• acockworkorange@mander.xyz
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    Do you really need to download new versions at every build? I thought it was common practice to use the oldest safe version of a dependency that offers the functionality you want. That way your project can run on less up to date systems.

    • treadful@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Okay, but are you still going to audit 200 individual dependencies even once?

    • baseless_discourse@mander.xyz
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      9 months ago

      Most softwares do not include detailed security fixes in the change log for people to check; and many of these security fixes are in dependencies, so it is unlikely to be documented by the software available to the end user.

      So most of the time, the safest “oldest safe” version is just the latest version.

      • acockworkorange@mander.xyz
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        9 months ago

        So only protects like Debian do security backports?

        Edit: why the downvote? Is this not something upstream developers do? Security fixes on older releases?

        • Kelly@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Backports for supported versions sure,.

          That’s why there is an incentive to limit support to latest and maybe one previous release, it saves on the backporting burden.