fnoef 2 hours ago

I’m honestly at a point where I’m afraid to update any of my project’s dependencies, and I’m also afraid to run the locally without some locked down VM

darkwi11ow a minute ago | parent | next

I use Tanstack in my projects. Last week when Tanstack got compromised, it was only my laziness that saved me -- I was thinking about doing pnpm upgrade but got lazy and played some dota... Finished the game, was just going to pnpm upgrade, opened hacker news and boom! The news hit.

Since then, I have set up a libvirt/qemu based VM with another Linux running in it specifically for development. Now I run all of docker, kubernetes, IDE, pnpm, uv, etc. in that VM and removed them from the host. The only write-capable secret the VM has access to is my passphrase-protected ssh key, which I can quickly revoke from my GitHub account in case of compromise. Feels much safer now.

exiguus an hour ago | parent | prev

I also was at this point, and I decided to add cooldowns to every project.

fnoef an hour ago | parent

Yeah, I agree, but then you are at the mercy of whatever vulnerability is found in the current version(s). It just feels like a lose-lose situation no matter what you do.

thrownthatway 6 minutes ago | parent | next

So long as we insist on everything from a light switch, the vacuum cleaner, security camera, clothes dryer, TV, car, and mobile phone being an always-on, always-online Universal Turing Machine, we’re not going to find a solution.

tpetry an hour ago | parent | prev

You can still update to new versions even if the new release is still in cooldown phase. You just have to be explicit that you want the new release.

`pnpm audit --fix`, for example, will whitelist releases in the cooldown phase when there's a known security issue for a version you currently use.
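As an added illustration of the cooldown setup the thread discusses (not code from any commenter above), here is a `pnpm-workspace.yaml` that enforces a release cooldown while still letting you opt a single package into a fresh release explicitly. It assumes pnpm 10.16 or newer, where the `minimumReleaseAge` and `minimumReleaseAgeExclude` settings live; the package names and the 3-day window are placeholder choices, not values from the thread.

```yaml
# pnpm-workspace.yaml (assumed pnpm >= 10.16)
packages:
  - "packages/*"

# Cooldown: refuse to resolve any version published less than
# 3 days (4320 minutes) ago. A compromised release that is
# pulled within that window never reaches `pnpm install`.
minimumReleaseAge: 4320

# Explicit opt-out for packages where you *want* the newest
# release right away, e.g. after a security advisory tells you
# the fix only exists in a version still inside the cooldown.
# Placeholder names; list only the packages you have reviewed.
minimumReleaseAgeExclude:
  - "@example/patched-lib"
```

Keep the exclude list as short and temporary as possible: every entry re-opens the window that the cooldown closed, so remove the name again once the release has aged past `minimumReleaseAge`. Combine this with the usual `pnpm install --frozen-lockfile` in CI so that the lockfile, not the registry's latest tag, decides what gets installed.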