Keep the three-day default for most dependencies, preserve immediate security updates, and shorten the window only when the cost of waiting is understood.
Dependabot version updates now wait until a package release has been available in its registry for at least three days before opening a pull request. GitHub enabled the cooldown by default without requiring a configuration change.
The delay is a response to a familiar supply-chain problem: an automated update can deliver a compromised or badly broken release faster than maintainers and users can detect it. Waiting creates an observation window without turning updates off.
Security fixes are not delayed
The default applies to version updates, not Dependabot security updates. When GitHub identifies a vulnerable dependency and can prepare a security update, that pull request still opens immediately.
This distinction matters. A blanket delay would trade supply-chain caution for known-vulnerability exposure. The new default separates routine freshness from urgent remediation.
When to change the window
Teams can set another duration or opt out through the cooldown option in `.github/dependabot.yml`. A shorter window can make sense for an internal package you control or a fast-moving dependency with strong testing. A longer window can suit low-change systems where stability is more valuable than immediate features.
Do not choose the duration by instinct alone. Record how often updates fail, how quickly upstream regressions are discovered, and whether your test suite catches the failure modes that matter.
Review the automation around Dependabot
A cooldown is not a substitute for review. Confirm that CI runs on dependency pull requests, lockfiles are included, release notes are accessible, and auto-merge rules distinguish routine patches from major or security-sensitive packages. The default covers supported ecosystems on GitHub.com and is planned for GitHub Enterprise Server 3.23.
PatchMemo independently selects and evaluates the topics it covers. We clearly label sponsorships and affiliate relationships.


