← All stories
● Covered by 1 source Β· 1 reportMedium impact

Dependabot introduces default three-day cooldown for version updates

Aggregated by BrevFeed dev Β· updated 15h ago
πŸ”– Save

Dependabot now includes a default three-day cooldown before opening version update pull requests. This change aims to reduce the risk of merging compromised versions immediately after their release, enhancing supply chain security for developers.

Key points

Dependabot Introduces Cooldown Period

Dependabot has implemented a default cooldown period of three days for version updates. This means that once a new version is released in its registry, Dependabot will wait for three days before generating a pull request for the update.

Rationale Behind the Change

This cooldown period is introduced to mitigate risks associated with supply chain attacks. New releases can sometimes contain vulnerabilities that may not be immediately recognized by maintainers. By delaying the update process, users have time to evaluate new versions for potential issues.

Configuration and Control

While the cooldown is set as a default, developers have the option to configure their own settings. Users can modify this behavior in their dependabot.yml file to set a different window or to opt out of the cooldown altogether.

Impact on Security Updates

It is important to note that this default cooldown applies only to version updates. Security updates remain unaffected and will open immediately, ensuring that critical fixes are integrated without delay.

Future Availability

The three-day cooldown will be applied across all supported ecosystems on GitHub and will also take effect in GitHub Enterprise Server version 3.23.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub newrelic/newrelic-browser-agent GitHub code-security/dependabot GitHub en/github

Reporting from

Dependabot now includes a default three-day cooldown before opening version update pull requests. This change aims to reduce the risk of merging compromised versions immediately after their release, enhancing supply chain security for developers.