by jhutchings0
1519 days ago
Dependabot was created with the philosophy that staying up to date all the time is the best strategy. The main reason for that is that if you wait to update until there's a CVE, there's a chance that you'll be so far out of date that you'll have to sort out breaking changes in your dependencies when there's urgency. It's not a perfect strategy, since there's a non-zero risk that the latest version was hijacked by a malicious user, but the chances of a hijacked dependency are much lower than the chances of relying on something with a known vulnerability.