by balibebas 2755 days ago
If something looks innocuous a diligent engineer will review it twice as hard. I used to fail reviews on one-liners during my professional years with people around me asking me what's taking so long—it's just one line of code.

Well, there's definitely a conflict between trying to get things done quickly and reviewing things thoroughly in most development jobs.

You have to weigh the risk of going out of business because you didn't deliver value fast enough vs. the risk of having a security incident.

In the Node ecosystem there are SaaS products (https://greenkeeper.io/) that will automatically update your dependencies, run your tests, and merge in the updates (that line change I showed is an example of what it would look like) if the tests pass. That shows you how much thought Node/JS developers put into upgrading their dependencies.

The event-stream update would be done automatically in this instance because the code still worked, although it was compromised.
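An added example, not from either commenter and not Greenkeeper's code: the comment above describes bots that merge a dependency bump as soon as the tests pass, and a compromised package whose tests still pass sails through that gate. One extra check such a bot could run is a diff of the lockfile itself, holding the pull request for a human whenever the bump drags in a dependency that was not there before, changes a package's integrity hash without a version change, or fetches a package from somewhere other than the expected registry. The sample lockfiles below are constructed for the example (npm package-lock v2/v3 shape, with made-up integrity strings); the names and versions are only illustrative of an update that arrives with a new transitive dependency. The function names and the `allowedHosts` option are this example's own.

```javascript
// Added example (not from the thread or from Greenkeeper): gate an
// automatically proposed dependency update on a diff of package-lock.json,
// not only on the test run. Works on the lockfile v2/v3 shape, where
// "packages" is keyed by the node_modules path of each installed package.

// Constructed sample lockfiles for the example. Integrity values are fake.
const OLD_LOCK = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { 'event-stream': '^3.3.4' } },
    'node_modules/event-stream': {
      version: '3.3.4',
      resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.4.tgz',
      integrity: 'sha512-CONSTRUCTED-OLD-HASH',
    },
  },
};

// A bump that also pulls in a brand-new transitive dependency.
const NEW_LOCK = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { 'event-stream': '^3.3.4' } },
    'node_modules/event-stream': {
      version: '3.3.6',
      resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
      integrity: 'sha512-CONSTRUCTED-NEW-HASH',
      dependencies: { 'flatmap-stream': '0.1.1' },
    },
    'node_modules/flatmap-stream': {
      version: '0.1.1',
      resolved: 'https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz',
      integrity: 'sha512-CONSTRUCTED-ADDED-HASH',
    },
  },
};

// A plain patch bump of the same package with no new dependencies.
const BENIGN_LOCK = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { 'event-stream': '^3.3.4' } },
    'node_modules/event-stream': {
      version: '3.3.5',
      resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.5.tgz',
      integrity: 'sha512-CONSTRUCTED-BENIGN-HASH',
    },
  },
};

// Compare two lockfiles and report added, removed and changed packages.
function diffLockfiles(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const report = { added: [], removed: [], changed: [] };
  for (const path of Object.keys(after)) {
    if (path === '') continue; // root project entry, not a dependency
    if (!(path in before)) {
      report.added.push({ path, version: after[path].version });
      continue;
    }
    const a = before[path], b = after[path];
    const fields = ['version', 'resolved', 'integrity'].filter((f) => a[f] !== b[f]);
    if (fields.length) report.changed.push({ path, fields, from: a.version, to: b.version });
  }
  for (const path of Object.keys(before)) {
    if (path !== '' && !(path in after)) report.removed.push({ path, version: before[path].version });
  }
  return report;
}

function registryHost(resolved) {
  try { return new URL(resolved).host; } catch (e) { return null; }
}

// Decide whether a bot may merge without a human looking at it.
// opts.allowedHosts: registries a package may be fetched from (example's own option).
function autoMergeDecision(oldLock, newLock, opts = {}) {
  const allowedHosts = new Set(opts.allowedHosts || ['registry.npmjs.org']);
  const report = diffLockfiles(oldLock, newLock);
  const reasons = [];
  for (const e of report.added) reasons.push(`new dependency appeared: ${e.path}@${e.version}`);
  for (const e of report.changed) {
    // Same version, different tarball hash: the published artifact changed under us.
    if (e.fields.includes('integrity') && !e.fields.includes('version')) {
      reasons.push(`integrity changed without a version change: ${e.path}`);
    }
  }
  for (const [path, entry] of Object.entries(newLock.packages || {})) {
    if (path === '') continue;
    const host = registryHost(entry.resolved || '');
    if (host && !allowedHosts.has(host)) reasons.push(`${path} resolved from unexpected host ${host}`);
  }
  return { autoMerge: reasons.length === 0, reasons, report };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(autoMergeDecision(OLD_LOCK, NEW_LOCK));    // held: new dependency appeared
  console.log(autoMergeDecision(OLD_LOCK, BENIGN_LOCK)); // merged: version bump only
}
```

With this in front of the merge step, the benign patch bump still merges on green tests, while the bump that brings a package nobody had reviewed before is held for a person to look at; the test suite alone cannot tell those two cases apart, which is the point the comment above is making.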