Clarify that dependabot ignores cooldown for security updates

jsoref · web-flow · commit e9ba8c7c28e7 · 2026-04-10T12:56:28.000-04:00
diff --git a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md
@@ -60,7 +60,7 @@ See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot
 
 ### Setting up a cooldown period for dependency updates
 
-You can use  `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates**.
+You can use  `cooldown` with a combination of options to control when {% data variables.product.prodname_dependabot %} creates pull requests for **version updates** (but not _security_ updates).
 
 The example `dependabot.yml` file below shows a cooldown period being applied to the dependencies `requests`, `numpy`, and those prefixed with `pandas` or `django`, but not to the dependency called `pandas` (exact match), which is excluded via the **exclude** list.
 
