Hasty Briefsbeta

Bilingual

Dependabot version updates introduce default package cooldown

2 hours ago
  • #Dependabot
  • #Supply Chain Security
  • #Version Updates
  • Dependabot now introduces a default 3-day cooldown for version updates, waiting before opening PRs.
  • The cooldown aims to mitigate supply chain attacks by allowing time to detect compromised or broken releases.
  • Security updates are not delayed and will still open immediately for critical fixes.
  • Users can customize or opt out of the cooldown via the 'cooldown' option in their .github/dependabot.yml file.
  • This default applies to all supported ecosystems on github.com and will be included in GitHub Enterprise Server 3.23.