Dependabot's Three-Day Cooldown Needs an Explicit Exception Policy
GitHub announced on July 14, 2026 that Dependabot now waits until a release has been available on its registry for at least three days before opening a version-update pull request. The cooldown is the new default and requires no configuration. Primary source: GitHub Changelog, July 14, 2026 . The product question is not whether three days is universally safer. Waiting may expose a broken or compromised release before adoption, but it can also postpone a needed compatibility fix. Cooldown is a baseline, not a complete dependency policy. Separate normal freshness from security response release -> cooldown -> update PR -> CI -> review -> deploy -> observe A cooldown does not replace lockfiles, CI, provenance checks, staged deployment, or rollback. It should not silently delay an urgent security-update workflow either. Use this decision table before creating exceptions: Package situation Suggested decision Compensating control Routine dev dependency with strong CI Keep default Deterministic tests Runtime package on a critical path Keep or lengthen Canary and fast rollback Identified security remediation Use the dedicated urgent path Security owner and targeted tests Isolated build-only tool Consider shorter Reproducible artifact checks Volatile pre-1.0 package Consider longer Manual release review Internal package released with the app Consider exception Exact-version integration test Parser, auth, crypto, or installer Keep default unless urgency wins Sandbox and abuse fixtures Score the exception Rate each dimension from 1 to 5: blast radius; upstream release volatility; test strength; rollback speed; cost of waiting. Then use two conversation scores: wait_value = blast_radius + release_volatility ship_confidence = test_strength + rollback_speed + cost_of_waiting This is not a statistical risk model. It forces the team to name evidence. Keep the default when scores are close. Consider shortening only when delivery evidence clearly exceeds wait value. Route vulnerabilit