Dependabot version updates introduce default package cooldown
2 hours ago
- #Dependabot
- #Supply Chain Security
- #Version Updates
- Dependabot now introduces a default 3-day cooldown for version updates, waiting before opening PRs.
- The cooldown aims to mitigate supply chain attacks by allowing time to detect compromised or broken releases.
- Security updates are not delayed and will still open immediately for critical fixes.
- Users can customize or opt out of the cooldown via the 'cooldown' option in their .github/dependabot.yml file.
- This default applies to all supported ecosystems on github.com and will be included in GitHub Enterprise Server 3.23.