Comment by woodruffw

The article assumes that engineers have the technical wherewithal to know when they should manually upgrade their dependencies!

Clearly I should have mentioned that Dependabot (and probably others) don't consider cooldown when suggesting security upgrades. That's documented here[1].

[1]: https://docs.github.com/en/code-security/dependabot/working-...