Dependabot version updates introduce default package cooldown Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request. This cooldown is now the default and requires no configuration. New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency u

