Dependabot now includes a default three-day cooldown before opening version update pull requests. This change aims to reduce the risk of merging compromised versions immediately after their release, enhancing supply chain security for developers.
Dependabot has implemented a default cooldown period of three days for version updates. This means that once a new version is released in its registry, Dependabot will wait for three days before generating a pull request for the update.
This cooldown period is introduced to mitigate risks associated with supply chain attacks. New releases can sometimes contain vulnerabilities that may not be immediately recognized by maintainers. By delaying the update process, users have time to evaluate new versions for potential issues.
While the cooldown is set as a default, developers have the option to configure their own settings. Users can modify this behavior in their dependabot.yml file to set a different window or to opt out of the cooldown altogether.
It is important to note that this default cooldown applies only to version updates. Security updates remain unaffected and will open immediately, ensuring that critical fixes are integrated without delay.
The three-day cooldown will be applied across all supported ecosystems on GitHub and will also take effect in GitHub Enterprise Server version 3.23.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Dependabot now includes a default three-day cooldown before opening version update pull requests. This change aims to reduce the risk of merging compromised versions immediately after their release, enhancing supply chain security for developers.