Add a cooldown period to dependabot by gpshead · Pull Request #141866 · python/cpython

Conversation

AA-Turner

We already have a monthly interval, so E[dependency updated] is a fortnight. As such I think 14 days might be overkill?

@AA-Turner AA-Turner changed the title [security] Add a cooldown period to dependabot Add a cooldown period to dependabot

Nov 23, 2025

@gpshead

The monthly schedule is not a cooldown. A security cooldown means not auto-updating to a dep until that long after its release.

@gpshead

Fixed up. I'm leaving it as 14d because with our existing monthly schedule we're already not trying to get new versions fast anyways. Whenever there is an actual urgent need we'll already be making our own PR, so I'm opting to move slower by default.
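To make the distinction drawn above concrete, here is an added illustration of a `dependabot.yml` that keeps the monthly schedule and adds the 14-day cooldown the thread settles on. This is not the PR's own diff: the `github-actions` ecosystem and `/` directory are assumptions chosen only to make the fragment complete.

```yaml
# Added illustration, not the file from the pull request.
version: 2
updates:
  - package-ecosystem: "github-actions"   # assumed ecosystem for this example
    directory: "/"                        # assumed directory for this example
    schedule:
      interval: "monthly"   # how often Dependabot checks for new versions
    cooldown:
      default-days: 14      # a release must be at least 14 days old before it is proposed
```

The two settings answer different questions: `schedule.interval` decides how often Dependabot looks, while `cooldown.default-days` decides how old a release has to be before it is eligible at all. With only the monthly schedule, a release published the day before the check would be picked up immediately; the cooldown gives a compromised or quickly yanked release time to be noticed before it is pulled in.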

AA-Turner

emmatyping

@gpshead gpshead deleted the dependabot-cooldowns branch

November 23, 2025 09:34

StanFromIreland pushed a commit to StanFromIreland/cpython that referenced this pull request

Dec 6, 2025

ashm-dev pushed a commit to ashm-dev/cpython that referenced this pull request

Dec 8, 2025

This was referenced

Feb 28, 2026
