Pinning dependencies also means you're missing any security fixes that come in after your pinned versions. That's asking for trouble too, so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them.

▲

yen223 3 hours ago | parent | next [-]

Things like dependabot or renovate solves the problem of letting you know when security updates are available, letting you have your cake and eat it too.

▲

kjkjadksj 6 hours ago | parent | prev [-]

All code is fundamentally not ever secure.

▲

apstls 6 hours ago | parent | next [-]

This statement is one of those useless exercises in pedantry like when people say "well technically coffee is a drug too, so..."

Code with publicly-known weaknesses poses exponentially more danger than code with unknown weaknesses.

It's like telling sysadmins to not waste time installing security patches because there are likely still vulnerabilities in the application. Great way to get n-day'd into a ransomware payment.

	▲	nightpool 5 hours ago \| parent [-]
		Have you spent time reviewing the security patches for any nontrivial application recently? 90% of them are worthless, the 10% that are actually useful are pretty easy to spot. It's not as big of a deal as people would like to have you think.

▲

da_chicken 6 hours ago | parent | prev [-]

That's why I run Windows 7. It's going to be insecure anyways so what's the big deal?