nicoburns 9 hours ago

I would like to see a variant of this that is based on a manual review/audit process rather than a time-based cooldown.

Something like, upgrade once there are N independent positive reviews AND less than M negative reviews (where you can configure which people or organisations you trust to audit). And of course you would be able to audit dependencies yourself (and make your review available for others).
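
An added example, not from the commenter or any existing tool, of how such an N-positive / fewer-than-M-negative gate could be evaluated over published reviews. The trust map, reviewer names, package name and review records are all constructed; reviews from the same organisation are collapsed so they count as one "independent" vote, and reviews from reviewers not in the trust map are ignored entirely.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Review:
    reviewer: str     # person or organisation that published the review
    package: str
    version: str
    positive: bool    # True = "safe to upgrade", False = "do not upgrade"

# Constructed trust configuration: reviewer -> organisation they belong to.
# Reviews from the same organisation are NOT independent of each other.
TRUSTED = {
    "alice": "org-a",
    "bob": "org-a",        # same organisation as alice
    "carol": "org-b",
    "dan-corp": "dan-corp",
    "me": "me",            # your own audits count too
}

# Constructed sample reviews for a hypothetical package "widget".
REVIEWS = [
    Review("alice", "widget", "2.1.0", True),
    Review("bob", "widget", "2.1.0", True),      # duplicates alice's org
    Review("carol", "widget", "2.1.0", True),
    Review("mallory", "widget", "2.1.0", True),  # untrusted: ignored
    Review("dan-corp", "widget", "2.1.0", False),
    Review("alice", "widget", "2.0.0", True),
]

def upgrade_allowed(reviews, package, version, n_positive, m_negative,
                    trusted=TRUSTED):
    """Return (allowed, positive_orgs, negative_orgs) for one package version.

    allowed is True only when at least n_positive distinct trusted
    organisations approved AND fewer than m_negative distinct trusted
    organisations objected. An organisation that both approved and objected
    appears in both sets, so its objection still counts against the gate.
    """
    pos, neg = set(), set()
    for r in reviews:
        if r.package != package or r.version != version:
            continue
        org = trusted.get(r.reviewer)
        if org is None:
            continue  # reviewer is not in the configured trust set
        (pos if r.positive else neg).add(org)
    return len(pos) >= n_positive and len(neg) < m_negative, pos, neg

if __name__ == "__main__":
    ok, pos, neg = upgrade_allowed(REVIEWS, "widget", "2.1.0", 2, 2)
    print(f"widget 2.1.0 allowed={ok} positive={sorted(pos)} negative={sorted(neg)}")
```

With N=2 and M=2 the sample data passes (two independent approving organisations, one objection); tightening M to 1 blocks the upgrade on dan-corp's single objection.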

testplzignore 6 hours ago

I've been wanting something like this for years. It's simply impossible for millions of companies to individually review the thousands of updates made to their thousands of dependencies every day.

Imagine a world where every software update has hundreds of signoffs from companies across the industry. That is achievable if we work together. For only a few minutes a day, you too can save a CVSS 10.0 vulnerability from going unpatched :)