Copilot AI commented Jan 29, 2026

What are you trying to accomplish?

Security updates were incorrectly filtering versions due to cooldown, causing "Dependabot cannot update to the required version" errors. Per the documentation, cooldown should only apply to version updates, not security updates.

updater | INFO <job_1213272248> Filtered out 4 versions due to cooldown

Anything you want to highlight for special attention from reviewers?

Two update_checker_for methods unconditionally passed job.cooldown:

  • updater/lib/dependabot/updater/operations/update_all_versions.rb
  • updater/lib/dependabot/updater/group_update_creation.rb

Fix passes nil when job.security_updates_only? is true:

update_cooldown: job.security_updates_only? ? nil : job.cooldown,

The security-specific operations (CreateSecurityUpdatePullRequest, RefreshSecurityUpdatePullRequest) already omit cooldown entirely—this fix aligns the shared code paths.

How will you know you've accomplished your goal?

Added tests in update_all_versions_spec.rb verifying:

  • Cooldown is NOT passed for security updates even when configured
  • Cooldown IS passed for version updates when configured

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.launchpad.net
    • Triggering command: /usr/bin/add-apt-repository add-apt-repository -y ppa:git-core/ppa grep rity.crt -q la/emSign_Root_CA_-_G1.crt e u3_amd64.deb (dns block)
  • ports.ubuntu.com
    • Triggering command: /usr/lib/apt/methods/http /usr/lib/apt/methods/http (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Security updates are using cooldown</issue_title>
<issue_description>### Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

11.6.1

Language version

Node v24.11.0

Manifest location and content before the Dependabot update

Not really sure this is the correct repo where to raise this issue.

dependabot.yml content

version: 2
updates:
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: weekly

  - package-ecosystem: cargo
    directory: '/'
    schedule:
      interval: weekly
    cooldown:
      default-days: 30

  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: weekly
    cooldown:
      default-days: 30
    allow:
      - dependency-type: all
    ignore:
      - dependency-name: '@dfinity/*'
      - dependency-name: '@icp-sdk/*'
      - dependency-name: '@types/*'
      - dependency-name: 'typescript'
    open-pull-requests-limit: 10
    groups:
      solana-kit:
        patterns:
          - '@solana-program/compute-budget'
          - '@solana-program/system'
          - '@solana-program/token'
          - '@solana-program/token-2022'
          - '@solana/kit'
      vitest-group:
        patterns:
          - 'vitest'
          - 'vitest-mock-extended'
          - '@vitest/coverage-v8'

What you expected to see, versus what you actually saw

Basically, dependabot is running the security updates for @sveltejs/kit, but when it runs the auto-update triggered by the security alert, the job still uses the cooldown option:

updater | 2026/01/19 13:10:16 INFO <job_1213272248> Checking if @sveltejs/kit 2.49.2 needs updating
  proxy | 2026/01/19 13:10:16 [037] GET https://registry.npmjs.org/@sveltejs%2Fkit
  proxy | 2026/01/19 13:10:16 [037] 200 https://registry.npmjs.org/@sveltejs%2Fkit
updater | 2026/01/19 13:10:16 INFO <job_1213272248> Filtered out 4 versions due to cooldown
  proxy | 2026/01/19 13:10:16 [041] HEAD https://registry.npmjs.org/@sveltejs/kit/-/kit-2.50.0.tgz
  proxy | 2026/01/19 13:10:16 [041] 200 https://registry.npmjs.org/@sveltejs/kit/-/kit-2.50.0.tgz

while the cooldown documentation says:

The cooldown option is only available for version updates, not security updates.

Furthermore, the dependency graph returns an error (even if the job concluded successfully):

Security update 1213277249
Errored with the message "Dependabot cannot update to the required version"
No PRs affected 16 minutes ago view logs
</issue_description>

Comments on the Issue (you are @copilot in this section)

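The mechanism behind the bug and the one-line fix, as an added, self-contained Ruby example that is not dependabot-core's own code. Only `job.security_updates_only?`, `job.cooldown` and the `update_cooldown:` ternary mirror identifiers visible in this PR; `Job`, `Release`, `filter_by_cooldown`, `resolve_update` and the release dates are assumptions chosen for illustration (the versions echo the issue's log, the dates are invented). It shows why passing the cooldown through on a security-only job can leave no acceptable version at all, which is the "cannot update to the required version" outcome, and why passing nil restores the fixed version as a candidate.

```ruby
require "date"
require "rubygems" # for Gem::Version comparisons

# Hypothetical stand-in for Dependabot's job object: only the two methods the
# PR touches (security_updates_only? and cooldown) are modelled.
Job = Struct.new(:security_updates_only, :cooldown, keyword_init: true) do
  def security_updates_only?
    security_updates_only
  end
end

# Behaviour before the PR: the shared update_checker_for passed job.cooldown
# unconditionally, so security-only jobs were subject to the cooldown too.
def cooldown_before_fix(job)
  job.cooldown
end

# Behaviour after the PR (mirrors
#   update_cooldown: job.security_updates_only? ? nil : job.cooldown,
# in update_all_versions.rb and group_update_creation.rb).
def cooldown_after_fix(job)
  job.security_updates_only? ? nil : job.cooldown
end

Release = Struct.new(:version, :released_at, keyword_init: true)

# Constructed registry data for illustration; the version numbers echo the
# issue's log but the release dates are invented, not taken from npm.
TODAY = Date.new(2026, 1, 19)
RELEASES = [
  Release.new(version: Gem::Version.new("2.48.0"), released_at: Date.new(2025, 11, 1)),
  Release.new(version: Gem::Version.new("2.49.2"), released_at: Date.new(2025, 12, 1)),
  Release.new(version: Gem::Version.new("2.50.0"), released_at: Date.new(2026, 1, 10)) # 9 days old
].freeze

# Simplified cooldown filter: drop releases younger than cooldown_days.
# A nil cooldown disables the filter, which is what the fix relies on.
def filter_by_cooldown(releases, cooldown_days, today = TODAY)
  return releases if cooldown_days.nil?

  releases.reject { |r| (today - r.released_at) < cooldown_days }
end

# Simplified resolver: for a security update only versions at or above the
# lowest fixed version are acceptable; for a version update any version is.
# Returns the chosen version as a string, or nil when nothing qualifies
# (the "Dependabot cannot update to the required version" outcome).
def resolve_update(releases, cooldown_days, lowest_fixed: nil, today: TODAY)
  candidates = filter_by_cooldown(releases, cooldown_days, today)
  candidates = candidates.select { |r| r.version >= lowest_fixed } if lowest_fixed
  best = candidates.map(&:version).max
  best&.to_s
end

if __FILE__ == $PROGRAM_NAME
  security_job = Job.new(security_updates_only: true, cooldown: 30)
  fixed = Gem::Version.new("2.50.0") # assumed lowest non-vulnerable version
  p resolve_update(RELEASES, cooldown_before_fix(security_job), lowest_fixed: fixed) # nil
  p resolve_update(RELEASES, cooldown_after_fix(security_job), lowest_fixed: fixed)  # "2.50.0"
end
```

With a 30-day cooldown and a fixed version only 9 days old, the pre-fix path filters the fixed version out and the resolver has nothing left that satisfies the security constraint; the post-fix path skips the filter for security-only jobs and still honours the cooldown for ordinary version updates, which is exactly what the two new specs in update_all_versions_spec.rb assert.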

Copilot AI and others added 3 commits January 29, 2026 22:31
The cooldown feature should only apply to version updates, not security
updates. This fix modifies the update_checker_for method in:
- updater/lib/dependabot/updater/operations/update_all_versions.rb
- updater/lib/dependabot/updater/group_update_creation.rb

Both now pass nil for update_cooldown when job.security_updates_only? is true.

Co-authored-by: AbhishekBhaskar <22154418+AbhishekBhaskar@users.noreply.github.com>
- Test that cooldown is NOT passed to UpdateChecker for security updates
- Test that cooldown IS passed to UpdateChecker for version updates

Co-authored-by: AbhishekBhaskar <22154418+AbhishekBhaskar@users.noreply.github.com>
Address code review feedback by:
- Removing tests from updater_spec.rb (file says not to add new tests)
- Adding tests to update_all_versions_spec.rb for cooldown behavior

Co-authored-by: AbhishekBhaskar <22154418+AbhishekBhaskar@users.noreply.github.com>
Copilot AI changed the title [WIP] Update security updates cooldown settings for npm Jan 29, 2026
Copilot AI requested a review from AbhishekBhaskar January 29, 2026 22:54