Comment by cluckindan 4 days ago Just use dependency cooldown. It will mitigate a lot of risk. 3 comments cluckindan Reply yoavm 4 days ago If you started your Node project yesterday, wouldn't that mean you'd get the fix later? flexd 4 days ago no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions oldedit: but if that's also compromised earlier... \o/ cluckindan 4 days ago Obviously you bypass the cooldown to fix critical issues.
yoavm 4 days ago If you started your Node project yesterday, wouldn't that mean you'd get the fix later? flexd 4 days ago no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions oldedit: but if that's also compromised earlier... \o/ cluckindan 4 days ago Obviously you bypass the cooldown to fix critical issues.
flexd 4 days ago no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions oldedit: but if that's also compromised earlier... \o/
If you started your Node project yesterday, wouldn't that mean you'd get the fix later?
no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions old
edit: but if that's also compromised earlier... \o/
Obviously you bypass the cooldown to fix critical issues.