GEEK HAUS
Back to feed
2026/07/14/github-dependabot-now-delays-version-update-pull

GitHub Dependabot now delays version update pull requests by three days to reduce supply chain risk

·github.blog
read original

EDITOR BRIEF

GitHub says Dependabot will now wait at least three days after a new package release appears in its registry before opening a version update pull request. The default cooldown applies across supported ecosystems on github.com, while security updates still open immediately and teams can adjust or disable the delay in dependabot.yml.

INSIGHTS

The change reflects growing concern that automated dependency updates can quickly spread compromised or broken packages before the ecosystem detects them. By adding a default delay, GitHub is shifting Dependabot toward a more cautious supply chain security posture while preserving urgency for critical fixes.

COMMENTS

Discussion

> geekhaus:~$ next read?

Next read recommendations