Tech

GitHub enforces three-day cooldown for Dependabot updates to curb supply chain risks

The tech giant’s move to introduce a mandatory 72-hour waiting period for version updates aims to give developers time to identify compromised or broken packages before they are merged into codebases.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: Hacker News · original
Tech
No image available
New default policy delays pull requests until releases age in registry

GitHub has implemented a default three-day cooldown for Dependabot version updates, a structural change designed to mitigate software supply chain attacks. Under the new protocol, the automated update service will now delay the opening of pull requests until a new release has been available on its registry for at least 72 hours.

This measure introduces a mandatory buffer period into the dependency management workflow. By enforcing a wait time before updates are proposed, the platform aims to allow signals regarding compromised or broken versions to surface. This delay reduces the likelihood that projects will automatically merge a problematic release the moment it ships, providing maintainers and the wider community with time to identify issues.

The policy applies to Dependabot version updates across all supported ecosystems on github.com. Crucially, this cooldown is now the default setting and requires no configuration from users, ensuring immediate adoption of the security measure across the platform’s standard infrastructure.

The update is also scheduled to take effect in GitHub Enterprise Server (GHES) 3.23, extending the security protocol to enterprise environments. The change addresses a known vulnerability vector where new releases serve as common entry points for attacks, often before maintainers have had the opportunity to catch errors or malicious code.

For further details on the mechanics of these cooldowns and how they interact with existing dependency workflows, GitHub has published documentation outlining the specifics of the update.

Continue reading

More from Tech

Read next: ESET discovery reveals Microsoft Secure Boot bypassed for 13 years via unrevoked shims
Read next: Trump administration bars US citizens in Congo from returning home amid Ebola outbreak
Read next: UK proposes midnight curfew for 16- and 17-year-olds on social media