by dns_snek
13 days ago
> Have you rolled the numbers, vs all of the high-pri security updates that will be missed on day one, and exploited?

(Different person here) I don't have data and I don't think I need it. You either have a process to push security-critical updates out very rapidly or you don't. If you have that process then nothing changes for you because that cooldown won't be used in that context. If you don't have that process then nothing changes for you because you weren't pushing out those time-sensitive patches to begin with. But now you won't get hit by drive-by supply chain attacks. The vast majority of "high severity vulnerabilities" in your dependencies are just noise by virtue of not being exploitable in the manner that they're used in your project.
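The two-lane policy the comment describes (a cooldown for routine dependency bumps, bypassed only when the installed version is known-vulnerable) is small enough to state as code. The following is an added example, not code from the commenter or from any particular dependency-update tool; the `Release` and `Advisory` types, the `select_update` function, the registry timestamps and the advisory data are all constructed for illustration, and the advisory model is deliberately simplified to "every version below `fixed_in` is affected".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of what a registry exposes per release: version + publish time (UTC).
@dataclass(frozen=True)
class Release:
    version: str
    published: datetime

# Constructed, simplified advisory: all versions below `fixed_in` are vulnerable.
@dataclass(frozen=True)
class Advisory:
    fixed_in: str

def vkey(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def is_affected(installed: str, advisory: Advisory) -> bool:
    return vkey(installed) < vkey(advisory.fixed_in)

def select_update(installed: str, releases: list, advisories: list,
                  now: datetime, cooldown: timedelta) -> tuple:
    """Return (version_to_install, lane).

    Security lane: if the installed version is affected by an advisory, move to the
    *first* release that carries the fix immediately, ignoring the cooldown; taking
    the smallest fixing release keeps the change minimal.
    Cooldown lane: otherwise only consider releases that have been public for at
    least `cooldown`, and take the newest of those. A release published yesterday
    is exactly the kind of thing a drive-by supply-chain compromise looks like, so
    it waits.
    """
    for adv in advisories:
        if is_affected(installed, adv):
            fixing = sorted((r for r in releases if vkey(r.version) >= vkey(adv.fixed_in)),
                            key=lambda r: vkey(r.version))
            if fixing:
                return fixing[0].version, "security"

    eligible = [r for r in releases
                if vkey(r.version) > vkey(installed) and now - r.published >= cooldown]
    if not eligible:
        return installed, "hold"
    return max(eligible, key=lambda r: vkey(r.version)).version, "cooldown"

# Constructed sample data: a stale-but-safe release, a one-day-old patch, a five-day-old minor.
UTC = timezone.utc
NOW = datetime(2024, 6, 15, tzinfo=UTC)
COOLDOWN = timedelta(days=7)
RELEASES = [
    Release("1.4.2", datetime(2024, 5, 1, tzinfo=UTC)),
    Release("1.4.3", datetime(2024, 6, 14, tzinfo=UTC)),
    Release("1.5.0", datetime(2024, 6, 10, tzinfo=UTC)),
]
ADVISORY_143 = Advisory(fixed_in="1.4.3")

if __name__ == "__main__":
    # No advisory: nothing newer has aged past the cooldown, so hold at 1.4.2.
    print(select_update("1.4.2", RELEASES, [], NOW, COOLDOWN))
    # Advisory says 1.4.2 is vulnerable: take 1.4.3 now, even though it is a day old.
    print(select_update("1.4.2", RELEASES, [ADVISORY_143], NOW, COOLDOWN))
    # Ten days later, with no advisory, the cooldown lane lands on 1.5.0.
    print(select_update("1.4.2", RELEASES, [], NOW + timedelta(days=10), COOLDOWN))
```

The point the comment makes falls out of the structure: the `cooldown` value never enters the security lane, so an organisation with a fast security-patch process loses nothing by adding it, while every routine bump still waits out the window.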