
Comment by time4tea

5 days ago

Been saying this for years!

All the security theatre!

False urgency is a red flag when it comes to emails and SMS. I don't see why people don't see the same when it comes to dependency alerts.

The vast vast majority of alerts are totally useless, when it comes to your actual deployed system, unexploitable and irrelevant.

Rushing to update causes make-work, churn and loss of focus on the real.

Don't get me wrong, I love secure systems, but dependency theatre doesn't make it.

Very, very occasionally, you'll get a high-priority signal, and then yes, act on it immediately. Your deployment systems should be designed so that this is just another release. No expedited shortcuts, just another day.

Reducing dependencies, defense in depth, validation, type-safe, null-safe languages, etc.: all good. Endless Dependabot PRs with no understanding of the reason or impact: bad.