mjr00 9 hours ago

While you're right, I can only think of twice in my career where there was a "code red, all services must update now", which were log4shell and spectre/meltdown (which were a bit different anyway). I just don't think this comes up enough in practice to be worth optimizing for.
wowohwow 9 hours ago

You have not been in the field very long then, I presume? There are multiple per year that require all hands on deck, depending on your tech stack. Just look at the recent NPM supply chain attacks.
mjr00 9 hours ago

You presume very incorrectly, to say the least. The npm supply chain attacks were only an issue if you don't use lock files. In fact they were a great example of why you shouldn't blindly upgrade to the latest packages when they are available.
wowohwow 9 hours ago

Fair enough, which is why I called out my assumption :). I'm referring to the all-hands-on-deck nature of responding to security issues, not the best practice. For many, the NPM issue was an all hands on deck.
stavros 7 hours ago

Wait, what? I've been wondering why people have been fussing over supply chain vulnerabilities, but I thought they mostly meant "we don't want to get unlucky and upgrade, merge the PR, test, and build the container before the malicious commit is pushed". Who doesn't use lockfiles? Aren't they the default everywhere now? I really thought npm uses them by default.
Aeolun 7 hours ago

We use pretty much the entire nodejs ecosystem, and only the very latest Next.js vulnerability was an all-hands-on-deck vulnerability. That's taken over the past 7 years.
zhivota 7 hours ago

I mean, I just participated in a Next JS incident that required it this week. It has been rare over the years, but I suspect it's getting less rare as supply chain attacks become more sophisticated (hiding their attack more carefully than at present and waiting longer to spring it).
Aeolun 7 hours ago

NextJS was just bog standard "we designed an insecure API and now everyone can do RCE" though. Everyone has been able to exploit that for ages. It only became a problem when it was discovered and publicised.