Dependabot version updates introduce default package cooldown
woodruffw
145 points
85 comments
July 14, 2026
Related Discussions
Found 5 related stories in 497.0ms across 14,015 title embeddings via pgvector HNSW
- Dependency cooldowns turn you into a free-rider pabs3 · 58 pts · April 15, 2026 · 55% similar
- Package Managers Need to Cool Down abdelhousni · 15 pts · March 25, 2026 · 54% similar
- Maybe you shouldn't install new software for a bit psxuaw · 348 pts · May 07, 2026 · 46% similar
- 'No way to prevent this,' says only package manager where this regularly happens alligatorplum · 286 pts · May 16, 2026 · 45% similar
- You Should Not Update Your Dependencies OlivierCG · 25 pts · May 27, 2026 · 45% similar
Discussion Highlights (9 comments)
insanitybit
What a state of things where we have to fear installing software, and rely on vendors to scan things ahead of time, because our supply chain is such a mess and our tooling is so incapable of (and uninterested in) protecting us.
ashu1461
This makes me think whether npm (and other registries) should apply security requirements based on ecosystem impact. Example a package having millions of downloads can have special security measures enforced.
bstsb
> The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed. does this require a real vulnerability report, or CVE? if the package is compromised would they just be able to push a false "critical update" that bypasses this wait?
cadamsdotcom
"We don't call 'em 0days any more, now we call 'em 3days"
zihotki
If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it. But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.
Waterluvian
I really hate dependabot making generic security people at work so pushy about updates updates updates. They seem to just be dogmatic about whatever dependabot says, forcing churn even when the documented issues are clearly not relevant. I’m not sure how to handle it politically. I’m convinced that updating so much more often is worse, not better.
noosphr
Watching language package managers reinvent everything distribution package managers have been doing since the 90s has been as fun as watching crypto people reinvent financial regulation.
mook
But updates to broken packages are still allowed: if a new version is pushed within the three days, it does not reset the cool-down. You just get a pull request to update to a known-bad version instead.
Grokify
This seems to be primarily an issue with a few specific package management solutions that have suffered SCA vulnerabilities recently, not generaly across the board.