StepSecurity has added cooldown and group configuration support for Dependabot, giving organizations control over how dependency update PRs are batched and how frequently they arrive. The group attribute lets teams combine related updates into a single PR (for example, all minor and patch updates to production dependencies in one weekly PR), while cooldown sets a minimum interval between new Dependabot PRs to prevent queue flooding. These features complement StepSecurity's existing npm Package Cooldown check, which blocks PRs that introduce recently published packages. The announcement is framed against a wave of March 2026 supply chain attacks, including the axios compromise and the CanisterWorm npm worm, and argues that teams with unmanageable Dependabot queues were the most exposed. Both features are available through StepSecurity's centralized configuration and can be applied across all repositories in an organization.
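For reference, the same two controls in Dependabot's native `dependabot.yml` syntax (an added example, not StepSecurity's centralized configuration, whose format the page does not show). Note that native Dependabot cooldown is expressed as the number of days after a version is published before Dependabot will propose it; the `@example-org/*` exclusion pattern is an assumed placeholder.

```yaml
# Added example: Dependabot's own dependabot.yml form of "groups" and "cooldown".
# Not StepSecurity's configuration format.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Batch related updates so the queue stays reviewable:
    # all minor/patch bumps to production dependencies arrive as one PR,
    # development dependencies as another. Major bumps stay as separate PRs.
    groups:
      production-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      dev-dependencies:
        dependency-type: "development"
    # Cooldown: wait this many days after a version is published before
    # proposing it, so a freshly pushed (possibly compromised) release is not
    # pulled in on day one. Per-semver-level values override the default.
    cooldown:
      default-days: 7
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
      # Assumed placeholder: internal packages you control can be excluded
      # from the cooldown so their updates are proposed immediately.
      exclude: ["@example-org/*"]
```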