Back to Blog
high SEVERITY6 min read

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration that lacked a cooldown period, meaning Dependabot could immediately propose updates to newly published (and potentially malicious) package versions. The fix adds a `cooldown` block with `default-days: 7` to enforce a 7-day waiting period before suggesting updates, giving the community time to detect and flag compromised packages.

O
By Orbis AppSec
Published July 5, 2026Reviewed July 5, 2026

Answer Summary

A missing Dependabot cooldown (CWE-1104) in `.github/dependabot.yml` allows automated dependency updates to propose newly published package versions immediately—before the community can identify malicious or unstable releases. The fix is adding a `cooldown: default-days: 7` block to each `package-ecosystem` entry in the Dependabot configuration, creating a 7-day buffer that significantly reduces supply chain attack risk.

Vulnerability at a Glance

cweCWE-1104 (Use of Unmaintained Third Party Components)
fixAdded `cooldown: default-days: 7` to enforce a 7-day waiting period before proposing updates
riskSupply chain compromise via malicious newly-published package versions
languageYAML (GitHub Actions / Dependabot configuration)
root causeNo `cooldown` block in `dependabot.yml` update entries
vulnerabilityDependabot missing cooldown period

How Missing Dependabot Cooldown Happens in GitHub Actions CI/CD and How to Fix It

Introduction

In a production repository's .github/dependabot.yml configuration at line 3, we discovered a high-severity supply chain vulnerability: the Dependabot github-actions ecosystem update entry had no cooldown period configured. This meant that whenever a new version of any GitHub Action dependency was published—whether legitimate or malicious—Dependabot would immediately create a pull request proposing the update.

This matters because supply chain attacks through package registries have surged dramatically. Attackers publish malicious versions of popular packages (or typosquatted variants), and automated tools like Dependabot can unknowingly fast-track these compromised versions into your CI/CD pipeline. Without a cooldown, there's zero buffer between publication and proposal.

Here's the vulnerable configuration that was in production:

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      github-actions:
        patterns:

Notice the complete absence of any cooldown block—Dependabot would propose updates the moment they appeared on the registry.

The Vulnerability Explained

What Happens Without a Cooldown

When Dependabot monitors a package ecosystem (in this case, github-actions), it periodically checks for new versions of your dependencies. Without a cooldown period, the timeline looks like this:

  1. T+0 minutes: Attacker publishes a compromised version of a GitHub Action (e.g., actions/checkout@v5.0.1 with injected credential-stealing code)
  2. T+0 to T+24 hours: Dependabot detects the new version during its next scheduled check
  3. T+0 to T+24 hours: Dependabot opens a PR proposing the update
  4. T+minutes: A developer or auto-merge bot merges the PR
  5. T+minutes: Malicious code now runs in your CI/CD pipeline with access to secrets, tokens, and deployment credentials

The critical window—between when a malicious package is published and when the community detects and removes it—is typically 24-72 hours. Without a cooldown, Dependabot operates squarely within this danger zone.

The Specific Attack Scenario

For this repository, the github-actions ecosystem is particularly sensitive. GitHub Actions run with elevated privileges—they often have access to:

  • GITHUB_TOKEN with write permissions
  • Deployment secrets and API keys
  • Cloud provider credentials for CD pipelines
  • NPM/PyPI publish tokens

An attacker who compromises a GitHub Action dependency could:

  1. Exfiltrate all repository secrets
  2. Inject backdoors into build artifacts
  3. Modify source code through the compromised workflow
  4. Pivot to production infrastructure via deployment credentials

The groups configuration in this file (grouping all github-actions patterns together) actually amplifies the risk—a single grouped PR updating multiple actions could include a compromised one alongside legitimate updates, making it harder to spot during review.

Why Monthly Scheduling Doesn't Help

You might think that interval: "monthly" provides some protection since Dependabot only checks once a month. But this is misleading:

  • The monthly interval means Dependabot checks at least monthly, but it can still propose updates to packages published just hours before the check
  • A malicious package published 1 day before the monthly check would still be proposed immediately
  • The interval controls how often Dependabot looks, not how old a version must be before it's proposed

The Fix

The fix adds a cooldown block with default-days: 7 to the github-actions ecosystem entry:

Before:

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      github-actions:
        patterns:

After:

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 7
    groups:
      github-actions:
        patterns:

How This Solves the Problem

The cooldown block instructs Dependabot to wait 7 days after a new version is published before proposing it as an update. This creates a critical safety buffer:

  1. Day 0: New version published (potentially malicious)
  2. Days 1-3: Community discovers and reports the compromise
  3. Days 3-5: Registry removes or yanks the malicious version
  4. Day 7: Cooldown expires—but the malicious version is already gone

The 7-day default aligns with observed incident response timelines for supply chain attacks. Most malicious packages are detected and removed within 72 hours by automated security scanners (like Socket.dev, Snyk, and GitHub's own advisory database), giving a comfortable margin.

Why 7 Days Specifically?

  • Too short (1-2 days): Many supply chain attacks aren't detected this quickly
  • 7 days: Covers the vast majority of detection windows while still keeping dependencies reasonably current
  • Too long (30+ days): Delays legitimate security patches that you actually want quickly

The default-days key applies to all packages in this ecosystem. If you need different cooldowns for specific packages, Dependabot also supports per-package overrides.

Prevention & Best Practices

1. Always Configure Cooldown for Every Ecosystem

If your dependabot.yml has multiple package-ecosystem entries (e.g., npm, pip, github-actions, docker), each one needs its own cooldown block:

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 7

2. Pin GitHub Actions to Full Commit SHAs

Beyond cooldown, pin actions to specific commit SHAs rather than tags:

# Vulnerable to tag-based attacks:
- uses: actions/checkout@v4

# More secure - pinned to exact commit:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

3. Enable Dependabot Security Advisories

Ensure dependabot alerts are enabled alongside version updates. Alerts use GitHub's advisory database to flag known-vulnerable versions, complementing the cooldown approach.

4. Use Semgrep or Similar SAST Tools

Static analysis tools can detect misconfigurations in CI/CD files. The rule package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown specifically catches this pattern.

5. Implement PR Review Policies for Dependency Updates

  • Require manual review for dependency PRs (disable auto-merge for Dependabot)
  • Use tools like step-security/harden-runner to detect anomalous behavior in workflows
  • Review changelogs and diffs before merging dependency updates

Key Takeaways

  • The cooldown block in dependabot.yml is not optional—without it, your automated dependency management becomes a supply chain attack accelerator
  • GitHub Actions dependencies are especially high-risk because they execute with elevated CI/CD privileges and access to repository secrets
  • 7 days is the minimum recommended cooldown based on observed supply chain attack detection timelines; most malicious packages are flagged within 72 hours
  • Grouped dependency updates (like the github-actions group in this config) amplify risk by bundling potentially compromised packages with legitimate updates in a single PR
  • Monthly scheduling intervals do NOT substitute for cooldown—they control check frequency, not version age requirements

How Orbis AppSec Detected This

  • Source: Newly published package versions on the GitHub Actions marketplace and other package registries
  • Sink: The package-ecosystem: "github-actions" entry at .github/dependabot.yml:3 that would immediately propose updates without age verification
  • Missing control: No cooldown block to enforce a minimum age for proposed package versions
  • CWE: CWE-1104 (Use of Unmaintained Third Party Components) / CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
  • Fix: Added cooldown: default-days: 7 to the github-actions ecosystem entry, requiring all proposed updates to be at least 7 days old

Orbis AppSec automatically detected this vulnerability and opened a pull request with the fix. Try Orbis AppSec on your repositories to find and fix issues like this automatically.

Conclusion

Supply chain security isn't just about scanning your code—it's about controlling the velocity at which unvetted external code enters your pipeline. A missing Dependabot cooldown is a subtle but high-impact misconfiguration that turns your automated dependency management from a security tool into a potential attack vector.

The fix is simple: two lines of YAML. But the protection it provides—a 7-day buffer against malicious package publications—can be the difference between catching a supply chain attack and having your CI/CD secrets exfiltrated. Audit your dependabot.yml files today, and ensure every package-ecosystem entry includes a cooldown block.

References

Frequently Asked Questions

What is a Dependabot missing cooldown vulnerability?

It's a misconfiguration where Dependabot proposes dependency updates immediately after a new version is published, without waiting to verify the package isn't malicious or unstable. This creates a window for supply chain attacks.

How do you prevent Dependabot missing cooldown in GitHub Actions?

Add a `cooldown` block with `default-days: 7` (or more) to each `package-ecosystem` entry in your `.github/dependabot.yml` file. This delays update proposals for newly published versions.

What CWE is Dependabot missing cooldown?

CWE-1104 (Use of Unmaintained Third Party Components) is the closest match, as it relates to inadequate controls around third-party dependency management. Some classify it under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Is having Dependabot enabled enough to prevent supply chain attacks?

No. While Dependabot helps keep dependencies current, without a cooldown period it can actually accelerate supply chain attacks by immediately proposing malicious updates. A cooldown period is essential.

Can static analysis detect Dependabot missing cooldown?

Yes. Tools like Semgrep can scan `.github/dependabot.yml` files for missing `cooldown` blocks using rules like `package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown`.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #3489

Related Articles

high

How unsafe package download verification happens in shell scripts and how to fix it

A critical vulnerability in the DragonFly installation script allowed attackers to inject malicious packages by downloading and installing software without verifying integrity checksums. The fix adds SHA256 verification before installation, ensuring only legitimate packages are executed with elevated privileges.

high

How a named pipe I/O race condition happens in Rust mio and how to fix it

CVE-2024-27308 is a high-severity vulnerability in the Rust `mio` crate (versions prior to 0.8.11) that exposes a race condition in named pipe I/O event handling on Windows. The fix upgrades `mio` from version 0.8.10 to 0.8.11, closing the window for potential exploitation in applications like `rpm-ostree` that depend on async I/O. Because `mio` sits at the foundation of the Tokio async runtime, this flaw has wide blast radius across the Rust ecosystem.

critical

Shell Injection in mkmultidtb.py: How String Concatenation with os.system() Enabled Arbitrary Code Execution

A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. This fix migrates to `subprocess.run()` with argument lists, eliminating the attack surface entirely.

high

Prototype Pollution in defu's Defaults Argument via `__proto__` Key (CVE-2026-35209)

CVE-2026-35209 is a high-severity prototype pollution vulnerability in the `defu` JavaScript library (versions prior to 6.1.5) that allows attackers to inject arbitrary properties onto `Object.prototype` by passing a `__proto__` key in the defaults argument. The vulnerability was present in the `blog-site` project's dependency tree and was resolved by upgrading `defu` to 6.1.5 and adding an explicit `overrides` entry to prevent transitive re-introduction of the vulnerable version.

high

CVE-2026-41676: OpenSSL Bindings Vulnerability Fixed in Rust SDK Cargo.lock

A high-severity vulnerability (CVE-2026-41676) was discovered in the `rust-openssl` crate (version 0.10.73) used in the `apps/rust-sdk` component, as flagged by the Trivy scanner in `Cargo.lock`. The fix upgrades the `openssl` crate from `0.10.73` to `0.10.80` and `openssl-sys` from `0.9.109` to `0.9.116`, closing an exploitable attack surface in production code that handles user-influenced input. Because the Rust SDK sits in the production codebase, any attacker able to reach the OpenSSL code p

critical

Critical Memory Safety Bug: Free of Uninitialized Memory in Rust Telemetry (CVE-2021-29937)

CVE-2021-29937 is a critical memory safety vulnerability in the Rust `telemetry` crate (versions prior to 0.1.3) that allows freeing uninitialized memory, leading to undefined behavior, potential crashes, and possible code execution. The fix involves upgrading the crate from version 0.1.0 to 0.1.3, which patches the unsafe memory handling at the root cause. Despite Rust's reputation for memory safety, this vulnerability demonstrates that `unsafe` code blocks can still introduce serious bugs that