by charcircuit 1814 days ago
>Obviously we can’t go around updating open source code, just because the security team in our company told us.

This isn't obvious to me. Most open source projects accept contribution from others.

2 comments

> This isn't obvious to me. Most open source projects accept contribution from others.

Of course they do, and I'm more than happy to help with open source projects. My point was that we can't do it just because a security review at my company says so. It's not as simple as updating the version of the affected package; there's also testing involved, and potentially fixing issues due to using a later version. This would almost be a full-time job.

Who says it's important to that maintainer that their project, used as a build-time dependency, has a vulnerability if provided untrusted user input?

What if it requires major upgrades of their framework or toolchain that they don't want someone doing as a drive-by?

What if they require a CLA that your legal team won't let you sign?