The cooldown feature is now generally available for Dependabot version updates! This feature gives you control over when version update pull requests are created to bump your dependencies.

What’s new

The cooldown feature allows you to configure a minimum age requirement before Dependabot creates a pull request for a newly released dependency. This is perfect for folks using version updates with:

  • Mature or stable projects that prefer conservative dependency updates.
  • Packages that release updates frequently.
  • Teams that want to avoid patch-level noise while staying current.

How it works

You can configure cooldown settings in your .github/dependabot.yml file:

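version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      # cooldown is a mapping; its options are keys, not list items
      default-days: 60
      # minimum release age in days, per semver update type
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      # dependencies the cooldown applies to
      include:
        - "example"
      # dependencies exempt from the cooldown
      exclude:
        - "excluded-example"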

Read more about cooldown and configuration options in our documentation.
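
To see which updates a configuration like the one above would hold back, here is a small model of the decision, added as an example and not GitHub's or Dependabot's own code. The function names are hypothetical, the key names are those documented for dependabot.yml (`semver-major-days` and so on), and the matching rules are assumptions marked in the comments.

```python
from datetime import date
from fnmatch import fnmatch

# Values mirror the cooldown block above.
COOLDOWN = {
    "default-days": 60,
    "semver-major-days": 30,
    "semver-minor-days": 7,
    "semver-patch-days": 3,
    "include": ["example"],
    "exclude": ["excluded-example"],
}

def bump_type(current, new):
    """Classify a bump as 'major', 'minor' or 'patch'; None if not plain x.y.z."""
    try:
        cur = [int(p) for p in current.split(".")]
        nxt = [int(p) for p in new.split(".")]
    except ValueError:
        return None
    if len(cur) != 3 or len(nxt) != 3:
        return None
    for kind, a, b in zip(("major", "minor", "patch"), cur, nxt):
        if a != b:
            return kind
    return None

def cooldown_days(name, current, new, cfg=COOLDOWN):
    """Days a release must age before a pull request is opened (0 = no cooldown)."""
    # Assumption: exclude takes precedence over include; patterns may use "*".
    if any(fnmatch(name, pat) for pat in cfg.get("exclude", [])):
        return 0
    include = cfg.get("include")
    if include and not any(fnmatch(name, pat) for pat in include):
        return 0
    kind = bump_type(current, new)
    default = cfg.get("default-days", 0)
    # Assumption: a missing semver-specific value falls back to default-days.
    return cfg.get(f"semver-{kind}-days", default) if kind else default

def is_eligible(name, current, new, released, today, cfg=COOLDOWN):
    """Assumption: eligible once the release is at least as old as its cooldown."""
    return (today - released).days >= cooldown_days(name, current, new, cfg)
```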

Key benefits

  • Reduce noise from frequent dependency updates.
  • Stay responsive to critical security patches.
  • Granular control with different cooldowns per semver type.
  • Flexible scheduling that works with your existing update intervals.

Getting started

Update your .github/dependabot.yml configuration file to include the new cooldown settings. The feature is available for all supported package ecosystems.

To learn more about version updates and other advanced configuration options, visit our Dependabot documentation. To learn more and engage with the community about minimum package age configurations, join the conversation.