GitHub announced on July 14, 2026 that Dependabot now waits until a release has been available on its registry for at least three days before opening a version-update pull request. The cooldown is the new default and requires no configuration.
Primary source: GitHub Changelog, July 14, 2026.
The product question is not whether three days is universally safer. Waiting may expose a broken or compromised release before adoption, but it can also postpone a needed compatibility fix. Cooldown is a baseline, not a complete dependency policy.
Separate normal freshness from security response
release -> cooldown -> update PR -> CI -> review -> deploy -> observe











