Back to Blog
high SEVERITY7 min read

How missing Dependabot cooldown periods happen in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in `.github/dependabot.yml` where missing cooldown periods allowed Dependabot to immediately propose updates for newly published packages. This configuration flaw exposed the CI/CD pipeline to malicious or unstable package versions. The fix adds a 7-day cooldown period to both pip and GitHub Actions ecosystems, creating a safety window for the community to identify compromised packages before they enter the codebase.

O
By Orbis AppSec
Published July 9, 2026Reviewed July 9, 2026

Answer Summary

Missing Dependabot cooldown periods (CWE-1357: Reliance on Insufficiently Trustworthy Component) allow automated dependency updates to immediately pull newly published packages that could be malicious or unstable. In GitHub Actions CI/CD configurations, this creates a supply chain attack vector where compromised packages can enter production within minutes of publication. The fix adds `cooldown: default-days: 7` to each package-ecosystem entry in `.github/dependabot.yml`, establishing a mandatory 7-day waiting period before proposing updates to newly released package versions.

Vulnerability at a Glance

cweCWE-1357 (Reliance on Insufficiently Trustworthy Component)
fixAdd 7-day cooldown period to all package-ecosystem entries
riskImmediate adoption of malicious or unstable newly published packages
languageYAML (GitHub Actions configuration)
root causeNo cooldown configuration in Dependabot package-ecosystem updates
vulnerabilityMissing Dependabot cooldown period

Introduction

In a Python library's CI/CD configuration, we discovered a high-severity supply chain vulnerability in .github/dependabot.yml at line 4. The Dependabot configuration for both the pip and github-actions package ecosystems lacked cooldown periods, meaning the automated dependency management system would immediately propose updates for newly published packages—without any waiting period for the security community to vet them.

This matters because supply chain attacks have become one of the most effective attack vectors in modern software development. When malicious actors compromise a package registry or publish typosquatted packages, the window between publication and widespread adoption can be measured in hours. Without a cooldown period, Dependabot acts as an unwitting accomplice, rapidly proposing these malicious updates to repositories that trust its recommendations.

The vulnerable configuration handled two critical package ecosystems: Python dependencies via pip and GitHub Actions workflows. Both update weekly, commit to the develop branch, and—critically—had no safeguards against newly published malicious packages.

The Vulnerability Explained

Let's examine the vulnerable configuration in .github/dependabot.yml:

updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: ⬆️
    target-branch: "develop"
    reviewers:
      - "username"
    open-pull-requests-limit: 10

Notice what's missing? There's no cooldown block. This means that if a new version of any Python package in the project's dependencies is published—say, version 2.0.0 of a popular library—Dependabot will immediately propose an update in the next scheduled run (or immediately if configured for real-time updates).

Here's why this is dangerous:

Attack Scenario: An attacker compromises the PyPI account of a maintainer for requests, a widely-used HTTP library. On Monday at 9:00 AM, they publish version 2.32.0 containing a backdoor that exfiltrates environment variables (including AWS credentials, API keys, and database passwords) to an attacker-controlled server. By 9:30 AM, Dependabot in thousands of repositories worldwide has already scanned PyPI, detected the new version, and opened pull requests to update. Developers reviewing these PRs see that it's from the legitimate requests package, the version number looks normal, and Dependabot's automated checks pass (because the malicious code is designed to execute only in production environments, not in CI tests). By Tuesday, the compromised package is deployed in production systems across hundreds of companies.

Without a cooldown period, there's no time for:
- Security researchers to analyze the new release
- Automated malware scanners to flag suspicious code
- The PyPI security team to respond to reports
- The community to notice unusual behavior

The same vulnerability exists for the github-actions ecosystem configuration, which is equally critical. Compromised GitHub Actions can access repository secrets, modify code, and push malicious changes directly to production branches.

The Fix

The fix adds a 7-day cooldown period to both package ecosystems. Here's the before-and-after comparison:

Before (vulnerable):

- package-ecosystem: "pip"
  directory: "/"
  schedule:
    interval: "weekly"
  commit-message:
    prefix: ⬆️
  target-branch: "develop"

After (secure):

- package-ecosystem: "pip"
  directory: "/"
  schedule:
    interval: "weekly"
  cooldown:
    default-days: 7
  commit-message:
    prefix: ⬆️
  target-branch: "develop"

The same change was applied to the github-actions ecosystem:

- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "weekly"
  cooldown:
    default-days: 7
  commit-message:
    prefix: ⬆️
  target-branch: "develop"

This specific change solves the problem by creating a mandatory 7-day waiting period. When a new package version is published, Dependabot will now wait 7 days before proposing it as an update. This 7-day window provides critical time for:

  1. Automated security scanners to analyze the package for known malware patterns
  2. Security researchers to conduct manual reviews of high-profile packages
  3. The community to report suspicious behavior or unexpected changes
  4. Package registry security teams (PyPI, npm, etc.) to respond to reports and remove compromised packages
  5. Maintainers to catch and revert accidental releases containing bugs or security issues

Why both changes were necessary: This repository uses both Python dependencies (managed by pip) and GitHub Actions workflows. A supply chain attack could target either ecosystem. The pip cooldown protects against malicious Python packages, while the github-actions cooldown protects against compromised workflow actions that could access repository secrets or modify code.

The 7-day period strikes a balance between security and staying current with legitimate updates. It's long enough for the security community to identify obvious compromises but short enough that you're not running on dangerously outdated dependencies.

Prevention & Best Practices

To avoid supply chain vulnerabilities in your Dependabot configurations:

1. Always Configure Cooldown Periods

Never deploy Dependabot without cooldown configuration. Add this to every package-ecosystem entry:

cooldown:
  default-days: 7  # Minimum recommended

For high-security environments, consider 14 or 30 days for production dependencies.

2. Use Static Analysis to Enforce Configuration Standards

Implement Semgrep rules or similar static analysis to detect missing cooldown configurations in CI/CD:

# Regression test pattern from the PR
def test_dependabot_config_has_cooldown_period(payload):
    """Invariant: All Dependabot package-ecosystem entries must have cooldown with default-days >= 7"""
    for update in config.get('updates', []):
        assert 'cooldown' in update, f"Missing cooldown in update: {update}"
        assert 'default-days' in update['cooldown'], f"Missing default-days in cooldown: {update}"
        assert update['cooldown']['default-days'] >= 7, f"Cooldown days less than 7: {update}"

3. Layer Multiple Supply Chain Defenses

Cooldown periods are one layer. Also implement:

  • Dependency pinning: Lock to specific versions with hash verification
  • SBOM generation: Maintain a Software Bill of Materials
  • Automated vulnerability scanning: Use tools like Snyk, Dependabot Security Alerts, or GitHub Advanced Security
  • Manual review requirements: Require human approval for dependency updates, especially major version bumps

4. Monitor Package Registries

Subscribe to security advisories for your package ecosystems:
- PyPI security announcements
- npm security advisories
- GitHub Security Advisories
- RubyGems security announcements

5. Implement Staged Rollouts

Update dependencies first in development, then staging, then production—with monitoring at each stage:

# Example: Different cooldown periods per environment
- package-ecosystem: "pip"
  target-branch: "develop"
  cooldown:
    default-days: 3  # Faster updates in dev

- package-ecosystem: "pip"
  target-branch: "main"
  cooldown:
    default-days: 14  # More conservative in production

Security Standards Reference

This vulnerability relates to:
- CWE-1357: Reliance on Insufficiently Trustworthy Component
- OWASP Top 10 2021 - A06:2021: Vulnerable and Outdated Components
- SLSA Framework: Supply-chain Levels for Software Artifacts (requires verification of dependencies)

Key Takeaways

  • The .github/dependabot.yml configuration lacked cooldown periods for both pip and github-actions ecosystems, allowing immediate adoption of newly published packages without a security vetting window
  • A 7-day cooldown period is the minimum recommended delay to give the security community time to identify malicious or unstable package releases before they enter your codebase
  • Supply chain attacks exploit the trust relationship between developers and package registries—cooldown periods break the attack's time-critical advantage
  • Both Python dependencies and GitHub Actions workflows require cooldown protection since compromised packages in either ecosystem can access secrets, modify code, or exfiltrate data
  • Static analysis can enforce cooldown configuration as a security invariant using regression tests that validate all package-ecosystem entries have appropriate cooldown blocks

How Orbis AppSec Detected This

  • Source: Dependabot configuration in .github/dependabot.yml controls automated dependency updates
  • Sink: Missing cooldown configuration in package-ecosystem entries at lines 4 and 16, allowing immediate proposal of newly published package versions
  • Missing control: No cooldown period validation or waiting window before proposing updates to newly released packages
  • CWE: CWE-1357 (Reliance on Insufficiently Trustworthy Component)
  • Fix: Added cooldown: default-days: 7 to both pip and github-actions package-ecosystem configurations

Orbis AppSec automatically detected this vulnerability and opened a pull request with the fix. Try Orbis AppSec on your repositories to find and fix issues like this automatically.

Conclusion

Supply chain attacks represent one of the most sophisticated and effective attack vectors in modern software development. The missing cooldown period in this Dependabot configuration created an unnecessary risk by allowing immediate adoption of newly published packages without any security vetting window.

By implementing a 7-day cooldown period for both Python dependencies and GitHub Actions, this fix establishes a critical safety buffer that allows the security community to identify and respond to compromised packages before they enter the codebase. This is defense-in-depth at its finest—acknowledging that while we trust package registries and maintainers, we also verify through time-delayed adoption.

For developers managing CI/CD pipelines, the lesson is clear: automated dependency management is essential for staying current with security patches, but it must be balanced with safeguards against supply chain attacks. Always configure cooldown periods, layer multiple security controls, and remember that the newest version isn't always the safest version.

References

Frequently Asked Questions

What is a Dependabot cooldown period?

A Dependabot cooldown period is a configurable waiting time (in days) that prevents Dependabot from proposing updates to newly published package versions. It creates a safety window for the security community to identify malicious or unstable releases before they're automatically integrated into your codebase.

How do you prevent supply chain attacks in GitHub Actions CI/CD?

Implement a cooldown period of at least 7 days in your `.github/dependabot.yml` configuration by adding a `cooldown` block with `default-days: 7` to each package-ecosystem entry. This delays automatic dependency updates, allowing time for malicious packages to be identified and removed from registries before entering your pipeline.

What CWE is missing Dependabot cooldown?

Missing Dependabot cooldown falls under CWE-1357: Reliance on Insufficiently Trustworthy Component. This weakness occurs when software relies on third-party components without sufficient validation of their trustworthiness, particularly when using the most recently published versions without verification periods.

Is dependency pinning enough to prevent supply chain attacks?

No. While dependency pinning prevents unexpected updates, it doesn't protect against malicious packages that Dependabot proposes as updates. A cooldown period is essential because it creates a time buffer for security researchers and automated scanners to identify compromised packages before Dependabot suggests them, even if you review PRs manually.

Can static analysis detect missing Dependabot cooldown configurations?

Yes. Static analysis tools like Semgrep can detect missing cooldown configurations in `.github/dependabot.yml` files by analyzing the YAML structure and checking for the presence of cooldown blocks with appropriate default-days values in each package-ecosystem entry under the updates section.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #2419

Related Articles

high

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration that lacked a cooldown period, meaning Dependabot could immediately propose updates to newly published (and potentially malicious) package versions. The fix adds a `cooldown` block with `default-days: 7` to enforce a 7-day waiting period before suggesting updates, giving the community time to detect and flag compromised packages.

high

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity supply chain vulnerability was discovered in a `.github/dependabot.yml` configuration file that lacked a cooldown period for package updates. Without a cooldown, Dependabot could immediately propose updates to newly published—and potentially malicious—package versions. The fix adds a 7-day `cooldown` block to both the npm and github-actions ecosystem entries, giving the community time to identify and flag compromised packages before they're adopted.

high

How unsafe package download verification happens in shell scripts and how to fix it

A critical vulnerability in the DragonFly installation script allowed attackers to inject malicious packages by downloading and installing software without verifying integrity checksums. The fix adds SHA256 verification before installation, ensuring only legitimate packages are executed with elevated privileges.

high

How a named pipe I/O race condition happens in Rust mio and how to fix it

CVE-2024-27308 is a high-severity vulnerability in the Rust `mio` crate (versions prior to 0.8.11) that exposes a race condition in named pipe I/O event handling on Windows. The fix upgrades `mio` from version 0.8.10 to 0.8.11, closing the window for potential exploitation in applications like `rpm-ostree` that depend on async I/O. Because `mio` sits at the foundation of the Tokio async runtime, this flaw has wide blast radius across the Rust ecosystem.

critical

Shell Injection in mkmultidtb.py: How String Concatenation with os.system() Enabled Arbitrary Code Execution

A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. This fix migrates to `subprocess.run()` with argument lists, eliminating the attack surface entirely.

high

Prototype Pollution in defu's Defaults Argument via `__proto__` Key (CVE-2026-35209)

CVE-2026-35209 is a high-severity prototype pollution vulnerability in the `defu` JavaScript library (versions prior to 6.1.5) that allows attackers to inject arbitrary properties onto `Object.prototype` by passing a `__proto__` key in the defaults argument. The vulnerability was present in the `blog-site` project's dependency tree and was resolved by upgrading `defu` to 6.1.5 and adding an explicit `overrides` entry to prevent transitive re-introduction of the vulnerable version.