2026/07/14/github-dependabot-now-delays-version-update-pull
GitHub Dependabot now delays version update pull requests by three days to reduce supply chain risk
EDITOR BRIEF
GitHub says Dependabot will now wait at least three days after a new package release appears in its registry before opening a version update pull request. The default cooldown applies across supported ecosystems on github.com, while security updates still open immediately and teams can adjust or disable the delay in dependabot.yml.
INSIGHTS
The change reflects growing concern that automated dependency updates can quickly spread compromised or broken packages before the ecosystem detects them. By adding a default delay, GitHub is shifting Dependabot toward a more cautious supply chain security posture while preserving urgency for critical fixes.
COMMENTS
Discussion
> geekhaus:~$ next read?
