421 points saeedesmaili | 1 comments
joshdavham No.45310108
There’s some advice that’s been going around lately that I’ve been having trouble understanding: the idea that you should not be updating your dependencies when new patches are released (e.g., X.X.PATCH).

I understand that not updating your dependencies when new patches are released reduces the chance of accidentally installing malware, but aren’t patches regularly released in order to improve security? Wouldn’t it generally be considered unwise to not install new patches?

1. junon No.45311618
The attack that hit my packages two weeks ago was a patch release, taking advantage of this exact assumption. Wasn't a Post-Install script either.

With all of the latest in automated scanning and whatnot, this is more or less a moot point. You'll know when a package is vulnerable, and the alarm bells are loud and unambiguous. I really agree, and have always pushed the point, that version ranges are the worst things you can have if you care about supply chain attacks.
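An added illustration of the point about version ranges (example code, not the commenter's or any project's own): a minimal resolver for the common npm specifiers shows that a caret or tilde range accepts a freshly published patch release, while an exact pin does not, plus a small check that reports non-exact specifiers in a package.json. The package names, versions and registry listing are constructed for the example.

```javascript
// Parse "MAJOR.MINOR.PATCH" into a numeric triple (no pre-release tags).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Supports exact "1.2.3", caret "^1.2.3" and tilde "~1.2.3" specifiers.
function satisfies(spec, version) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parse(op ? spec.slice(1) : spec);
  const v = parse(version);
  if (cmp(v, base) < 0) return false;
  if (op === '') return cmp(v, base) === 0;        // exact pin
  if (op === '~') return v[0] === base[0] && v[1] === base[1]; // patch-level drift
  if (base[0] > 0) return v[0] === base[0];        // caret: same major
  return v[0] === 0 && v[1] === base[1];           // caret on 0.x: same minor
}

// What an install without a lockfile would select: the highest matching version.
function resolve(spec, available) {
  const ok = available
    .filter((v) => satisfies(spec, v))
    .sort((a, b) => cmp(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Report dependencies whose specifier is not an exact version.
function unpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(spec)) out.push(`${field}.${name}: ${spec}`);
    }
  }
  return out;
}

// Constructed sample data: not real packages or releases.
const pkg = { dependencies: { 'example-lib': '^4.1.0', 'other-lib': '2.0.5' } };
const registry = ['4.1.0', '4.1.1', '4.1.2', '5.0.0']; // 4.1.2 is the new patch
console.log(resolve('^4.1.0', registry)); // -> 4.1.2, the new patch is pulled in
console.log(resolve('4.1.0', registry));  // -> 4.1.0, the exact pin stays put
console.log(unpinned(pkg));               // -> ['dependencies.example-lib: ^4.1.0']
```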