This is literally EXACTLY how releases are supposed to work for companies using any package manager out there.
A number of [employees] who pay attention to what's going on upstream package software for users. When something gets weird these [employees] change their behavior and prevent the users from being harmed.
The problem is - much like a church with elders (and Linux distros - frankly) - quality varies dramatically.
Some of them prevent people from being captured by vices, some of them diddle the kids.
Same here: Some companies take the appropriate steps to lock down dependencies and only update after a thorough vetting. Some pull the latest packages on every push to master.
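As an added example (not part of this comment or the thread), here is a small Python check for the second kind of company the comment describes: it parses an npm-style package.json (the manifests below are constructed samples, not from any real project) and reports every dependency whose version specifier can float to a newer release on the next install, so a CI gate can refuse to build until the dependency is pinned and vetted.

```python
import json
import re

# An exact semver version, optionally with a prerelease tag (e.g. 1.2.3 or 1.2.3-rc.1).
# Anything else (^1.2.3, ~1.2.3, >=1.0.0, *, latest, a git URL) can resolve to a
# release that nobody has looked at yet on the next fresh install.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

# Constructed sample manifests (package names are placeholders, not real packages).
WEAK_MANIFEST = """{
  "dependencies": {"alpha-lib": "^1.3.0", "beta-lib": "latest", "gamma-lib": "4.17.21"},
  "devDependencies": {"delta-tool": "~2.0.0"}
}"""

PINNED_MANIFEST = """{
  "dependencies": {"alpha-lib": "1.3.0", "beta-lib": "5.1.0", "gamma-lib": "4.17.21"},
  "devDependencies": {"delta-tool": "2.0.0"}
}"""


def unpinned_dependencies(manifest_text: str) -> dict:
    """Return {name: spec} for every dependency that is not pinned to an exact version."""
    manifest = json.loads(manifest_text)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(str(spec).strip()):
                flagged[name] = spec
    return flagged


def ci_gate(manifest_text: str) -> bool:
    """True when the build may proceed: every dependency is pinned to a vetted version."""
    return not unpinned_dependencies(manifest_text)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("pinned", PINNED_MANIFEST)):
        print(label, "->", "ok" if ci_gate(text) else unpinned_dependencies(text))
```

A committed lockfile installed with a lockfile-only command (for npm, `npm ci`) is the usual complement to this check, since it freezes the transitive dependencies the manifest does not list.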