
Now you have the opposite problem, where a vulnerability could be found in one of your dependencies but you don't get the fix until the next "normal time that you verify that your program actually needs the update".




If a security issue is found, that creates the "normal time".

That is, when a security issue is found, regardless of supply chain tooling, one would update.

That there is a little cache/mirror thing in the middle is of little consequence in that case.

And for all other cases the blessed versions in your mirror are better even if not latest.


This is how most software used to work before internet package managers, and it turns out that the same people who aren't good at checking their dependencies before automatically upgrading are also not good at constantly monitoring their dependencies for vulnerabilities.
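The two comments above turn on the same operational question: if a mirror serves blessed, pinned versions, what actually triggers the out-of-band update when an advisory lands? The script below is an added example, not code from the thread or from any particular package manager. It parses an exact-pin lockfile, compares each pin against a list of advisory records (each with a package name and an introduced/fixed version range, the shape that vulnerability databases commonly use), and reports pins that fall inside an affected range. The lockfile contents, the package names and the advisory identifiers are all constructed for illustration and are hypothetical.

```python
"""
Added example (not from the thread): audit exact-pinned dependencies against
a set of security advisories, so that an advisory, rather than the calendar,
decides when a pinned/mirrored version must be bumped.

All package names, versions and advisory IDs below are constructed and
hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed lockfile in the "name==version" style used by pip freeze.
LOCKFILE = """
# blessed versions served from the internal mirror (constructed)
examplelib==1.26.5
cryptoshim==41.0.7
netclient==2.31.0   # transitive pin
"""

# Constructed advisory records. "introduced" is inclusive, "fixed" is
# exclusive; a missing "fixed" means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib",
     "introduced": "1.26.0", "fixed": "1.26.18"},
    {"id": "EXAMPLE-0002", "package": "cryptoshim",
     "introduced": "0", "fixed": "41.0.0"},
    {"id": "EXAMPLE-0003", "package": "netclient",
     "introduced": "2.32.0", "fixed": None},
]


def parse_version(s: str) -> Version:
    """Turn '1.26.5' into (1, 26, 5); pad to at least three components so
    that '1.26' and '1.26.0' compare equal. Pre-release suffixes are
    dropped, which is deliberate for a conservative audit."""
    m = re.match(r"^(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparsable version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def parse_lockfile(text: str) -> Dict[str, Version]:
    """Accept only exact pins; anything looser is an error, because a range
    cannot be audited against an advisory."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)$", line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        pins[name] = parse_version(m.group(2))
    return pins


def _in_range(v: Version, lo: Optional[str], hi: Optional[str]) -> bool:
    """True if lo <= v < hi, with a missing bound meaning unbounded."""
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


def affected(pins: Dict[str, Version], advisories: List[dict]) -> List[dict]:
    """Return one record per (pin, advisory) pair where the pinned version
    lies inside the advisory's affected range."""
    hits = []
    for adv in advisories:
        name = adv["package"].lower().replace("_", "-")
        if name not in pins:
            continue
        v = pins[name]
        if _in_range(v, adv.get("introduced"), adv.get("fixed")):
            hits.append({
                "package": name,
                "pinned": ".".join(map(str, v)),
                "advisory": adv["id"],
                "fixed": adv.get("fixed"),  # None => no fixed release yet
            })
    return hits


def audit(lockfile: str = LOCKFILE, advisories: List[dict] = ADVISORIES) -> List[dict]:
    return affected(parse_lockfile(lockfile), advisories)


if __name__ == "__main__":
    for hit in audit():
        target = hit["fixed"] or "(no fixed release yet: mitigate or remove)"
        print(f"{hit['advisory']}: {hit['package']}=={hit['pinned']} -> update to {target}")
```

With the constructed data only `examplelib` is flagged: `cryptoshim` is pinned past the fix and `netclient` is pinned before the affected range begins. Running this on a schedule against the mirror's manifest is the "constant monitoring" the last comment says people skip; the pin itself never changes until a hit appears.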


