Jul 1, 2025 · Jul 1, 2025 · Jul 1, 2025 · Jul 1, 2025
diff --git a/...ode-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/...ode-security/dependabot/working-with-dependabot/dependabot-options-reference.md

 By default, a group will include all types of dependencies.

 * Use `development` to include only dependencies in the "Development dependency group".
 * Use `production` to include only dependencies in the "Production dependency group".

 ### `patterns` and `exclude-patterns` (`groups`)


 #### Versioning tag glossary

 * **`alpha`:** Early version, may be unstable and have incomplete features.
 * **`beta`:** More stable than alpha but may still have bugs.
 * **`canary`:** Regularly updated pre-release version for testing.
 * **`dev`:** Represents development versions.
 * **`experimental`:** Versions with experimental features.
 * **`latest`:** The latest stable release.
 * **`legacy`:** Older or deprecated versions.
 * **`next`:** Upcoming release version.
 * **`nightly`:** Versions built nightly; often includes the latest changes.
 >
 > * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %}
 > * Cargo{% endif %}
 > * Docker
 > * Gradle
 > * Maven
 > * Npm

 ## `cooldown` {% octicon "versions" aria-label="cooldown" height="24" %}

 Defines a **cooldown period** for dependency updates to delay updates for a configurable number of days. This feature enablesdependabot users to customize how often they receive new version updates, offering greater control over update frequency.
 Defines a **cooldown period** for dependency updates to delay updates for a configurable number of days. This feature enables{% data variables.product.prodname_dependabot %} users to customize how often they receive new version updates, offering greater control over update frequency.

 > [!NOTE]
 > Cooldown is not applicable for security updates.
 >
 > Cooldown is not available for **Nuget** ecosystem

 ### **How Cooldown Works**

 * WhenDependabot runs updates as per defined schedule, it checks the **cooldown settings** to determine if new release for dependency is still within its cooldown period.
 * When{% data variables.product.prodname_dependabot %} runs updates as per defined schedule, it checks the **cooldown settings** to determine if new release for dependency is still within its cooldown period.
 * If new version release date is within the cooldown period, dependency version update is **filtered out** and will not be updated until the cooldown period expires.
 * Once the cooldown period ends for new version, the dependency update proceeds based on the standard update strategy defined in `dependabot.yml`.

 Without **`cooldown`** (default behaviour): {% data variables.product.prodname_dependabot %}
 Without **`cooldown`** (default behaviour):

 * Dependabot checks for updates according to the scheduled defined via `schedule.interval`.
 * All new versions are considered for updates **immediately**.

 With **`cooldown`** enabled:

 *Dependabot checks for updates based on the defined `schedule.interval` settings.
 *{% data variables.product.prodname_dependabot %} checks for updates based on the defined `schedule.interval` settings.
 * **Releases within the cooldown period are ignored.**
 *Dependabot updates the dependency to the latest available version **that are no longer in cooldown period** following the configured `versioning-strategy`.
 *{% data variables.product.prodname_dependabot %} updates the dependency to the latest available version **that are no longer in cooldown period** following the configured `versioning-strategy`.

 ### **Cooldown Configuration**

 >
 > * If `semver-major-days`, `semver-minor-days`, or `semver-patch-days` are not defined, `default-days` settings take precedence for cooldown based updates.
 > * `semver-major-days`, `semver-minor-days`, and `semver-patch-days` are only applicable for [supported package managers](#semver-versioning).
 > * The `exclude` list always take precedence over the `include` list. If a dependency is specified in both lists, it is excluded from cooldown and will be updated immediately.

 ### **Cooldown settings limitations**

 ### **Example `dependabot.yml` with cooldown**

 ```yaml copy

 version: 2
 updates:
  - package-ecosystem: "pip"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -222,8 +222,8 @@

		By default, a group will include all types of dependencies.

		* Use `development` to include only dependencies in the "Development dependency group".
Check warning on line 225 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Periods and commas should be placed inside quotation marks (American English style) `Use American English punctuation: place period inside the quotation marks.`
		* Use `production` to include only dependencies in the "Production dependency group".
Check warning on line 226 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Periods and commas should be placed inside quotation marks (American English style) `Use American English punctuation: place period inside the quotation marks.`

		### `patterns` and `exclude-patterns` (`groups`)

Expand DownExpand Up		@@ -647,12 +647,12 @@

		#### Versioning tag glossary

		* `alpha`: Early version, may be unstable and have incomplete features.
Check warning on line 650 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `beta`: More stable than alpha but may still have bugs.
Check warning on line 651 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `canary`: Regularly updated pre-release version for testing.
Check warning on line 652 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `dev`: Represents development versions.
Check warning on line 653 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `experimental`: Versions with experimental features.
Check warning on line 654 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `latest`: The latest stable release.
Check warning on line 655 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Do not use more than one emphasis/strong `Do not use multiple emphasis types in a single string: bold + code.`
		* `legacy`: Older or deprecated versions.
		* `next`: Upcoming release version.
		* `nightly`: Versions built nightly; often includes the latest changes.
Expand All		@@ -673,7 +673,7 @@
		>
		> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %}
		> * Cargo{% endif %}
		> * Docker
Check warning on line 676 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Note and warning tags should be formatted according to style guide `Do not include more than 2 bullet points inside a callout.`
		> * Gradle
		> * Maven
		> * Npm
Expand DownExpand Up		@@ -750,27 +750,29 @@

		## `cooldown` {% octicon "versions" aria-label="cooldown" height="24" %}

		Defines a cooldown period for dependency updates to delay updates for a configurable number of days. This feature enablesdependabot users to customize how often they receive new version updates, offering greater control over update frequency.
		Defines a cooldown period for dependency updates to delay updates for a configurable number of days. This feature enables{% data variables.product.prodname_dependabot %} users to customize how often they receive new version updates, offering greater control over update frequency.

		> [!NOTE]
		> Cooldown is not applicable for security updates.
		>
		> Cooldown is not available for Nuget ecosystem
sachin-sandhu marked this conversation as resolved. Show resolvedHide resolved

		### How Cooldown Works

		* WhenDependabot runs updates as per defined schedule, it checks the cooldown settings to determine if new release for dependency is still within its cooldown period.
		* When{% data variables.product.prodname_dependabot %} runs updates as per defined schedule, it checks the cooldown settings to determine if new release for dependency is still within its cooldown period.
		* If new version release date is within the cooldown period, dependency version update is filtered out and will not be updated until the cooldown period expires.
		* Once the cooldown period ends for new version, the dependency update proceeds based on the standard update strategy defined in `dependabot.yml`.

		Without `cooldown` (default behaviour): {% data variables.product.prodname_dependabot %}
		Without `cooldown` (default behaviour):

		* Dependabot checks for updates according to the scheduled defined via `schedule.interval`.
		* All new versions are considered for updates immediately.

		With `cooldown` enabled:

		*Dependabot checks for updates based on the defined `schedule.interval` settings.
		*{% data variables.product.prodname_dependabot %} checks for updates based on the defined `schedule.interval` settings.
		* Releases within the cooldown period are ignored.
		Dependabot updates the dependency to the latest available version that are no longer in cooldown period* following the configured `versioning-strategy`.
		{% data variables.product.prodname_dependabot %} updates the dependency to the latest available version that are no longer in cooldown period* following the configured `versioning-strategy`.

		### Cooldown Configuration

Expand DownExpand Up		@@ -814,7 +816,7 @@
		>
		> * If `semver-major-days`, `semver-minor-days`, or `semver-patch-days` are not defined, `default-days` settings take precedence for cooldown based updates.
		> * `semver-major-days`, `semver-minor-days`, and `semver-patch-days` are only applicable for [supported package managers](#semver-versioning).
		> * The `exclude` list always take precedence over the `include` list. If a dependency is specified in both lists, it is excluded from cooldown and will be updated immediately.
Check warning on line 819 in content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md View workflow job for this annotation GitHub Actions/ lint-content Note and warning tags should be formatted according to style guide `Do not include more than 2 bullet points inside a callout.`

		### Cooldown settings limitations

Expand All		@@ -824,7 +826,6 @@
		### Example `dependabot.yml` with cooldown

		```yaml copy

		version: 2
		updates:
		- package-ecosystem: "pip"
Expand Down