Dependabot supports configuration of a minimum package age
The cooldown feature is now generally available for Dependabot version updates! This feature gives you control over when version update pull requests are created to bump your dependencies.
What’s new
The cooldown feature allows you to configure a minimum age requirement before Dependabot creates a pull request for a newly released dependency. This is perfect for folks using version updates with:
- Mature or stable projects that prefer conservative dependency updates.
- High-frequency packages that frequently release updates.
- Teams that want to avoid patch-level noise while staying current.
How it works
You can configure cooldown settings in your .github/dependabot.yml
file. Check our documentation to see a configuration example. Editor’s note (July 3, 2025): Removed an inaccurate sample file and added a link to the documentation in its place.
Read more about cooldown and configuration options in our documentation.
Key benefits
- Reduce noise from frequent dependency updates.
- Stay responsive to critical security patches.
- Granular control with different cooldowns per
semver
type. - Flexible scheduling that works with your existing update intervals.
Getting started
Update your .github/dependabot.yml
configuration file to include the new cooldown
setting. The feature is available for all supported package ecosystems today except for NuGet; you can expect NuGet support in the coming weeks.
To learn more about version updates and other advanced configuration options, visit our Dependabot documentation. To learn more and engage with the community about minimum package age configurations, join the conversation.