The New Default: A Three-Day Wait

GitHub introduced a significant change to Dependabot's behavior on July 14, 2026: a mandatory three-day cooldown period before a version-update pull request is opened for a new package release. This change, announced via the GitHub Changelog, applies by default and requires no specific configuration from users. The stated intent is to allow the community time to identify and report potential issues with new releases, thereby preventing the adoption of compromised or buggy versions.

The logic is straightforward: a new release hits a registry. Dependabot observes this. Instead of immediately creating a pull request to update your project to that new version, it waits for three full days. Only after this waiting period does it open the pull request. This is followed by your standard CI checks, review process, and eventual deployment. The final step, observing the deployed version, is where the true impact of the cooldown becomes apparent.

This new default workflow can be visualized as:

release -> cooldown (3 days) -> update PR -> CI -> review -> deploy -> observe

While the intention to enhance stability is commendable, this blanket policy raises immediate questions about its suitability for all scenarios. The three-day wait, while potentially catching some problematic releases, also introduces a delay in applying necessary and potentially urgent compatibility fixes or security patches. This creates a tension between proactive risk mitigation and the need for timely software updates.

The Unanswered Question: What About Urgency?

The fundamental problem with a universal three-day cooldown is that it treats all releases identically. Software development, however, is rarely uniform. Some updates are minor bug fixes that introduce no risk. Others are critical security patches that, when delayed, leave systems vulnerable. Still others might be essential compatibility updates required to integrate with a rapidly changing external service.

Consider the scenario where a critical vulnerability is discovered in a widely used library. Normally, developers would race to update their dependencies. With the new Dependabot default, this race is immediately handicapped by a three-day delay before the update is even proposed. This delay, while intended to prevent adopting *new* bad releases, actively hinders the adoption of *fixes* for existing bad states. It's akin to a fire department being forced to wait three days before responding to a reported blaze, on the off-chance the fire might spontaneously extinguish itself or be a drill.

When Cooldown Becomes a Bottleneck

The current policy offers no mechanism for opting out of the cooldown for specific packages or for urgent situations. This means that even if a security fix is released for a high-priority dependency, Dependabot will still wait three days before creating the pull request. This delay can be critical in environments where rapid patching is essential, such as financial services, healthcare, or critical infrastructure. The risk of a zero-day exploit targeting a known, but unpatched, vulnerability now has an artificially extended window.

Furthermore, this policy can indirectly impact the review and deployment process. Teams that rely on automated dependency updates for their release cadence may find their pipelines disrupted. They might be forced to manually override Dependabot's suggestions or, worse, to bypass the cooldown by manually triggering updates, negating the intended benefits of Dependabot’s automated policy.

The current approach treats a minor version bump for a utility library with the same caution as a major version release of a core framework. This lack of granularity means that teams might miss out on performance improvements, new features, or essential bug fixes simply because they are caught in the default three-day waiting period. The policy, in its current form, prioritizes a hypothetical, but unlikely, risk of adopting a bad release over the very real and immediate risk of delaying necessary updates.

Dependabot workflow diagram showing the default three-day cooldown before a PR is opened.

The Need for Granular Control

What is needed is an explicit exception policy. Developers and security teams should have the ability to configure Dependabot's cooldown behavior on a per-repository, or even per-dependency, basis. This could take several forms:

  • Opt-out for specific packages: Allow users to mark certain critical dependencies as exempt from the cooldown period.
  • Urgency flags: Enable users to flag specific updates as urgent, bypassing the cooldown. This could be a manual flag or potentially integrated with security advisories.
  • Configurable cooldown duration: While a default is useful, allowing teams to adjust the cooldown period (e.g., to 24 hours or even zero for trusted sources) would offer much-needed flexibility.
  • Conditional cooldown: Implement logic that perhaps reduces the cooldown for patch versions or known security fixes, while maintaining it for minor and major version bumps.

Without such controls, the default three-day cooldown risks becoming a hindrance rather than a help. It forces a one-size-fits-all approach onto a problem that demands nuanced solutions. While the goal of preventing the adoption of buggy or malicious code is vital, it should not come at the cost of delaying essential security patches and compatibility fixes. The current implementation is a baseline, but it needs to be augmented with intelligent exceptions to truly serve the needs of modern software development.