Skip to content

Repo sync #39396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 19, 2025
Merged

Repo sync #39396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 47 additions & 1 deletion ...dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@ By default, {% data variables.product.prodname_dependabot %} balances its worklo

However, to reduce distraction, or to better organize time and resources for reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer {% data variables.product.prodname_dependabot %} to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before for your team's triage session.

You can use `schedule` with a combination of options to modify the frequency and timings of when {% data variables.product.prodname_dependabot %} checks for version updates
### Modifying the frequency and timings for dependency updates

You can use `schedule` with a combination of options to modify the frequency and timings of when {% data variables.product.prodname_dependabot %} checks for version updates.

The example `dependabot.yml` file below changes the npm configuration to specify that {% data variables.product.prodname_dependabot %} should check for version updates to npm dependencies every Tuesday at 02:00 Japanese Standard Time (UTC +09:00).

Expand All @@ -56,6 +58,50 @@ updates:

See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-).

### Setting up a cooldown period for dependency updates

You can use `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates**.

The example `dependabot.yml` file below shows a cooldown period being applied to the dependencies `requests`, `numpy`, and those prefixed with `pandas` or `django`, but not to the dependency called `pandas` (exact match), which is excluded via the **exclude** list.

```yaml copy
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
include:
- "requests"
- "numpy"
- "pandas*"
- "django"
exclude:
- "pandas"
```

* The number of cooldown days must be between 1 and 90.
* The maximum allowed items limit in `include` and `exclude` lists, which can be used with `cooldown`, is 150 each.

> [!NOTE]
> To consider **all dependencies** for a cooldown period, you can:
> * Omit the `include` option which applies cooldown to all dependencies.
> * Use `"*"` in `include` to apply the cooldown settings to everything.
> We recommend the use of `exclude` to **only** exclude **specific dependencies** from cooldown settings.

SemVer is supported for most package managers. Updates to new versions for dependencies in cooldown are deferred as follows:

* Major updates: Delayed by 30 days (`semver-major-days: 30`).
* Minor updates: Delayed by 7 days (`semver-minor-days: 7`).
* Patch updates: Delayed by 3 days (`semver-patch-days: 3`).

See also [`cooldown`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-).

## Prioritizing meaningful updates

You can use `groups` to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase.
Expand Down
194 changes: 69 additions & 125 deletions ...ode-security/dependabot/working-with-dependabot/dependabot-options-reference.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,75 @@ Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`.
* Supports only the value `scope`
* When defined any prefix is followed by the type of dependencies updated in the commit: `deps` or `deps-dev`.

## `cooldown` {% octicon "versions" aria-label="Version updates" height="24" %}

> [!NOTE]
> `cooldown` is not available for the NuGet ecosystem.

Defines a **cooldown period** for dependency updates, allowing updates to be delayed for a configurable number of days.

This feature enables users to customize how often {% data variables.product.prodname_dependabot %} generates new version updates, offering greater control over update frequency. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#setting-up-a-cooldown-period-for-dependency-updates).

{% data variables.product.prodname_dependabot %} default behavior:

* Check for updates according to the scheduled defined via `schedule.interval`.
* Consider all new versions **immediately** for updates.

When **`cooldown`** is defined:

1. {% data variables.product.prodname_dependabot %} checks for updates according to the defined `schedule.interval` settings.
1. {% data variables.product.prodname_dependabot %} checks for any cooldown settings.
1. If a dependency’s new release falls within its cooldown period, {% data variables.product.prodname_dependabot %} skips updating the version for that dependency.
1. Dependencies without a cooldown period, or those past their cooldown period, are updated to the latest version as per the configured `versioning-strategy` setting.
1. After a cooldown ends for a dependency, {% data variables.product.prodname_dependabot %} resumes updating the dependency following the standard update strategy defined in `dependabot.yml`.

{% data reusables.dependabot.option-affects-security-updates %}

### **Configuration of `cooldown`**

You can specify the duration of the cooldown using the options below.

| Parameter | Description |
|-----------|-------------|
| `default-days` | **Default cooldown period for dependencies** without specific rules (optional). |
| `semver-major-days` | Cooldown period for **major version updates** (optional, applies only to package managers supporting SemVer). |
| `semver-minor-days` | Cooldown period for **minor version updates** (optional, applies only to package managers supporting SemVer). |
| `semver-patch-days` | Cooldown period for **patch version updates** (optional, applies only to package managers supporting SemVer). |
| `include` | List of dependencies to **apply cooldown** (up to **150 items**). Supports wildcards (`*`). |
| `exclude` | List of dependencies **excluded from cooldown** (up to **150 items**). Supports wildcards (`*`). |

The table below shows the package managers for which SemVer is supported.

| Package manager | SemVer supported |
|-----------------------|------------------|
| Bundler | {% octicon "check" aria-label="Supported" %} |
| Bun | {% octicon "check" aria-label="Supported" %} |
| Cargo | {% octicon "check" aria-label="Supported" %} |
| Composer | {% octicon "check" aria-label="Supported" %} |
| Devcontainers | {% octicon "x" aria-label="Not supported" %} |
| Docker | {% octicon "x" aria-label="Not supported" %} |
| Docker Compose | {% octicon "x" aria-label="Not supported" %} |
| Dotnet SDK | {% octicon "check" aria-label="Supported" %} |
| Elm | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_actions %} | {% octicon "x" aria-label="Not supported" %} |
| Gitsubmodule | {% octicon "x" aria-label="Not supported" %} |
| Gomod (Go Modules)| {% octicon "check" aria-label="Supported" %} |
| Gradle | {% octicon "check" aria-label="Supported" %} |
| Helm | {% octicon "x" aria-label="Not supported" %} |
| Hex (Hex) | {% octicon "check" aria-label="Supported" %} |
| Maven | {% octicon "check" aria-label="Supported" %} |
| NPM and Yarn | {% octicon "check" aria-label="Supported" %} |
| Pip | {% octicon "check" aria-label="Supported" %} |
| Pub | {% octicon "check" aria-label="Supported" %} |
| Swift | {% octicon "check" aria-label="Supported" %} |
| Terraform | {% octicon "x" aria-label="Not supported" %} |
| UV | {% octicon "check" aria-label="Supported" %} |

> [!NOTE]
>
> * If `semver-major-days`, `semver-minor-days`, or `semver-patch-days` are not defined, the `default-days` settings will take precedence for cooldown-based updates.
> * The `exclude` list always take precedence over the `include` list. If a dependency is specified in both lists, it is **excluded from cooldown** and will be updated immediately.

## `directories` or `directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}

**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. For examples, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).
Expand Down Expand Up @@ -783,128 +852,3 @@ All sensitive data used for authentication should be stored securely and referen
The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem.

{% data reusables.dependabot.dependabot-replaces-base-nuget %}

## `cooldown` {% octicon "versions" aria-label="cooldown" height="24" %}

Defines a **cooldown period** for dependency updates to delay updates for a configurable number of days. This feature enables {% data variables.product.prodname_dependabot %} users to customize how often they receive new version updates, offering greater control over update frequency.

> [!NOTE]
> Cooldown is not applicable for security updates.
>
> Cooldown is not available for the **NuGet** ecosystem

### **How Cooldown Works**

* When {% data variables.product.prodname_dependabot %} runs updates as per defined schedule, it checks the **cooldown settings** to determine if new release for dependency is still within its cooldown period.
* If new version release date is within the cooldown period, dependency version update is **filtered out** and will not be updated until the cooldown period expires.
* Once the cooldown period ends for new version, the dependency update proceeds based on the standard update strategy defined in `dependabot.yml`.

Without **`cooldown`** (default behaviour):

* Dependabot checks for updates according to the scheduled defined via `schedule.interval`.
* All new versions are considered for updates **immediately**.

With **`cooldown`** enabled:

* {% data variables.product.prodname_dependabot %} checks for updates based on the defined `schedule.interval` settings.
* **Releases within the cooldown period are ignored.**
* {% data variables.product.prodname_dependabot %} updates the dependency to the latest available version **that are no longer in cooldown period** following the configured `versioning-strategy`.

### **Cooldown Configuration**

| Parameter | Description |
|-----------|-------------|
| `default-days` | **Default cooldown period for dependencies** without specific rules (optional). |
| `semver-major-days` | Cooldown period for **major version updates** (optional, applies only to SEMVER-supported package managers). |
| `semver-minor-days` | Cooldown period for **minor version updates** (optional, applies only to SEMVER-supported package managers). |
| `semver-patch-days` | Cooldown period for **patch version updates** (optional, applies only to SEMVER-supported package managers). |
| `include` | List of dependencies to **apply cooldown** (up to **150 items**). Supports wildcards (`*`). |
| `exclude` | List of dependencies **excluded from cooldown** (up to **150 items**). Supports wildcards (`*`). |

### **semver versioning**

| Package Manager | SEMVER Supported |
|-----------------------|------------------|
| **Bundler** | Yes |
| **Bun** | Yes |
| **Cargo** | Yes |
| **Composer** | Yes |
| **Devcontainers** | No |
| **Docker** | No |
| **Docker Compose** | No |
| **Dotnet SDK** | Yes |
| **Elm** | Yes |
| **{% data variables.product.prodname_actions %}** | No |
| **Gitsubmodule** | No |
| **Gomod (Go Modules)**| Yes |
| **Gradle** | Yes |
| **Helm** | No |
| **Hex (Hex)** | Yes |
| **Maven** | Yes |
| **NPM and Yarn** | Yes |
| **Pip** | Yes |
| **Pub** | Yes |
| **Swift** | Yes |
| **Terraform** | No |
| **UV** | Yes |

> [!NOTE]
>
> * If `semver-major-days`, `semver-minor-days`, or `semver-patch-days` are not defined, `default-days` settings take precedence for cooldown based updates.
> * `semver-major-days`, `semver-minor-days`, and `semver-patch-days` are only applicable for [supported package managers](#semver-versioning).
> * The `exclude` list always take precedence over the `include` list. If a dependency is specified in both lists, it is excluded from cooldown and will be updated immediately.

### **Cooldown settings limitations**

* `days` must be between 1 and 90.
* Maximum allowed items limit in `include` and `exclude` list is 150 each.

### **Example `dependabot.yml` with cooldown**

```yaml copy
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
include:
- "requests"
- "numpy"
- "pandas*"
- "django"
exclude:
- "pandas"
```

### **Expected Behavior**

Cooldown will be active for dependencies `requests`, `numpy` and dependencies starting with `pandas`, and `django`. Dependency with exact name `pandas` will be excluded from cooldown based updates as it is present in **exclude** list.

#### **Update days**

Updates to new versions for included dependencies will be deferred as following:

* **Major updates** → Delayed by **30 days** (`semver-major-days: 30`)
* **Minor updates** → Delayed by **7 days** (`semver-minor-days: 7`)
* **Patch updates** → Delayed by **3 days** (`semver-patch-days: 3`)

**Wildcard Matching:**

* `"pandas*"` applies cooldown to all dependencies that start with `pandas`.
* `"pandas"` in `exclude` ensures that only `"pandas"` (exact match) is excluded from cooldown.

> [!NOTE]
> To consider all dependencies for cooldown, you can:
>
> * Omit the `include` option which applies cooldown to all dependencies.
> * Use `"*"` in `include` to apply cooldown to everything.
>
> Use **only** `exclude` setting if specific dependencies are to be excluded from cooldown.

{% data reusables.dependabot.option-affects-security-updates %}
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy