RC RANDOM CHAOS

Dependabot Now Waits 3 Days Before Proposing Dependency Updates

· via Hacker News

Original source

Dependabot version updates introduce default package cooldown

Hacker News →

GitHub has made a three-day cooldown the default behavior for Dependabot version updates. New releases must sit on their registry for at least 72 hours before Dependabot will open a pull request to bump a dependency, giving the wider community time to flag a compromised or broken package before it lands in your project.

The change targets one of the most reliable footholds for supply-chain attacks: freshly published malicious or defective versions that slip into automated update streams before maintainers notice. Crucially, the delay applies only to routine version bumps. Security updates still open immediately, so patches for known vulnerabilities are never held back. Teams that want a different window, or none at all, can override the behavior with the cooldown option in .github/dependabot.yml.

The default is live across all supported ecosystems on github.com and will reach self-hosted installations in GitHub Enterprise Server 3.23. It requires no configuration to take effect, meaning most repositories inherit the added safety margin automatically.

Read the full article

Continue reading at Hacker News →

This is an AI-generated summary. Read the original for the full story.