Hacker News new | ask | show | jobs
by nylonstrung 276 days ago
How much supply chain vulnerability can be mitigated just by pinning known safe versions of dependencies

Did anyone need the newest xz version in the first place? What negative tradeoffs would have come from pinning a 2022 release for example
1 comments
deafpolygon 276 days ago
Depends on the pinned version. The pinned version might even have vulnerabilities themselves. The problem is trusting the ecosystem.
link