Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Sure, but there's an obvious tradeoff: You're also delaying the uptake of fixes for zero-day vulnerabilities.

The article does not discuss this tradeoff.



The article assumes that engineers have the technical wherewithal to know when they should manually upgrade their dependencies!

Clearly I should have mentioned that Dependabot (and probably others) don't consider cooldown when suggesting security upgrades. That's documented here[1].

[1]: https://docs.github.com/en/code-security/dependabot/working-...


Ye Olde "Cache Invalidation" problems really

Instead of updating the cache of dependencies you have immediately, the suggestion is to use the cooldown to wait....

As you point out, this means that you have a stale cache member has a critical fix applied.

Next week's solution - have a dependency management tool that alerts you when critical fixes are created upstream for dependencies you have

Followed by - now the zero day authors are publishing their stuff as critical fixes...

Hilarity ensues




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: