[dalf]

What if the new node version fix an bug / issue / CVE that doesn't concern the software ?

Is it resonable to postpone the upgrade for later ?

Example : the software uses python requests. A new version fixes CVE-2018-18074 about Authorization header, but you don't use this header, for sure. Is it resonable to upgrade a little bit later ?

[viraptor]

Depends on how mature is your security team/process. Can you spend time tracking separate announced bugs and make case by case decision for each cve? How much would you trust that review? Do you review dependencies which may trigger the same issue?

Or is it going to take less time/effort to upgrade each time?

Or is the code so trivial you can immediately make the decision to skip that patch?

There's no perfect answer - you have to decide what's reasonable for your teams.

[nerdbeere]

The cool thing about serverless infrastructure is that it does not really concern you. As long as you are on a maintained version of the underlying platform your provider will take care of the updates.

If your software runs on a unmaintained platform there won't be any security fixes and that's why amazon forces you to upgrade at some point.

[ldoughty]

AWS, at least, didn't make any promises for updates for serverless Lambda that I can see in their docs.

[nerdbeere]

Right, because it's not relevant to you. You don't care about the underlying infrastructure in terms of security, amazon does that for you.