
474 points saeedesmaili | 1 comment
joshdavham No.45310108
There’s some advice that’s been going around lately that I’ve been having trouble understanding: the idea that you should not be updating your dependencies when new patches are released (e.g., X.X.PATCH).

I understand that not updating your dependencies when new patches are released reduces the chance of accidentally installing malware, but aren’t patches regularly released in order to improve security? Wouldn’t it generally be considered unwise to not install new patches?

replies(5): >>45310532 >>45310696 >>45311618 >>45312565 >>45312936
1. weinzierl No.45312565
The tension between improvement and regression when updating is real and ubiquitous, but it is worse for apps in the npm ecosystem (like Obsidian).

Not only is npm a prominent target, but it also does not allow packages to be removed or blocked for usage without a human on their side in the loop.

The result is that they are slow to remove malicious packages, and slowing down your own updates helps to mitigate this a little.
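The "slow down your own updates" mitigation from the comment above, as an added example that is not part of the thread and not code from npm or Obsidian: given an npm registry packument (the JSON served at https://registry.npmjs.org/&lt;name&gt;, whose `time` field records when each version was published), pick the newest patch release of the installed major.minor line that has already been on the registry for a minimum number of days, so a freshly published malicious patch has time to be reported and pulled before you take it. The package name, the `pickDelayedPatch` function name and the packument contents are constructed sample data, not a real package.

```javascript
// Added example (not from the original thread): delayed patch selection for an
// npm dependency, driven by the registry packument's publish timestamps.
// SAMPLE_PACKUMENT below is constructed data for a hypothetical package.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(v) {
  const m = SEMVER.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

function compareSemver(a, b) {
  // Only applied to stable versions here, so major.minor.patch ordering suffices.
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns the highest X.Y.PATCH version (same major.minor as `installed`) whose
// registry publish time is at least `minAgeDays` before `now`. Never returns a
// version lower than `installed`, so a too-new patch just means "stay put".
function pickDelayedPatch(packument, installed, minAgeDays, now = new Date()) {
  const cur = parseSemver(installed);
  if (!cur) throw new Error(`installed version is not semver: ${installed}`);
  const cutoff = now.getTime() - minAgeDays * 86400 * 1000;

  let best = { version: installed, parsed: cur };
  for (const [version, meta] of Object.entries(packument.versions)) {
    const p = parseSemver(version);
    if (!p || p.prerelease) continue;                             // stable releases only
    if (p.major !== cur.major || p.minor !== cur.minor) continue; // X.Y.PATCH line only
    if (meta.deprecated) continue;                                // registry-flagged deprecations
    const published = packument.time[version];
    if (!published) continue;                                     // no timestamp: age unknown, skip
    if (Date.parse(published) > cutoff) continue;                 // younger than the quarantine window
    if (compareSemver(p, best.parsed) > 0) best = { version, parsed: p };
  }
  return best.version;
}

// Constructed packument for a hypothetical package. Version objects are
// trimmed to the one field the selector reads (`deprecated`).
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.0" },
  versions: {
    "1.4.0": {},
    "1.4.1": {},
    "1.4.2": {},
    "1.4.3": { deprecated: "published by mistake, use 1.4.2" },
    "1.4.4-rc.1": {},
    "1.5.0": {},
    "2.0.0": {},
  },
  time: {
    created: "2023-11-01T00:00:00.000Z",
    modified: "2024-03-03T00:00:00.000Z",
    "1.4.0": "2024-01-10T00:00:00.000Z",
    "1.4.1": "2024-02-01T00:00:00.000Z",
    "1.4.2": "2024-03-01T12:00:00.000Z",
    "1.4.3": "2024-02-10T00:00:00.000Z",
    "1.4.4-rc.1": "2024-01-25T00:00:00.000Z",
    "1.5.0": "2024-03-02T00:00:00.000Z",
    "2.0.0": "2024-03-03T00:00:00.000Z",
  },
};

// Fixed "now" so the example is reproducible.
const NOW = new Date("2024-03-05T00:00:00.000Z");

// With a 7-day window, 1.4.2 (published 4 days ago) is held back and 1.4.1 wins.
console.log(pickDelayedPatch(SAMPLE_PACKUMENT, "1.4.0", 7, NOW)); // → 1.4.1
// With no window the newest non-deprecated stable patch is taken.
console.log(pickDelayedPatch(SAMPLE_PACKUMENT, "1.4.0", 0, NOW)); // → 1.4.2
```

The same effect can be had from npm itself with `npm install --before=<date>`, which only considers versions published on or before the given time; the script above is the per-package form of that rule, restricted to the patch line the comment is talking about, and it deliberately ignores prereleases and versions the registry has already marked deprecated.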