Comment by nylonstrung
8 months ago
How much supply chain vulnerability can be mitigated just by pinning known safe versions of dependencies
Did anyone need the newest xz version in the first place? What negative tradeoffs would have come from pinning a 2022 release for example
Depends on the pinned version. The pinned version might even have vulnerabilities themselves. The problem is trusting the ecosystem.