Comment by tedivm

3 hours ago

This advice leaves you vulnerable to log4j style vulnerabilities that get discovered though.

The answer is a balance. Use Dependabot to keep dependencies up to date, but configure a dependency cooldown so you don't end up installing anything too new. A seven day cooldown would keep you from being vulnerable to these types of attacks.

1 comment

tedivm

Reply
SAI_Peregrinus  2 hours ago

Cooldowns only work if enough people don't use cooldowns (or don't use cooldowns longer than yours) for attacks to get noticed.