Comment by fragmede
17 hours ago
But how do you know which one is good? If foo package sends out an announcement that v1.4.3 was hacked, upgrade now to v1.4.4, and you're on v1.4.3, waiting a week seems like a bad idea. But if the hackers are the ones sending the announcement, then you'd really want to wait the week!
Malicious versions are recalled and removed when caught, so you don't need to update to the next version.
An announcement isn't a quiet action. One would hope that the real maintainers would notice & take action.