July 14, 2026

Hot patch summer hits the brakes

Dependabot version updates introduce default package cooldown

GitHub tells updates to chill for 3 days — and the comments are pure trust-crisis chaos

TLDR: GitHub’s Dependabot now waits three days before opening most update requests, hoping bad releases get spotted before people install them. Commenters are split between calling it a smart safety buffer, a depressing sign of broken trust, and a loophole waiting to be abused.

GitHub just gave its auto-update helper, Dependabot, a new default rule: wait three days before suggesting most software updates. The idea is simple enough for non-coders too: if a newly released package is secretly broken or malicious, that short pause gives the wider internet time to notice before everyone installs it. Security fixes still skip the line and show up right away, and developers can still change or turn off the delay in their settings. Sensible? Maybe. But the comment section on GitHub immediately turned into a full-blown software trust meltdown.

The loudest reaction was basically: wow, things are so bad we now need a waiting period before touching new software. One commenter summed up the mood with exhausted doom, saying it’s wild that people now have to fear installing updates at all. Others pushed for even tougher rules, arguing that hugely popular packages should face stricter safety checks before they reach the masses. Then came the suspicion brigade: if security updates are allowed through instantly, could a bad actor somehow fake an urgent fix and slip past the delay?

And yes, the jokes arrived right on cue. The winning one-liner? A deadpan rebrand of the classic “zero-day” hack into “3days.” But not everyone was laughing. Some users argued the whole system could backfire: if everyone waits, does that mean fewer early adopters will spot problems quickly? In other words, GitHub’s new safety buffer has sparked the internet’s favorite kind of debate: does this make us safer, or just slower and slightly more paranoid?

Key Points

  • Dependabot now waits at least three days after a package release before opening a version update pull request by default.
  • The default cooldown is intended to reduce exposure to compromised or broken releases in software supply chains.
  • Security updates are excluded from the delay and still open immediately.
  • Users can configure a different cooldown period or disable it in `.github/dependabot.yml`.
  • The default applies across all supported ecosystems on GitHub.com and will be included in GitHub Enterprise Server 3.23.

Hottest takes

"We don't call 'em 0days any more, now we call 'em 3days" — cadamsdotcom
"What a state of things where we have to fear installing software" — insanitybit
"could they just be able to push a false 'critical update' that bypasses this wait?" — bstsb
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.