Slow Russian roulette is still a losing strategy

It’s only a losing strategy if you assume everyone universally adopts the slow strategy, and no research teams spot it in the interim. For things with large splash radius, that’s unrealistic, so defenders have an information advantage.

Makes actual security patches tougher to roll out though - you need to be vigilant to bypass the slowdown when you’re actually fixing a critical flaw. But nobody said this would be easy!

	▲	esseph 12 hours ago \| parent [-]
		> Makes actual security patches tougher to roll out though Yeah. 7 days in 2026 is a LONG TIME for security patches, especially for anything public facing. Stuck between a rock (dependency compromise) and a hard place (legitimate security vulnerabilities). Doesn't seem like a viable long-term solution.

▲

neko_ranger 13 hours ago | parent | prev [-]

but wouldn't it work in this case? sure if a package was compromised for months/years it wouldn't save you

but tell dependabot to delay a week, you'd sleep easy from this nonesense

	▲	tonymet 2 hours ago \| parent [-]
		slowly walking through a minefield isn’t any safer than running. So unless you’re saying the extra time will be spent inspecting every package, whenever you do update, you will be getting an insecure package. You’re not safe by dodging axios. There are currently thousands of breached packages ready to install that aren’t notable. “I’ll run npm install after checking twitter” won’t help