[chaps]

Your question feels insane to me for production environments. Why aren't you doing a version cutoff of your packages and either pulling them from some network/local cache or baking them into your images?

[AntiUSAbah]

I don't just run a java spring boot application. I run other things on my production system.

It doesn't matter much were i pull them from though, i only do this with packages which have plenty of dependencies and i don't want to assemble my own minimal image.

[arandomhuman]

Aforementioned security vulnerabilities don’t strike as a potential reason to you?

[chaps]

Friend, considering the supply chain attacks going on these days, automatically updating everything, immediately, probably isn't the perfect move either.

[bluGill]

You need to automatically update from a trusted source. That source better audit and update constantly. Which is hard.

[LtWorf]

Stable distributions have security teams.

[askl]

Ignoring the real benefits of security updates to prevent the unlikely event of supply chain attacks sounds like a weird tradeoff.

[chaps]

A weird tradeoff but an increasingly important tradeoff to keep in mind nonetheless. Like I said, updating immediately isn't a perfect answer. But neither is waiting. I hope you're having this discussion, at least.

[pavon]

That local cache is often implemented as a drop-in replacement for the upstream package repository, and packages are still installed with the same package manager (yum,apt,pip,npm).

[chaps]

No, this is not always the case. Regulated industries pin their package versions and store those versions for pulling.