Ygg2 7 hours ago
But you also need the latest versions to avoid zero-day attacks. | ||||||||
cesarb 2 hours ago
Or an old enough version. For one of the most damaging zero-day vulnerabilities in the Java ecosystem (log4shell), you were vulnerable if you were in the latest version, but not vulnerable if you were using an old enough version. | ||||||||
lpribis 5 hours ago
99% of releases do NOT fix zero-days. But 100% of releases have a small risk of introducing a backdoored build-script. There's nothing wrong with pinning dependencies and only updating when you know for sure they're fixing a zero-day (as it will be public at that point). | ||||||||
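One way to enforce the pinning lpribis describes, as an added example (not code from any commenter in this thread): a small Node.js check that reads a package.json and lists every dependency whose version spec is a range (`^`, `~`, `>=`, a git reference, and so on) rather than an exact version. The package.json contents below are constructed for the example; the field names it inspects are the standard npm ones.

```javascript
// Added example: flag dependencies in a package.json whose version spec is
// not an exact, pinned version. A spec such as "^1.2.3" or "~1.2.3" lets the
// package manager pull a newer release on the next install, which is exactly
// the unreviewed-update path that pinning is meant to close.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Standard npm dependency fields to inspect.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns an array of { field, name, spec } for every dependency that is not
// pinned to one exact version. An empty array means everything is pinned.
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!EXACT_SEMVER.test(String(spec).trim())) {
        unpinned.push({ field, name, spec });
      }
    }
  }
  return unpinned;
}

// Constructed sample package.json used only to demonstrate the check.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    express: "4.18.2",                          // pinned
    lodash: "^4.17.21",                         // caret range: floats
    "left-pad": "~1.3.0",                       // tilde range: floats
    "some-fork": "github:example/some-fork#main" // branch ref: floats
  },
  devDependencies: {
    jest: "29.7.0",                             // pinned
    eslint: ">=8.0.0"                           // open range: floats
  }
});

// Demo: print each floating dependency so it can be reviewed and pinned.
const demoResult = findUnpinned(SAMPLE_PACKAGE_JSON);
for (const { field, name, spec } of demoResult) {
  console.log(`${field}: ${name} is not pinned (spec "${spec}")`);
}
console.log(`${demoResult.length} unpinned dependenc${demoResult.length === 1 ? "y" : "ies"} found`);
```

Pinning package.json alone only covers direct dependencies; transitive packages still float unless a lockfile is committed and installs use `npm ci`, which fails rather than silently resolving to something other than what the lockfile records.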
zelphirkalt 5 hours ago
Zero-day on frontend has not really any effect, except on one user at a time. Zero-day on a server though ... perhaps we arrive at the conclusion to not use the JS ecosystem on the server side.
nalekberov 6 hours ago
Do zero-days even care about versions?