Dependabot's Three-Day Cooldown Needs an Explicit Exception Policy
GitHub announced on July 14, 2026 that Dependabot now waits until a release has been available on its registry for at least three days before opening a version-update pull request. The cooldown is the new default and requires no configuration. Primary source: GitHub Changelog, July 14, 2026.
The product question is not whether three days is universally safer. Waiting may expose a broken or compromised release before adoption, but it can also postpone a needed compatibility fix. Cooldown is a baseline, not a complete dependency policy.
Pipeline and Boundaries
Separate normal freshness from security response:
release -> cooldown -> update PR -> CI -> review -> deploy -> observe
A cooldown does not replace lockfiles, CI, provenance checks, staged deployment, or rollback. It should not silently delay an urgent security-update workflow either.
Decision Table for Exceptions
Use this decision table before creating exceptions:
| Package situation | Suggested decision | Compensating control |
|---|---|---|
| Routine dev dependency with strong CI | Keep default | Deterministic tests |
| Runtime package on a critical path | Keep or lengthen | Canary and fast rollback |
| Identified security remediation | Use the dedicated urgent path | Security owner and targeted tests |
| Isolated build-only tool | Consider shorter | Reproducible artifact checks |
| Volatile pre-1.0 package | Consider longer | Manual release review |
| Internal package released with the app | Consider exception | Exact-version integration test |
| Parser, auth, crypto, or installer | Keep default unless urgency wins | Sandbox and abuse fixtures |
Scoring Exceptions
Rate each dimension from 1 to 5:
- blast radius
- upstream release volatility
- test strength
- rollback speed
- cost of waiting
Then use two conversation scores:
wait_value = blast_radius + release_volatility
ship_confidence = test_strength + rollback_speed + cost_of_waiting
This is not a statistical risk model. It forces the team to name evidence. Keep the default when scores are close. Consider shortening only when delivery evidence clearly exceeds wait value. Route vulnerability urgency through security review instead of adjusting weights until the preferred answer wins. Make exceptions expire.
Organizational Metadata Example
policy_version: 1
reviewed_on: "2026-07-14"
default_cooldown_days: 3
exceptions:
- package_group: "internal-npm"
decision: "shorter"
reason: "Package and application release atomically"
evidence:
- "integration job: internal-release-contract"
- "rollback objective: 15 minutes"
owner: "platform"
expires_on: "2026-10-14"
This file is organizational metadata, not Dependabot configuration. Confirm current .github/dependabot.yml cooldown keys and ecosystem support against GitHub's documentation before changing production settings.
Measuring Impact
Measure release-to-PR time, PR-to-merge time, failed updates, reverts, releases superseded during cooldown, security remediation time, and backlog by criticality. A drop in failures cannot be credited to cooldown if tests or package volume changed at the same time.
The default removes the need for every repository to invent its first answer. Keep it where evidence is weak. Override it where package-specific urgency and operational controls justify the difference-and make the exception as reviewable as code.
Comments
No comments yet. Start the discussion.