GitHub announced on July 14, 2026 that Dependabot now waits until a release has been available on its registry for at least three days before opening a version-update pull request. The cooldown is the new default and requires no configuration.

Primary source: GitHub Changelog, July 14, 2026.

The product question is not whether three days is universally safer. Waiting may expose a broken or compromised release before adoption, but it can also postpone a needed compatibility fix. Cooldown is a baseline, not a complete dependency policy.

Separate normal freshness from security response

release -> cooldown -> update PR -> CI -> review -> deploy -> observe