463 points saeedesmaili | 1 comments
joshdavham No.45310108
There’s some advice that’s been going around lately that I’ve been having trouble understanding: the idea that you should not be updating your dependencies when new patches are released (e.g., X.X.PATCH).

I understand that not updating your dependencies when new patches are released reduces the chance of accidentally installing malware, but aren’t patches regularly released in order to improve security? Wouldn’t it generally be considered unwise to not install new patches?

replies(5): >>45310532 >>45310696 >>45311618 >>45312565 >>45312936
1. flanbiscuit No.45310532
I believe it's about waiting a bit before a new patch is released, not fully avoiding installing updates. Seems like compromises are being caught quickly these days, usually within hours. There are multiple companies monitoring npm package releases because they sell security scanning products and so it's part of their business to be on top of it.

pnpm has a setting where you can tell it that a package needs to be at least X minutes old in order to install it. I would wait at least 24 hours just to be safe.

https://pnpm.io/settings#minimumreleaseage
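As an added illustration of what such a minimum-release-age gate does (example code, not from the thread and not pnpm's own implementation): given a package's registry metadata, pick the most recently published version that has been on the registry for at least N minutes and skip anything fresher. The package name, versions and timestamps below are constructed; the `time` field mirrors the shape the npm registry returns.

```javascript
// Added example: resolve a version only if it has been published for at
// least `minAgeMinutes`, the policy a minimum-release-age setting enforces.
// Not pnpm's code. The packument below is constructed sample data.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.4.1' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2025-09-19T12:30:00.000Z',
    '1.3.0': '2025-08-01T10:00:00.000Z',
    '1.4.0': '2025-09-10T09:00:00.000Z',
    '1.4.1': '2025-09-19T12:30:00.000Z', // pushed minutes ago, not yet vetted
  },
};

// Returns the most recently published version whose publish time is at least
// `minAgeMinutes` before `now`, or null when every version is too fresh.
// Ordering is by publish timestamp, i.e. by when a release actually appeared
// on the registry, which is what the age gate cares about.
function selectMatureVersion(packument, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  let best = null;
  for (const [version, iso] of Object.entries(packument.time)) {
    if (version === 'created' || version === 'modified') continue;
    const published = Date.parse(iso);
    if (Number.isNaN(published) || published > cutoff) continue; // too fresh
    if (best === null || published > best.published) {
      best = { version, published };
    }
  }
  return best ? best.version : null;
}

// True when the `latest` dist-tag itself is old enough to install.
function latestIsMature(packument, minAgeMinutes, now = new Date()) {
  const latest = packument['dist-tags'].latest;
  const published = Date.parse(packument.time[latest]);
  return now.getTime() - published >= minAgeMinutes * 60 * 1000;
}

// With a 24-hour (1440 minute) gate evaluated at 2025-09-19T13:00Z,
// 1.4.1 is only 30 minutes old and is skipped in favour of 1.4.0.
const evaluatedAt = new Date('2025-09-19T13:00:00.000Z');
console.log(selectMatureVersion(SAMPLE_PACKUMENT, 1440, evaluatedAt)); // 1.4.0
console.log(latestIsMature(SAMPLE_PACKUMENT, 1440, evaluatedAt)); // false
```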