.