Dependabot 版本更新引入默认冷却期,降低供应链攻击风险!

📅 2026/7/15 9:26:30
Dependabot 版本更新引入默认冷却期,降低供应链攻击风险!
跳过内容 跳至侧边栏[ ](https://github.com) / [ 博客](https://github.blog/)* [更新日志](https://github.blog/changelog/)* [文档](https://docs.github.com/)* [客户案例](https://github.com/customer-stories)[ 试用 GitHub Copilot CLI](https://github.com/features/copilot/cli?utm_sourceblog-top-nav-cli-features-ctautm_mediumblogutm_campaigndev-pod-copilot-cli-2026) [ 参加 GitHub Universe](https://githubuniverse.com/?utm_sourceBlog-buttonutm_mediumGitHubutm_campaignblog_button_seb_uni_26)搜索* [更新日志](https://github.blog/changelog/)* [文档](https://docs.github.com/)* [客户案例](https://github.com/customer-stories)[ 参加 GitHub Universe](https://githubuniverse.com/?utm_sourceBlog-buttonutm_mediumGitHubutm_campaignblog_button_seb_uni_26) [ 试用 GitHub Copilot CLI](https://github.com/features/copilot/cli?utm_sourceblog-top-nav-cli-features-ctautm_mediumblogutm_campaigndev-pod-copilot-cli-2026)[ 返回更新日志](https://github.blog/changelog/)改进2026 年 7 月 14 日 • 阅读时长 1 分钟现在Dependabot 在打开版本更新拉取请求之前会等待新发布版本在其注册表中至少可用三天。这一冷却期现在是默认设置无需额外配置。新版本发布通常是供应链攻击的常见切入点在维护者和社区发现之前受感染或有问题的版本可能就会进入你的依赖项更新中。短暂的延迟可以让问题有时间暴露出来这样你就不太可能在有问题的版本发布后立即合并它。需要了解的几点内容* 此默认设置仅适用于版本更新。安全更新仍会立即打开因此关键修复不会有延迟。* 你可以自主控制。通过在 .github/dependabot.yml 中使用 cooldown 选项来设置不同的时间窗口或者完全取消该设置。此默认设置适用于 github.com 上所有支持的生态系统中的 Dependabot 版本更新并将在 GitHub Enterprise Server (GHES) 3.23 中生效。在[我们关于 Dependabot 冷却期的文档](https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-)中了解更多信息。[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security) 分享 已复制 已分享 [ 返回更新日志](https://github.blog/changelog/)相关文章7 月 8 日发布[ 内部开源安全公告全面可用](https://github.blog/changelog/2026-07-08-innersource-security-advisories-are-generally-available)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)7 月 8 日停用[ npm 安装时安全和 GAT 绕过 2FA 弃用](https://github.blog/changelog/2026-07-08-npm-install-time-security-and-gat-bypass2fa-deprecation)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)6 月 30 日发布[ 开源许可证合规性进入公开预览](https://github.blog/changelog/2026-06-30-open-source-license-compliance-is-in-public-preview)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)6 月 30 日改进[ Dependabot 不再推断 .npmrc](https://github.blog/changelog/2026-06-30-dependabot-no-longer-infers-npmrc)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)6 月 30 日改进[ 即将实施的已关闭安全警报云数据保留策略](https://github.blog/changelog/2026-06-30-cloud-data-retention-policy-for-closed-security-alerts)[应用安全](https://github.blog/changelog/2026/?labelapplication-security) [供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security) ... 16 月 26 日改进[ 针对不可信触发器的只读 Actions 缓存](https://github.blog/changelog/2026-06-26-read-only-actions-cache-for-untrusted-triggers)[Actions](https://github.blog/changelog/2026/?labelactions) [供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security) ... 16 月 25 日改进[ npm 为高影响账户添加预防性账户保护](https://github.blog/changelog/2026-06-25-npm-adds-preventive-account-protection-for-high-impact-accounts)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)6 月 23 日停用[ Dependabot 弃用 Python 3.9](https://github.blog/changelog/2026-06-23-deprecation-of-python-3-9-for-dependabot)[供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security)6 月 18 日发布[ GitHub Actions 检出更安全的 pull_request_target 默认设置](https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout)[Actions](https://github.blog/changelog/2026/?labelactions) [供应链安全](https://github.blog/changelog/2026/?labelsupply-chain-security) ... 1订阅我们的开发者时事通讯在我们为开发者定制的双周时事通讯中发现技巧、技术指南和最佳实践。输入你的电子邮件* 订阅提交即表示我同意让 GitHub 及其附属公司使用我的信息进行个性化沟通、定向广告和活动效果评估。详情请参阅[GitHub 隐私声明](https://github.com/site/privacy)。返回顶部全站链接[ ](https://github.com/)产品* [功能](https://github.com/features)* [安全](https://github.com/security)* [企业版](https://github.com/enterprise)* [客户案例](https://github.com/customer-stories?typeenterprise)* [定价](https://github.com/pricing)* [资源](https://resources.github.com/)平台* [开发者 API](https://developer.github.com/)* [合作伙伴](https://partner.github.com/)* [Atom](https://atom.io/)* [Electron](https://www.electronjs.org/)* [GitHub Desktop](https://desktop.github.com/)支持* [文档](https://docs.github.com/)* [社区论坛](https://github.community/)* [培训](https://services.github.com/)* [状态](https://www.githubstatus.com/)* [联系我们](https://support.github.com/)公司* [关于我们](https://github.com/about)* [博客](https://github.blog/)* [职业机会](https://github.com/about/careers)* [媒体报道](https://github.com/about/press)* [商店](https://shop.github.com/)