abalone 7 hours ago

Sure, but there's an obvious tradeoff: You're also delaying the uptake of fixes for zero-day vulnerabilities.

The article does not discuss this tradeoff.

woodruffw 6 hours ago | parent | next [-]

The article assumes that engineers have the technical wherewithal to know when they should manually upgrade their dependencies!

Clearly I should have mentioned that Dependabot (and probably others) don't consider cooldown when suggesting security upgrades. That's documented here[1].

[1]: https://docs.github.com/en/code-security/dependabot/working-...

awesome_dude 6 hours ago | parent | prev [-]

Ye Olde "Cache Invalidation" problems really

Instead of updating the cache of dependencies you have immediately, the suggestion is to use the cooldown to wait...

As you point out, this means that you have a stale cache member that has a critical fix applied.

Next week's solution - have a dependency management tool that alerts you when critical fixes are created upstream for dependencies you have

Followed by - now the zero-day authors are publishing their stuff as critical fixes...

Hilarity ensues
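The tradeoff the thread is arguing about, as an added example (not code from the article, from Dependabot, or from any commenter): a cooldown-aware version picker that can optionally let releases flagged as security fixes through immediately, plus a check that lists the fixes a plain cooldown would still hold back, which is the alert the last comment asks for. Versions, dates and the security flag are constructed sample data; the `security_fix` flag stands in for whatever advisory feed a real tool would consult.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Release:
    version: str
    published: date
    security_fix: bool = False  # would come from an advisory feed; constructed here


def parse_version(v: str) -> tuple:
    # Minimal numeric version ordering, enough for the sample data below.
    return tuple(int(part) for part in v.split("."))


def select_version(releases, today, cooldown_days, bypass_for_security=True):
    """Return the release a cooldown-aware updater would pick, or None.

    A normal update only considers releases at least `cooldown_days` old.
    With bypass_for_security=True, a release carrying a security fix is
    eligible immediately, the behaviour the thread attributes to Dependabot
    security updates. With it False, you get the "stale cache" outcome.
    """
    cutoff = today - timedelta(days=cooldown_days)
    eligible = [
        r for r in releases
        if r.published <= cutoff or (bypass_for_security and r.security_fix)
    ]
    if not eligible:
        return None
    return max(eligible, key=lambda r: parse_version(r.version))


def held_back_security_fixes(releases, today, cooldown_days):
    """Security-fix releases a plain cooldown would still delay today."""
    cutoff = today - timedelta(days=cooldown_days)
    return [r for r in releases if r.security_fix and r.published > cutoff]


# Constructed sample history: a benign release, a fresh release inside the
# cooldown window, and a fresh release that ships a security fix.
SAMPLE_RELEASES = [
    Release("1.4.0", date(2025, 6, 1)),
    Release("1.4.1", date(2025, 6, 20)),
    Release("1.4.2", date(2025, 6, 22), security_fix=True),
]
TODAY = date(2025, 6, 24)

if __name__ == "__main__":
    print(select_version(SAMPLE_RELEASES, TODAY, 7, bypass_for_security=False))
    print(select_version(SAMPLE_RELEASES, TODAY, 7))
    print(held_back_security_fixes(SAMPLE_RELEASES, TODAY, 7))
```

With a 7-day cooldown and no bypass the picker stays on 1.4.0 and the security fix in 1.4.2 waits; with the bypass it jumps straight to 1.4.2, which is also the release an attacker would mislabel to skip the cooldown, as the thread notes.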