Dependabot supports configuration of a minimum package age
The cooldown feature is now generally available for Dependabot version updates! This feature gives you control over when version update pull requests are created to bump your dependencies.
What’s new
The cooldown feature allows you to configure a minimum age requirement before Dependabot creates a pull request for a newly released dependency. This is perfect for folks using version updates with:
- Mature or stable projects that prefer conservative dependency updates.
- High-frequency packages that frequently release updates.
- Teams that want to avoid patch-level noise while staying current.
How it works
You can configure cooldown settings in your .github/dependabot.yml file:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      # cooldown is a mapping, not a list; values are days
      default-days: 60
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      include:
        - "example"
      exclude:
        - "excluded-example"

Read more about cooldown and configuration options in our documentation.
Key benefits
- Reduce noise from frequent dependency updates.
- Stay responsive to critical security patches.
- Granular control with different cooldowns per semver type.
- Flexible scheduling that works with your existing update intervals.
Getting started
Update your .github/dependabot.yml configuration file to include the new cooldown settings. The feature is available for all supported package ecosystems.
To learn more about version updates and other advanced configuration options, visit our Dependabot documentation. To learn more and engage with the community about minimum package age configurations, join the conversation.