ofjcihen 4 hours ago

This x 1000

I’ve been screaming this from the rooftops. Impact is what was always important. No one is going to take down prod to do an emergency patch on an RCE that COULD NEVER ACTUALLY BE EXPLOITED.

I feel like we’re witnessing the result of multiple roles suddenly becoming security aware but not having the background or understanding to make any sense of it.

cpuguy83 4 hours ago

In an ideal universe, yes. But we live in a world where vulnerability scanners reign supreme.

jamesfinlayson 3 hours ago

Yep, I've updated dependencies with an RCE that can't be exploited in my codebase just to keep my security team happy. Not worth the multiple arguments about it not actually being an issue.