GitHub now includes a '3-day wait' as standard for automatic dependency updates to prevent the immediate incorporation of dangerous new versions.



GitHub has changed its 'Dependabot version updates' feature, which automatically updates dependencies, to now apply the existing functionality of not creating pull requests for updates for at least three days after a new package is published. This is intended to reduce the risk of incorporating malicious code or critical bugs in newly published packages before the issues are discovered.

Dependabot version updates introduce default package cooldown - GitHub Changelog
https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/


Applying an updated version of a plugin that includes a backdoor can result in a backdoor being embedded in a website, or updating a development package to the latest version can lead to the theft of authentication credentials. A technique that targets external packages used for development and operation, or distribution channels, rather than the software itself, is called a 'software supply chain attack.'

In April 2026, an incident was reported in which backdoors were added to updated versions of 31 WordPress plugins whose ownership had been transferred. Shortly after the backdoors began to be exploited, WordPress.org stopped distributing the affected plugins, but users who updated before the stoppage were still at risk. If you wait a few days instead of updating immediately after release, you can check reports from other users and security researchers before determining the safety of the plugins.

31 WordPress plugins found to have backdoors, added in updates after ownership transfer - GIGAZINE



Package publishers are also taking steps to countermeasures. In May 2026, npm, a package management service for JavaScript, introduced 'staged publishing,' which places packages in a pending state and requires two-factor authentication approval by the maintainer before they can be made publicly available. This mechanism makes it more difficult to distribute malicious packages even if the public token is leaked, and aims to stop attacks at the stage when updated versions are registered.

Following repeated supply chain attacks, npm introduces 'phased releases,' adding a mechanism that prevents packages from being published with only leaked tokens - GIGAZINE



GitHub's Dependabot version updates is a feature that periodically checks your dependencies and automatically creates a pull request to review and incorporate new versions when they are found. While this reduces the effort required for updates, it also had the potential to quickly expose developers to potentially dangerous, newly released versions.

Since July 2025, GitHub has offered a 'cooldown' option that waits a certain period after an update is published before creating a pull request. Previously, this had to be specified in a configuration file for each repository, but with this change, a '3-day wait' will now be automatically applied as the default setting.

When the standard waiting period is applied, Dependabot checks if more than three days have passed since the new version was released on the distribution server called the package registry. If it's less than three days, it will skip the normal version update and create a pull request after the waiting period has passed.

The 3-day wait does not apply to security updates that fix vulnerabilities. GitHub explains that updates to address known vulnerabilities will be proposed immediately as usual, so there will be no delay in urgent fixes. You can also extend the wait period or disable the standard wait by changing the cooldown settings in '.github/dependabot.yml'.

Regarding the method of delaying dependency updates by several days, some point out that 'this system relies on the assumption that users who update immediately will become free, unintentional beta testers, and it will cease to work if everyone waits.' IT engineer Cal Patterson argues that while it can be expected to protect individual users, it is unlikely to work if all users wait simultaneously.

Is 'waiting a few days' an effective defense against supply chain attacks? - GIGAZINE



The standard three-day wait applies to all package management environments supported by Dependabot on GitHub.com, and will be introduced in GitHub Enterprise Server starting with version 3.23. GitHub states that by introducing a short wait period for Dependabot, which previously treated new dependencies as update candidates immediately after publication, it provides time for signs of potentially dangerous updates to surface.

in Web Service,   Security, Posted by log1d_ts