
We are freezing our dependencies and aiming at almost never upgrading or updating things when possible. We rarely need the new things these modules come with in newer versions, especially because some enhancements are security concerns disguised as features.

It seems that in the past 2 years people have become more pissed about the current state of things than normal. Since the fakerjs incident I no longer trust maintainers by default.

You know how some people get very funny in the head discussing politics? This seems to be entering the field of programming bit by bit after programmers slowly realized they are the ones who shape the world. Some people don't know how to handle that level of responsibility, so they see 'contributing' as a means to having a lot of power, so that when something pokes them wrong they can unleash all their anger, and it's not on a 140-character tweet that does nothing but instead on all the companies they managed to hold ransom over the free work they were doing during the time people were treating them right.




> We are freezing our dependencies and aiming at almost never upgrading or updating things when possible.

I think this is an equally bad idea. The supply-chain attacks make the news, but getting pwned because of a known vuln in some dependency is a regular occurrence. That 10-year-old OpenSSL binary is bad news.


This, plus when a vulnerability is discovered and you are a million versions behind, facing practically a ground-up rewrite to get back to API compatibility, it is extremely hard to deal with. There is some balance to be had by waiting for things to become tested and stable rather than always defaulting to the bleeding edge, and maintaining a reasonable cadence of dependency management. You don't always need to be on the latest version, but you always need to be ready to be on the latest version.
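The middle ground the two replies above argue for (pin your versions, but keep the pins auditable and know how far behind they are) can be made concrete. The following is an added example, not code from this thread or from any project mentioned in it. It parses a constructed requirements-style lockfile, checks each pin against a constructed advisory list, and reports how many major versions the pin trails a constructed "latest release" index. Every package name, version, and advisory ID below is a placeholder, not a real package or vulnerability.

```python
"""Audit a frozen dependency set against an advisory list.

Added example, not from the thread. All package names, versions and
advisory IDs are constructed placeholders, not real projects or CVEs.
"""
from dataclasses import dataclass
import operator
import re

# Constructed lockfile in requirements.txt style (pins frozen long ago).
LOCKFILE = """\
# frozen two years ago, never touched since
examplelib==2.19.1
yamlish==5.1
cryptolite==3.4.8
padlib==1.0.0
"""

# Constructed advisory feed: (package, affected range, advisory id, fixed-in).
# The IDs are placeholders, not real identifiers.
ADVISORIES = [
    ("examplelib", ">=2.0,<2.20.0", "ADV-0001", "2.20.0"),
    ("yamlish", "<5.4", "ADV-0002", "5.4"),
    ("cryptolite", ">=3.0,<3.4.8", "ADV-0003", "3.4.8"),
]

# Constructed "latest release" index, standing in for a package registry.
LATEST = {"examplelib": "2.32.3", "yamlish": "6.0.1",
          "cryptolite": "42.0.5", "padlib": "1.0.0"}

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def parse_version(v):
    """'5.4.1' -> (5, 4, 1). Dotted integer versions only (an assumption)."""
    return tuple(int(p) for p in v.split("."))


def _pad(a, b):
    # Pad with zeros so (5, 4) compares equal to (5, 4, 0).
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version, spec):
    """True if version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        a, b = _pad(v, parse_version(bound))
        if not OPS[op](a, b):
            return False
    return True


def parse_lockfile(text):
    """Return {name: pinned_version}; refuse anything that is not an exact pin."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass
class Finding:
    package: str
    pinned: str
    advisory: str
    fixed_in: str
    latest: str
    major_lag: int  # major versions between the pin and the latest release


def audit(lockfile_text, advisories, latest):
    """Match every pin against the advisory ranges and measure upgrade distance."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for name, spec, adv_id, fixed in advisories:
        pinned = pins.get(name)
        if pinned is None or not version_in_range(pinned, spec):
            continue
        newest = latest.get(name, pinned)
        lag = parse_version(newest)[0] - parse_version(pinned)[0]
        findings.append(Finding(name, pinned, adv_id, fixed, newest, lag))
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE, ADVISORIES, LATEST):
        print(f"{f.package}=={f.pinned}: {f.advisory}, fixed in {f.fixed_in}; "
              f"latest is {f.latest} ({f.major_lag} major version(s) ahead)")
```

Run against the constructed data, the audit flags `examplelib` (vulnerable, fix is a patch release away) and `yamlish` (vulnerable, and the fix sits behind a major-version jump), while `cryptolite` is already pinned at the fixed version and `padlib` has no advisory. The `major_lag` column is the point the second reply makes: a finding with lag 0 is a routine bump, a finding with lag 1 or more is the ground-up rewrite you want to discover on your own schedule rather than on the attacker's.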





