GitHub's Dependabot tool has introduced a mandatory three-day cooldown period before opening version update pull requests, making this safety measure the new default behavior. This change aims to prevent potential supply chain attacks by allowing time for new package versions to be vetted before they are automatically integrated into projects.
Background
Dependabot is an automated tool maintained by GitHub that helps keep dependencies up-to-date by creating pull requests when new versions are available. Supply chain security has become a critical concern in software development due to recent high-profile attacks via compromised packages.
- Source
- Simon Willison
- Published
- Jul 15, 2026 at 06:43 AM
- Score
- 6.0 / 10