From e9ba8c7c28e7b50aa2a348e722f4b5336e234fd7 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Fri, 10 Apr 2026 12:56:28 -0400 Subject: [PATCH] Clarify that dependabot ignores cooldown for security updates --- .../optimizing-pr-creation-version-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md index 0f39d0ebba1f..e80e0ab1c0a9 100644 --- a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md +++ b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md @@ -60,7 +60,7 @@ See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot ### Setting up a cooldown period for dependency updates -You can use `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates**. +You can use `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates** (but not _security_ updates). The example `dependabot.yml` file below shows a cooldown period being applied to the dependencies `requests`, `numpy`, and those prefixed with `pandas` or `django`, but not to the dependency called `pandas` (exact match), which is excluded via the **exclude** list.
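Review bot: The parenthetical added to the `cooldown` sentence, `(but not _security_ updates)`, is ambiguous about what happens to security updates. It can be read as "cooldown cannot be configured for security updates" instead of the behaviour named in the commit subject, that Dependabot ignores cooldown for them. Consider stating it as its own sentence after the changed line, for example "Security updates ignore `cooldown`.", so a reader who relies on a cooldown window knows that security pull requests are still opened without the delay. As a style point, the same line emphasises `**version updates**` in bold but only the single word `_security_` in italics; using the same emphasis on the full term "security updates" would keep the two update types visually parallel.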