{"rewrite":{"id":"r_8a79569c14cae565ee481f6f","clusterId":"c_b72ecbe790f2d10481e919b2","slug":"github-makes-3-day-wait-default-for-dependabot-version-updates","model":"deepseek-v4-flash","headline":"GitHub Makes 3-Day Wait Default for Dependabot Version Updates","summary":"GitHub has made a three-day cooldown period the default for Dependabot version updates, meaning new package versions will not be automatically proposed via pull request until at least three days after publication. The change aims to reduce the risk of supply chain attacks by giving time for malicious or buggy updates to be discovered before they are integrated. Security updates for known vulnerabilities are exempt from the wait. The setting can be overridden per repository.","whyItMatters":"The shift from opt-in to default cooldown reflects a growing industry consensus that automated dependency updates need built-in delays to counter supply chain attacks, even at the cost of slower adoption of new versions.","webCardHtml":"\u003cp\u003eThe cooldown option was introduced in July 2025 as an opt-in feature that required manual configuration in each repository\u0026#39;s dependabot.yml file. With the change, the three-day wait is now the default across all Dependabot-managed package ecosystems on GitHub.com. GitHub Enterprise Server users will get it in version 3.23. The company exempts security updates for known vulnerabilities from the wait, so critical fixes are not delayed. Users can still override the default by editing the cooldown setting in their dependabot.yml file.\u003c/p\u003e","blueskyPost":"GitHub now defaults Dependabot to a 3-day wait before auto-updating packages, giving time for supply chain attacks to be caught. Security fixes are exempt. The change applies to all Dependabot-managed ecosystems on GitHub.com.","twitterPost":"GitHub makes 3-day cooldown the default for Dependabot version updates. New packages won't be auto-proposed until 3 days after release, to slow supply chain attacks. Security updates still immediate. Overridable per repo.","threadsPost":null,"newsletterBlurb":"GitHub has turned the three-day cooldown for Dependabot version updates into a default setting, meaning new package versions will not be automatically proposed until at least three days after publication. The change is designed to give malicious or buggy updates time to be discovered before they are integrated into projects. Security patches for known vulnerabilities are exempt from the delay.","attributionJson":"[{\"source\":\"GIGAZINE\",\"url\":\"https://gigazine.net/news/20260715-github-dependabot-cooldown/\",\"title\":\"GitHubが依存関係の自動更新に標準で「3日間の待機」を導入、危険な新バージョンの即時取り込みを防止\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":5270,"outputTokens":2457,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1784140529,"createdAt":"2026-07-15T18:22:55.000Z","publishedAt":"2026-07-15T18:27:29.000Z","updatedAt":"2026-07-15T18:22:55.000Z"},"cluster":{"id":"c_b72ecbe790f2d10481e919b2","canonicalTitle":"GitHubが依存関係の自動更新に標準で「3日間の待機」を導入、危険な新バージョンの即時取り込みを防止","representativeArticleId":"a_961c2bd74ef1be8f538008cb","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-07-15T08:10:00.000Z","lastSeenAt":"2026-07-15T08:10:00.000Z","updatedAt":"2026-07-15T18:27:29.000Z"},"attribution":[{"source":"GIGAZINE","url":"https://gigazine.net/news/20260715-github-dependabot-cooldown/","title":"GitHubが依存関係の自動更新に標準で「3日間の待機」を導入、危険な新バージョンの即時取り込みを防止"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":[],"studios":[],"people":[],"type":"news","domain":"other","is_roundup":false},"keyFacts":null}
