Your question feels insane to me for production environments. Why aren't you doing a version cutoff of your packages and either pulling them from some network/local cache or baking them into your images?

▲

pavon 2 hours ago | parent | next [-]

That local cache is often implemented as a drop-in replacement for the upstream package repository, and packages are still installed with the same package manager (yum,apt,pip,npm).

▲

arandomhuman 2 hours ago | parent | prev [-]

Aforementioned security vulnerabilities don’t strike as a potential reason to you?

▲

chaps 2 hours ago | parent [-]

Friend, considering the supply chain attacks going on these days, automatically updating everything, immediately, probably isn't the perfect move either.

	▲	bluGill 2 hours ago \| parent \| next [-]
		You need to automatically update from a trusted source. That source better audit and update constantly. Which is hard.
	▲	askl 2 hours ago \| parent \| prev [-]
		Ignoring the real benefits of security updates to prevent the unlikely event of supply chain attacks sounds like a weird tradeoff.