[Sohcahtoa82]

> At a certain point, is it better to just turn off Dependabot and freeze all NPM packages (minor/patch version and all), rather than continuously update?

But then the compliance team gets annoyed because some CVE with a CVSS score of 3.1 that has a patch available sits unfixed.

[btown]

I wonder if the only thing that will solve this is an insurer or regulator saying that: "A system that automatically pulls updates for dependencies without human review, where said updates are not protected by multi-factor authentication by their respective maintainers, shall not be considered secure."

That would wake NPM up at least to the notion that it's absolutely reasonable to require OSS maintainers to press a button on their phones when releases go out, and that's a good thing not a bad thing.

[DeliciousSeaCow]

Pretty much what the EU Cyber Resiliency Act says re: OSS due diligence, actually.

[lovich]

The core problem is companies skimping on maintenance.

They don’t want to pay engineers to do the analysis manually, and they don’t want to pay for someone to figure out a better automated system.

Would anyone be surprised at their car having problems if they cheaped out on oil changes?