Dependabot version updates now default to a 3-day package cooldown
Dependabot now waits at least three days after a new release appears on its registry before opening a version-update pull request, on by default with no configuration.
What it is
A default behavior change in GitHub's Dependabot version-update feature.
What it does
It delays automatically-opened dependency update pull requests until a new package release has been available for at least three days, instead of opening them the moment a release is published.
Why it matters
It reduces the chance of automatically pulling in a freshly-published malicious or broken package before the ecosystem has had time to flag it, an increasingly common supply-chain attack vector.
How to use it
No setup needed since it is now the default; teams that want a different cooldown window or want to disable it can configure the cooldown option in dependabot.yml.