Dependabot version updates introduce default package cooldown
- Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request.
- This cooldown is now the default and requires no configuration.
- New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency updates before maintainers and the community have caught it.
Unverified
- Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request.
- This cooldown is now the default and requires no configuration.
- New releases are a common entry point for supply chain attacks where a compromised or broken version can reach your dependency updates before maintainers and the community have caught it.
Sources: Github