Wireby Fusion42
Read this story on the live Wire →

Wire · founder news, decoded · technology

Dependabot version updates introduce default package cooldown

GitHub's Dependabot now defaults to a three-day cooldown before opening version update pull requests, reducing exposure to compromised or broken releases whilst security updates remain immediate. The change applies across all ecosystems and is configurable per project.

This Wire brief sits within Fusion42's coverage of Developer Tools and Data Infrastructure. Wire is Fusion42's founder-focused intelligence feed: each story is connected to the funds and startups it names — every one with a live profile on Raise or Scout — so founders can follow the capital and the momentum behind the headline rather than just the headline itself. Wire analysis is one of the live surfaces Arthur, Fusion42's AI co-founder, reasons over.

The Wire takeaway

If you're shipping code that depends on npm, PyPI or other registries, your dependency updates just got slower by default—but your supply chain got safer. You now have three days to spot a poisoned release before it lands in your repo, and you can tighten or loosen that window in one line of config.

Read the full story at github.blog

Topics: Developer Tools · Data Infrastructure · dependabot · supply-chain · dependency-management · security-defaults · open-source

Related on Wire

Verified 15 July 2026 · Sources: Fusion42 review