icehawk 9 hours ago

> I upgrade all dependencies every time I deploy anything. If you don't, a zero day is going to bite you in the ass: that's the world we now live in.

I think you're using a different definition of zero day than what is standard. Any zero day vulnerability is not going to have a patch you can get with an update.

jcalvinowens 9 hours ago | parent [-]

Zero days often get fixed sooner than seven days. If you wait seven days, you're pointlessly vulnerable.

saurik 8 hours ago | parent [-]

Only if you already upgraded to the one with the bug in it, and then only if you ignore "this patch is actually different: read this notice and deploy it immediately". The argument is not "never update quickly": it is don't routinely deploy updates constantly that are not known to be high priority fixes.

jcalvinowens 7 hours ago | parent [-]

> The argument is not "never update quickly": it is don't routinely deploy updates constantly that are not known to be high priority fixes.

Yes. I'm saying that's wrong.

The default should always be to upgrade to new upstream releases immediately. Only in exceptional cases should things be held back.

saurik 2 hours ago | parent | next [-]

But that isn't what you said? ;P "If you wait seven days, you're pointlessly vulnerable." <- this is clearly a straw man, as no one is saying you'd wait seven days to deploy THAT patch... but, if some new configuration file feature is added, or it is ported to a new architecture you aren't using--aka, the 99.99% of patches--you don't deploy THOSE patches for a while (and I'd argue seven days is way way too small) until you get a feel that it isn't a supply chain attack (or what will become a zero day). Every now and then, someone tries to fix a serious bug... most of the time, you are just rolling the die on adding a new bug that someone can quickly find and exploit you using.
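The policy argued for in the comment above (hold routine releases back for a cooldown period, but take advertised security fixes immediately) is easy to state and easy to get subtly wrong, so here is an added example of one way to implement it. This is not code from any commenter in the thread; the package name, version numbers, publish dates and the `security_fix` flag are all constructed for illustration, and a real resolver would populate that flag from an advisory feed rather than from the registry metadata.

```python
"""Minimum-release-age dependency selection with a fast path for security fixes.

Added example: constructed data, not taken from any real package registry.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime
    # Assumption: set from an advisory source (e.g. an OSV-style feed), because a
    # registry's own "this is a security release" claim is exactly what an attacker
    # who has taken over the package would also be able to write.
    security_fix: bool = False


def version_key(v: str) -> tuple[int, ...]:
    """Numeric sort key so that '3.10.0' sorts after '3.9.1'."""
    return tuple(int(part) for part in v.split("."))


def choose_version(releases: list[Release], now: datetime, min_age_days: int = 14) -> str | None:
    """Newest release that is either older than the cooldown window or an advertised security fix.

    Note that the winner is the highest *eligible* version, which may be older than
    the newest release on the registry: a fresh feature release stays held back even
    when a security fix for the previous minor line is adopted at once.
    """
    min_age = timedelta(days=min_age_days)
    eligible = [r for r in releases if r.security_fix or now - r.published >= min_age]
    if not eligible:
        return None
    return max(eligible, key=lambda r: version_key(r.version)).version


def held_back(releases: list[Release], now: datetime, min_age_days: int = 14) -> list[str]:
    """Versions still inside the cooldown window that are not flagged security fixes."""
    min_age = timedelta(days=min_age_days)
    return sorted(
        (r.version for r in releases if not r.security_fix and now - r.published < min_age),
        key=version_key,
    )


# Constructed sample: four releases of a hypothetical package "examplepkg".
NOW = datetime(2025, 1, 30, tzinfo=timezone.utc)
RELEASES = [
    Release("3.0.0", datetime(2024, 12, 1, tzinfo=timezone.utc)),
    Release("3.1.0", datetime(2025, 1, 5, tzinfo=timezone.utc)),
    # Routine feature release, two days old: inside the cooldown window.
    Release("3.2.0", datetime(2025, 1, 28, tzinfo=timezone.utc)),
    # Security fix on the 3.1 line, one day old: deployed without waiting.
    Release("3.1.1", datetime(2025, 1, 29, tzinfo=timezone.utc), security_fix=True),
]


if __name__ == "__main__":
    print("examplepkg ->", choose_version(RELEASES, NOW))
    print("held back   ->", held_back(RELEASES, NOW))
```

With the constructed data the resolver picks 3.1.1 (the day-old security fix) while keeping 3.2.0 on hold; with `min_age_days=0` it degenerates into the "always upgrade immediately" policy and picks 3.2.0. The window length is the knob the two commenters disagree about; the code just makes the trade-off explicit.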
