www.stepsecurity.io 4/15/2026, 3:06:55 PM · via preferred

StepSecurity introduces cooldown & grouping for Dependabot


StepSecurity has introduced cooldown and group attributes to its Dependabot configuration management, enabling organisations to control how often update PRs arrive and how related updates are batched across npm, pip, Docker, GitHub Actions, and other Dependabot-supported ecosystems. The changes are designed to reduce alert fatigue and improve patch review by allowing updates to be grouped into a single PR or paced at a cadence that matches team capacity.

Grouping can batch non-major production dependency updates into one weekly PR while keeping major version bumps separate for closer review, and cooldown sets the minimum interval between new Dependabot PRs. These features are available through StepSecurity's centralized Dependabot configuration, with the option to generate or enhance dependabot.yml files for repositories that lack proper configuration.
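The following dependabot.yml is an added illustration, not a file from StepSecurity or from the article, of the grouping and cooldown behaviour described above. It uses the groups and cooldown keys that GitHub documents for Dependabot; the ecosystems, day counts and group names are chosen here for the example, and a file generated by StepSecurity's configuration tooling may differ in layout.

```yaml
# Added example (not StepSecurity's or GitHub's own file).
# Goal: one weekly PR for non-major production updates, majors kept as
# separate PRs for closer review, and a cooldown so brand-new releases
# are not proposed immediately.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Days to wait after a version is published before Dependabot proposes it.
    # Values here are illustrative; majors get the longest wait.
    cooldown:
      default-days: 3
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
    groups:
      # All minor and patch updates of production dependencies in one PR.
      production-non-major:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
      # Dev dependencies batched separately so they do not dilute review
      # of the production set.
      dev-non-major:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
    # Major updates match no group above, so each arrives as its own PR.

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
    groups:
      # github-actions has no production/development split, so match by pattern.
      actions-non-major:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

A quick check after adopting such a file: the next scheduled run should open at most one PR per group per ecosystem, with any major bump appearing as its own PR, and versions published more recently than the configured cooldown should be absent from all of them until the window elapses.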

The npm Package Cooldown check remains a separate gate that blocks PRs introducing recently published versions, with a default window of 2 days (configurable between 1 and 30 days). The update was published on April 15, 2026 by Balijepalli Vamshi Krishna.


Article by CyberSIXT