Hacker News
johtso, 34 days ago | on: Shai-Hulud malware attack: Tinycolor and over 40 N...
Maybe one approach would be to pin all dependencies, and not use any new version of a package until it reaches a certain age. That would hopefully be enough time for any issues to be discovered?
rapfaria, 34 days ago
People living on the latest packages with their dependabots never made any sense to me, ADR. They trusted their system too much.
LtWorf, 34 days ago
If you don't review the pinned versions, it makes no difference.
pfych, 34 days ago
Packages can still be updated, even if pinned. If a dependency of a dependency is not pinned, it can still be updated.