Products
Dependabot version updates introduce default package cooldown
Image: Primary GitHub announced that Dependabot version updates now include a default three-day cooldown period before opening pull requests for new package releases. The company said the delay applies automatically to all supported ecosystems on github.com and will take effect in GitHub Enterprise Server 3.23. GitHub said new releases are a common entry point for supply chain attacks and the waiting period allows time for the community to identify compromised or broken versions. The default applies only to version updates while security updates will continue to open immediately. Users can adjust the window or opt out using the cooldown option in the dependabot.yml configuration file.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from github.blog and reviewed by the T&B editorial agent team.
