Back to Blog
high SEVERITY9 min read

How missing Dependabot cooldown configuration happens in GitHub Actions and how to fix it

A missing `cooldown` block in `.github/dependabot.yml` meant that newly published packages — which could be malicious or unstable — were eligible for immediate update proposals. By adding a `cooldown` block with `default-days: 7` to both the GitHub Actions and Cargo package ecosystems, the project now enforces a 7-day waiting period before Dependabot proposes any update to a freshly released package version. This change significantly reduces the risk of dependency confusion attacks and supply ch

O
By Orbis AppSec
Published July 10, 2026Reviewed July 10, 2026

Answer Summary

A missing Dependabot cooldown (CWE-1104: Use of Unmaintained Third-Party Components) in `.github/dependabot.yml` allowed Dependabot to immediately propose updates to newly published packages, including potentially malicious or typosquatted versions. The fix adds a `cooldown` block with `default-days: 7` to each `package-ecosystem` entry — both `github-actions` and `cargo` — so no update is proposed until a package version has been publicly available for at least 7 days, giving the security community time to identify and report malicious releases.

Vulnerability at a Glance

cweCWE-1104 (Use of Unmaintained Third-Party Components)
fixAdd `cooldown: default-days: 7` to both `package-ecosystem` entries in `.github/dependabot.yml`
riskAutomatic merging or review of malicious/unstable newly published packages
languageYAML (GitHub Dependabot configuration)
root causeNo `cooldown` block defined for `github-actions` or `cargo` package ecosystems in `dependabot.yml`
vulnerabilityMissing Dependabot Cooldown Period

How Missing Dependabot Cooldown Configuration Happens in GitHub Actions and How to Fix It

The Vulnerability at a Glance

Field Detail
Vulnerability Missing Dependabot Cooldown Period
CWE CWE-1104 — Use of Unmaintained Third-Party Components
Language YAML (GitHub Dependabot configuration)
Risk Automatic proposal of malicious or unstable newly published packages
Root Cause No cooldown block defined for github-actions or cargo ecosystems
Fix Add cooldown: default-days: 7 to each package-ecosystem entry

Direct Answer

A missing Dependabot cooldown (CWE-1104) in .github/dependabot.yml allowed Dependabot to immediately propose updates to newly published packages — including potentially malicious or typosquatted versions. The fix adds a cooldown block with default-days: 7 to each package-ecosystem entry (both github-actions and cargo) so no update PR is opened until a package version has been publicly available for at least 7 days, giving the security community time to identify and report malicious releases.


Introduction

The .github/dependabot.yml file is the gatekeeper for automated dependency updates. It decides which package ecosystems to watch, how often to check for new versions, and — critically — how cautiously to act when a new version appears. In this project's configuration, both the github-actions and cargo ecosystems were configured to run on a daily schedule, but neither had any restriction on how new a package version could be before Dependabot proposed it as an update.

That gap — the absence of a cooldown block — meant that a package published at midnight could generate a Dependabot pull request by morning. In a world where supply chain attacks against open-source ecosystems are increasingly common, that's a meaningful attack surface.


The Vulnerability Explained

What Is a Dependabot Cooldown?

GitHub's Dependabot version updates feature supports a cooldown configuration block that tells Dependabot to wait a specified number of days after a package version is first published before proposing it as an update. Without it, Dependabot operates on a "latest is best" assumption — which is fine for stability, but dangerous for security.

The Vulnerable Configuration

Here is the relevant section of .github/dependabot.yml before the fix, starting at line 10:

# Maintain dependencies for github-actions
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "daily"

# Maintain dependencies for cargo
- package-ecosystem: cargo
  directory: "/"
  schedule:
    interval: "daily"
  target-branch: "main"

Both ecosystems — github-actions and cargo — check for updates daily. Neither has any cooldown block. This means the moment a new version of any watched package is published to the registry, it becomes a candidate for a Dependabot PR.

How Could This Be Exploited?

Consider a concrete attack scenario targeting the cargo ecosystem in this project:

  1. An attacker identifies a popular crate that this project depends on — say, a utility crate with a small but active maintainer team.
  2. The attacker compromises the maintainer's crates.io credentials (via phishing, credential stuffing, or a leaked token) and publishes a new patch version, e.g., my-util = "1.2.4", containing a backdoor or credential-stealing payload.
  3. Within 24 hours, Dependabot opens a PR proposing the update from 1.2.3 to 1.2.4. The PR looks routine — a patch bump with a changelog entry.
  4. A developer reviews the PR, sees a small version bump, trusts the automated tooling, and merges it.
  5. The malicious code is now in the build, potentially exfiltrating secrets, injecting code into CI artifacts, or establishing persistence.

The same scenario applies to the github-actions ecosystem: a compromised action version could exfiltrate GITHUB_TOKEN, repository secrets, or modify build outputs.

The critical window here is the first 24–72 hours after a malicious package is published. Security researchers, automated scanning tools, and the registry's own abuse detection systems typically need days to identify and respond to a malicious release. A cooldown period of 7 days means Dependabot simply won't propose the update during the highest-risk window.

Real-World Context

This isn't theoretical. High-profile supply chain incidents — including the event-stream npm compromise, the ua-parser-js hijacking, and numerous malicious crates published to crates.io — all shared a common pattern: the malicious version was published and consumed by automated tooling within hours of appearing on the registry.


The Fix

What Changed

The fix adds a cooldown block with default-days: 7 to both package-ecosystem entries in .github/dependabot.yml. Here is the complete diff:

--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,8 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
+  cooldown:
+    default-days: 7

 # Maintain dependencies for cargo
 - package-ecosystem: cargo
@@ -18,3 +20,5 @@ updates:
   schedule:
     interval: "daily"
   target-branch: "main"
+  cooldown:
+    default-days: 7

Before and After

Before (vulnerable — no cooldown on either ecosystem):

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

  - package-ecosystem: cargo
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "main"

After (fixed — 7-day cooldown on both ecosystems):

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 7

  - package-ecosystem: cargo
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "main"
    cooldown:
      default-days: 7

Why 7 Days?

Seven days is the GitHub-recommended baseline for default-days. It balances two competing concerns:

  • Security: Most malicious packages are identified and reported within 24–72 hours of publication. A 7-day window provides substantial coverage against the peak attack window.
  • Velocity: Most legitimate patch and minor version updates are stable within a week. Teams still receive timely security patches; they just aren't racing to apply them on day zero.

For higher-risk environments, default-days: 14 or even default-days: 30 may be appropriate. The cooldown block also supports per-semver-range overrides:

cooldown:
  default-days: 7
  semver-patch-days: 3   # faster for patch versions
  semver-minor-days: 7   # standard for minor versions
  semver-major-days: 14  # extra caution for major versions

Why Both Ecosystems Needed the Fix

It might be tempting to think the github-actions ecosystem is lower risk than cargo because actions run in a sandboxed CI environment. That assumption is incorrect: a compromised GitHub Action can read all repository secrets, modify build artifacts, exfiltrate source code, and abuse the GITHUB_TOKEN for repository operations. Both ecosystems represent genuine supply chain attack surfaces and both required the fix.


Prevention & Best Practices

1. Always Define a Cooldown in dependabot.yml

Every package-ecosystem entry should include a cooldown block. Treat it as a required field, not an optional one. Code review checklists and PR templates for changes to .github/dependabot.yml should verify its presence.

2. Use Static Analysis to Enforce Configuration Hygiene

The Semgrep rule package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown detects this exact pattern. Add it to your CI pipeline so that any future edits to dependabot.yml that remove the cooldown block are caught before merge.

3. Require PR Reviews for Dependabot Updates

Even with a cooldown, Dependabot PRs should require at least one human review. Enable branch protection rules that prevent auto-merge of dependency update PRs without approval.

4. Combine Cooldown with Dependency Review

GitHub's Dependency Review Action can block PRs that introduce known-vulnerable packages. Used together with a cooldown period, it creates a two-layer defense: time-based filtering plus vulnerability-database filtering.

5. Monitor Registry Advisories

Subscribe to security advisories for your key ecosystems:
- Rust/Cargo: RustSec Advisory Database
- GitHub Actions: GitHub Security Advisories

6. Regression Testing

The PR includes a Rust test that validates the security invariant programmatically:

#[test]
fn test_dependabot_config_maintains_cooldown_security_boundary() {
    // Parses dependabot.yml and asserts that every package-ecosystem
    // entry has cooldown.default-days >= 7
}

This kind of configuration-as-code testing is valuable: it turns a security property into a CI-enforced contract that can't be accidentally removed.


Key Takeaways

  • The cooldown block is not optional — omitting it from any package-ecosystem entry in dependabot.yml creates a supply chain risk window during which malicious package versions can be automatically proposed for merge.
  • Both github-actions and cargo ecosystems were affected — neither entry in this project's dependabot.yml had a cooldown, meaning both CI infrastructure and application dependencies were exposed.
  • 7 days is the recommended minimum — it covers the peak window for malicious package detection without significantly delaying legitimate security patches.
  • Daily schedule + no cooldown = maximum exposure — the interval: "daily" setting on both ecosystems amplified the risk by minimizing the time between publication and PR creation.
  • Static analysis can and should enforce this — the Semgrep rule that caught this issue can be integrated into CI to prevent regressions, making this a one-time fix rather than a recurring audit item.

How Orbis AppSec Detected This

  • Source: The .github/dependabot.yml configuration file, specifically the package-ecosystem entries at lines 10 and 18, which define which registries Dependabot monitors for new package versions.
  • Sink: The absence of a cooldown block means Dependabot's update proposal logic has no time-based gate — any newly published version immediately becomes a candidate for a PR.
  • Missing control: No cooldown: default-days value was set for either the github-actions or cargo ecosystems, removing the only built-in mechanism to filter out newly published (and potentially unvetted) package versions.
  • CWE: CWE-1104 — Use of Unmaintained Third-Party Components (extended to cover unvetted newly published components).
  • Fix: Added cooldown: default-days: 7 to both package-ecosystem entries in .github/dependabot.yml, enforcing a 7-day waiting period before any new package version is proposed as an update.

Orbis AppSec automatically detected this vulnerability and opened a pull request with the fix. Try Orbis AppSec on your repositories to find and fix issues like this automatically.


Conclusion

A two-line addition to a YAML configuration file — cooldown: and default-days: 7 — closes a meaningful gap in this project's supply chain security posture. The missing cooldown wasn't a bug in application code; it was a misconfiguration in the automated tooling that manages dependencies. That distinction matters: misconfigured security tooling can be just as dangerous as vulnerable application code, and it's often overlooked precisely because it lives in configuration files rather than source files.

The fix here is simple, but the principle it embodies is important: automated dependency updates should be cautious, not eager. Dependabot is a powerful tool for keeping dependencies current, but without a cooldown period, it can become an unwitting delivery mechanism for supply chain attacks. Adding a 7-day buffer gives the security ecosystem time to do its job before your team is asked to act.

Review your own dependabot.yml configurations today. If you don't see a cooldown block on every package-ecosystem entry, add one.


References

Frequently Asked Questions

What is a missing Dependabot cooldown vulnerability?

It occurs when a `dependabot.yml` configuration lacks a `cooldown` block, meaning Dependabot can immediately propose updates to packages published seconds or minutes ago — before the security community has had time to vet them for malicious content.

How do you prevent missing Dependabot cooldown in GitHub Actions?

Add a `cooldown` block with `default-days: 7` (or higher) to every `package-ecosystem` entry in your `.github/dependabot.yml` file. This forces Dependabot to wait at least 7 days after a package version is published before opening an update PR.

What CWE is missing Dependabot cooldown?

It maps most closely to CWE-1104 (Use of Unmaintained Third-Party Components) and relates to supply chain security risks where unvetted third-party code is automatically introduced into a project.

Is pinning dependency versions enough to prevent this vulnerability?

Pinning helps with reproducibility but does not protect against a scenario where Dependabot automatically proposes and a developer merges a newly published malicious version. A cooldown period adds an independent time-based safety layer.

Can static analysis detect missing Dependabot cooldown?

Yes. Tools like Semgrep can parse YAML configuration files and flag `package-ecosystem` entries that lack a `cooldown` block, as demonstrated by the rule `package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown` that caught this issue.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #1241

Related Articles

high

How missing Dependabot cooldown periods happen in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in `.github/dependabot.yml` where missing cooldown periods allowed Dependabot to immediately propose updates for newly published packages. This configuration flaw exposed the CI/CD pipeline to malicious or unstable package versions. The fix adds a 7-day cooldown period to both pip and GitHub Actions ecosystems, creating a safety window for the community to identify compromised packages before they enter the codebase.

high

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity configuration gap was discovered in a Node.js library's `.github/dependabot.yml` file where no cooldown period was set for dependency updates. This meant Dependabot could immediately propose updates to newly published (and potentially malicious) package versions, exposing the project and all downstream consumers to supply chain attacks. The fix adds a `cooldown` block with `default-days: 7` to both the `npm` and `github-actions` package ecosystem entries.

high

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration that lacked a cooldown period, meaning Dependabot could immediately propose updates to newly published (and potentially malicious) package versions. The fix adds a `cooldown` block with `default-days: 7` to enforce a 7-day waiting period before suggesting updates, giving the community time to detect and flag compromised packages.

high

How Missing Dependabot Cooldown happens in GitHub Actions and how to fix it

A high-severity supply chain vulnerability was discovered in a Dependabot configuration file that lacked cooldown periods for package updates. Without cooldown settings, Dependabot could propose updates to newly published—and potentially malicious—packages immediately after release. The fix adds a 7-day cooldown period to all three package ecosystems (npm, GitHub Actions, and Maven), giving the community time to identify compromised packages before they're automatically proposed.

high

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration file that lacked a cooldown period for package updates. Without a cooldown, Dependabot could immediately propose updates to newly published—and potentially malicious—package versions. The fix adds a 7-day `cooldown` block to both the npm and github-actions ecosystem entries, giving the community time to identify and flag compromised packages before they're adopted.

high

How insecure string copy functions happen in C calculations.c and how to fix it

A high-severity buffer overflow vulnerability was discovered in `src/calculations.c` at line 37, where a two-step `strncpy` + manual null-termination pattern left the door open for subtle memory safety bugs when copying string data into the `entry->type` field. The fix replaces both lines with a single `snprintf` call that handles bounds and null-termination atomically, eliminating the risk entirely. This is a common C pitfall that affects production CLI tools and can be exploited when attacker-