cowl 7 hours ago
Min release age of 7 days for patch releases exposes you to the other side of the coin: you have an open 7-day window for zero-day exploits that might be fixed in a security release.
CGamesPlay 3 hours ago
The packages that are actually compromised are yanked, but I assume you're talking about a scenario more like log4shell. In that case, you can just disable the config to install the update, then re-enable in 7 days. Given that compromised packages are uploaded all the time and zero-day vulnerabilities are comparatively less common, I'd say it's the right call.
n_e 4 hours ago
I haven't checked, but it would be surprising if the min-release-age applied to npm audit and equivalent commands.
tytho 4 hours ago
At least with pnpm, you can specify minimumReleaseAgeExclude temporarily, until the time passes. I imagine the other package managers have similar options.
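To make the trade-off concrete, here is an added example (not pnpm's or npm's code, and not from anyone in the thread) of a toy minimum-release-age resolver: the gate hides any version younger than the window, an exclude list skips the gate for a named package, and a helper reports how many days a fresh security fix stays invisible. The package name, versions and dates are constructed.

```javascript
// Added example, not code from pnpm, npm or anyone in the thread: a toy
// "minimum release age" resolver showing how the gate and an exclude list
// interact. Package name, versions and dates are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry metadata, shaped like the "time" field of an npm
// registry document: version -> ISO publish timestamp.
const SAMPLE_REGISTRY = {
  "example-lib": {
    "1.0.0": "2025-01-01T00:00:00Z",
    "1.0.1": "2025-01-09T00:00:00Z", // hypothetical urgent security fix
  },
};

// Plain x.y.z comparison; enough for the sample data, no prerelease tags.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Highest version whose publish time is at least minReleaseAgeDays old,
// unless the package is on the exclude list (then the gate is skipped).
// Returns null when every version is still inside the window.
function resolveVersion(registry, pkg, { now, minReleaseAgeDays, exclude = [] }) {
  const times = registry[pkg];
  if (!times) throw new Error(`unknown package: ${pkg}`);
  const cutoff = now.getTime() - minReleaseAgeDays * DAY_MS;
  const gated = !exclude.includes(pkg);
  const eligible = Object.keys(times).filter(
    (v) => !gated || Date.parse(times[v]) <= cutoff,
  );
  if (eligible.length === 0) return null;
  return eligible.sort(compareSemver).at(-1);
}

// Whole days until a version published at `publishedAt` clears the gate;
// 0 when it is already installable.
function daysUntilInstallable(publishedAt, now, minReleaseAgeDays) {
  const ready = Date.parse(publishedAt) + minReleaseAgeDays * DAY_MS;
  return Math.max(0, Math.ceil((ready - now.getTime()) / DAY_MS));
}

const now = new Date("2025-01-10T00:00:00Z");
console.log(resolveVersion(SAMPLE_REGISTRY, "example-lib", { now, minReleaseAgeDays: 7 }));
// "1.0.0": the fix is 1 day old, so the gate hides it
console.log(resolveVersion(SAMPLE_REGISTRY, "example-lib", { now, minReleaseAgeDays: 7, exclude: ["example-lib"] }));
// "1.0.1": the exclude list lets the fix through
```

Run with `node`; the first call shows the fix being hidden for another six days, the second shows the exclude list letting it through immediately.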
aetherspawn 4 hours ago
Not really an issue though, right? Because virtually none of these have lasted more than 1-2 days before being discovered?
ksnssjsjsj 7 hours ago
Out of the frying pan and into the fryer.....
freedomben 4 hours ago
Exactly what I thought too when I read this... Urgent fix, patch released, invisible to the dev team because they put in a 7-day wait. Now our app is vulnerable for up to 7 days longer than needed (assuming daily deploys; if less often, pad accordingly). Not a great excuse as to why the company shipped an "updated" version of the app with a standing CVE in it. "Sorry, we were blinded to the critical fix because we set an arbitrary local setting to ignore updates until they are 7 days old." I wouldn't fire people over that, but we'd definitely be doing some internal training.