ori_b 2 hours ago

I see, may the people who are responsible for the infrastructure you depend on be less concerned about shifting blame than you are.
john_strinlai 2 hours ago

Imagine you use a dependency in your code. Like left-pad. And some vulnerability is found in left-pad. Is the reporter of that vulnerability responsible for finding and submitting a vulnerability report to every single piece of software that uses left-pad? All ~millions of them? Or do they submit the report to left-pad, get them to fix it at the source, and trust that the people relying on left-pad will update their software like they should when they see a security-relevant update is available?