Back to Blog
high SEVERITY6 min read

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration file that lacked a cooldown period for package updates. Without a cooldown, Dependabot could immediately propose updates to newly published—and potentially malicious—package versions. The fix adds a 7-day `cooldown` block to both the npm and github-actions ecosystem entries, giving the community time to identify and flag compromised packages before they're adopted.

O
By Orbis AppSec
Published July 4, 2026Reviewed July 4, 2026

Answer Summary

A missing Dependabot cooldown (CWE-1104) in `.github/dependabot.yml` allows automated dependency updates to propose newly published package versions immediately—before the community can identify malicious or unstable releases. The fix is adding a `cooldown` block with `default-days: 7` to each `package-ecosystem` entry in the Dependabot configuration, ensuring a 7-day waiting period before new versions are proposed as updates.

Vulnerability at a Glance

cweCWE-1104 (Use of Unmaintained Third Party Components)
fixAdded `cooldown: default-days: 7` to each package-ecosystem entry
riskImmediate adoption of newly published malicious or unstable packages
languageYAML (GitHub Actions / Dependabot configuration)
root causeNo `cooldown` block configured in dependabot.yml ecosystem entries
vulnerabilityDependabot missing cooldown period (supply chain risk)

How Missing Dependabot Cooldown Happens in GitHub Actions CI/CD and How to Fix It

Introduction

In a containerized service repository, we discovered a high-severity supply chain vulnerability at line 3 of .github/dependabot.yml. The configuration defined two package ecosystem entries—npm and github-actions—both with weekly update schedules but no cooldown period. This meant Dependabot would immediately propose updates to any newly published package version, regardless of how recently it was released.

This is particularly dangerous because supply chain attacks frequently exploit the window between when a malicious package is published and when it's discovered and removed. Without a cooldown, your automated tooling becomes the attacker's delivery mechanism.

Here's the vulnerable configuration:

version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Notice the complete absence of any cooldown block in either ecosystem entry. Both npm packages and GitHub Actions are proposed for update the moment a new version appears on the registry.

The Vulnerability Explained

What's Actually Happening

Dependabot's cooldown feature was introduced specifically to address supply chain timing attacks. When a package is newly published to npm or a GitHub Action is updated, there's an inherent risk period. Malicious actors frequently:

  1. Typosquat popular packages and publish malicious versions
  2. Compromise maintainer accounts and push backdoored releases
  3. Publish dependency confusion packages targeting internal package names

Without a cooldown, Dependabot will create a pull request proposing the update within its next scheduled run (in this case, weekly). If a developer merges that PR without careful review—especially in a fast-moving CI/CD pipeline—the malicious code enters production.

A Concrete Attack Scenario

Consider this timeline for the vulnerable configuration:

  1. Monday 2:00 AM: Attacker publishes a compromised version of a dependency used in this project's package.json
  2. Monday 3:00 AM: Dependabot's weekly scan runs, detects the "update," and opens a PR
  3. Monday 9:00 AM: A developer sees the Dependabot PR, CI passes (the malicious payload is designed to evade tests), and merges it
  4. Monday 9:05 AM: The containerized service deploys with the compromised dependency
  5. Tuesday: The npm security team identifies and removes the malicious package—but the damage is done

With a 7-day cooldown, Dependabot would not have proposed this update until the following Monday, by which time the malicious package would have been flagged and removed from the registry.

Why Both Ecosystems Matter

The github-actions ecosystem is equally vulnerable. Compromised GitHub Actions can:
- Exfiltrate secrets and tokens from CI/CD environments
- Inject malicious code into build artifacts
- Modify deployment pipelines to include backdoors

Since this is a containerized service, a compromised build step could inject malware directly into the container image.

The Fix

The fix adds a cooldown block with default-days: 7 to both package ecosystem entries in .github/dependabot.yml:

Before:

version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

After:

version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7

How This Solves the Problem

The cooldown configuration tells Dependabot: "Do not propose an update to any package version that was published less than 7 days ago." This creates a critical buffer period where:

  1. Community detection: Security researchers, automated scanners, and the broader community have time to identify malicious packages
  2. Registry response: npm and GitHub have time to remove compromised packages
  3. Stability verification: Unstable releases that introduce breaking changes are often yanked or patched within days

The 7-day default is significant—research shows that the vast majority of malicious packages are identified and removed within 72 hours of publication, making a 7-day window extremely effective at filtering out supply chain attacks.

Why Both Entries Need the Fix

Each package-ecosystem entry operates independently. Adding cooldown only to the npm entry would leave github-actions unprotected. Since GitHub Actions have direct access to repository secrets, CI/CD credentials, and deployment pipelines, they represent an equally critical attack surface.

Prevention & Best Practices

1. Always Configure Cooldown Periods

Every dependabot.yml should include cooldown periods. For high-security environments, consider extending beyond 7 days:

cooldown:
  default-days: 14

2. Combine with Version Pinning

For GitHub Actions specifically, pin to exact commit SHAs rather than version tags:

# Vulnerable to tag manipulation
- uses: actions/checkout@v4

# Pinned to immutable commit SHA
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

3. Enable Dependabot Security Advisories

Cooldown works alongside Dependabot's security advisory integration. Known-vulnerable versions are still flagged immediately, while the cooldown only applies to routine version bumps.

4. Use Dependency Review Actions

Add actions/dependency-review-action to your CI pipeline to block PRs that introduce known-vulnerable dependencies, even if they pass the cooldown period.

5. Implement SLSA Framework

For containerized services, adopt Supply-chain Levels for Software Artifacts (SLSA) to verify the provenance of all dependencies.

Key Takeaways

  • A missing cooldown block in dependabot.yml turns your automated dependency management into a supply chain attack vector — Dependabot proposes malicious packages before the community can flag them
  • Both npm and github-actions ecosystems in this configuration were vulnerable — each ecosystem entry needs its own cooldown block; they don't inherit from each other
  • 7 days is the minimum effective cooldown — most malicious packages are identified within 72 hours, so 7 days provides substantial margin
  • Containerized services amplify the risk — a compromised dependency in a container build can persist in production images even after the malicious source package is removed
  • This is a configuration-only fix with zero performance impact — adding cooldown: default-days: 7 has no downside other than slightly delayed non-critical updates

How Orbis AppSec Detected This

  • Source: Newly published package versions on npm registry and GitHub Actions marketplace
  • Sink: Dependabot's automated PR creation in .github/dependabot.yml ecosystem entries at lines 3-6 and 7-10
  • Missing control: No cooldown block configured to delay adoption of newly published versions
  • CWE: CWE-1104 (Use of Unmaintained Third Party Components)
  • Fix: Added cooldown: default-days: 7 to both the npm and github-actions package ecosystem entries in dependabot.yml

Orbis AppSec automatically detected this vulnerability and opened a pull request with the fix. Try Orbis AppSec on your repositories to find and fix issues like this automatically.

Conclusion

Supply chain security isn't just about scanning your code—it's about how you adopt new dependencies. A missing cooldown period in Dependabot configuration is a subtle but high-impact vulnerability that turns your automation against you. By adding a simple 7-day cooldown to each ecosystem entry in .github/dependabot.yml, you create a critical buffer that prevents your CI/CD pipeline from being the first adopter of potentially malicious package versions.

The fix is trivial—four lines of YAML per ecosystem entry—but the protection it provides against supply chain attacks like those seen in the event-stream, ua-parser-js, and colors.js incidents is substantial. Every repository using Dependabot should audit its configuration for this setting today.

References

Frequently Asked Questions

What is a Dependabot missing cooldown vulnerability?

It's a supply chain security misconfiguration where Dependabot proposes package updates immediately after publication, without waiting for community vetting, potentially introducing malicious or unstable code.

How do you prevent Dependabot missing cooldown in GitHub repositories?

Add a `cooldown` block with `default-days: 7` (or more) to every `package-ecosystem` entry in your `.github/dependabot.yml` file.

What CWE is Dependabot missing cooldown?

CWE-1104 (Use of Unmaintained Third Party Components) is the closest match, as it relates to insufficient vetting of third-party dependencies before adoption.

Is simply having Dependabot enabled enough to prevent supply chain attacks?

No. Without a cooldown period, Dependabot can actually accelerate supply chain attacks by immediately proposing updates to freshly published malicious packages.

Can static analysis detect Dependabot missing cooldown?

Yes. Tools like Semgrep can scan `.github/dependabot.yml` files for missing cooldown configurations using rules like `package_managers.dependabot.dependabot-missing-cooldown`.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #1789

Related Articles

high

How unsafe package download verification happens in shell scripts and how to fix it

A critical vulnerability in the DragonFly installation script allowed attackers to inject malicious packages by downloading and installing software without verifying integrity checksums. The fix adds SHA256 verification before installation, ensuring only legitimate packages are executed with elevated privileges.

high

How a named pipe I/O race condition happens in Rust mio and how to fix it

CVE-2024-27308 is a high-severity vulnerability in the Rust `mio` crate (versions prior to 0.8.11) that exposes a race condition in named pipe I/O event handling on Windows. The fix upgrades `mio` from version 0.8.10 to 0.8.11, closing the window for potential exploitation in applications like `rpm-ostree` that depend on async I/O. Because `mio` sits at the foundation of the Tokio async runtime, this flaw has wide blast radius across the Rust ecosystem.

critical

Shell Injection in mkmultidtb.py: How String Concatenation with os.system() Enabled Arbitrary Code Execution

A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. This fix migrates to `subprocess.run()` with argument lists, eliminating the attack surface entirely.

high

Prototype Pollution in defu's Defaults Argument via `__proto__` Key (CVE-2026-35209)

CVE-2026-35209 is a high-severity prototype pollution vulnerability in the `defu` JavaScript library (versions prior to 6.1.5) that allows attackers to inject arbitrary properties onto `Object.prototype` by passing a `__proto__` key in the defaults argument. The vulnerability was present in the `blog-site` project's dependency tree and was resolved by upgrading `defu` to 6.1.5 and adding an explicit `overrides` entry to prevent transitive re-introduction of the vulnerable version.

high

CVE-2026-41676: OpenSSL Bindings Vulnerability Fixed in Rust SDK Cargo.lock

A high-severity vulnerability (CVE-2026-41676) was discovered in the `rust-openssl` crate (version 0.10.73) used in the `apps/rust-sdk` component, as flagged by the Trivy scanner in `Cargo.lock`. The fix upgrades the `openssl` crate from `0.10.73` to `0.10.80` and `openssl-sys` from `0.9.109` to `0.9.116`, closing an exploitable attack surface in production code that handles user-influenced input. Because the Rust SDK sits in the production codebase, any attacker able to reach the OpenSSL code p

critical

Critical Memory Safety Bug: Free of Uninitialized Memory in Rust Telemetry (CVE-2021-29937)

CVE-2021-29937 is a critical memory safety vulnerability in the Rust `telemetry` crate (versions prior to 0.1.3) that allows freeing uninitialized memory, leading to undefined behavior, potential crashes, and possible code execution. The fix involves upgrading the crate from version 0.1.0 to 0.1.3, which patches the unsafe memory handling at the root cause. Despite Rust's reputation for memory safety, this vulnerability demonstrates that `unsafe` code blocks can still introduce serious bugs that