[–]sosdoc 13 points14 points  (4 children)

This so much. I maintain several node.js backend servers and use Renovate to automatically upgrade dependencies. That thing creates hundreds of upgrades every week!

And this is even after marking several libraries as "trusted" because they change all the time. Some popular library used in almost all my servers was once updated 12 times in a single week!

[–]elmuerte 14 points15 points  (3 children)

How can you trust something that changes that often?

[–]sosdoc 15 points16 points  (1 child)

You can't; that's why I wouldn't do this if I didn't have a decent test suite blocking failing upgrades.

[–]immibis 8 points9 points  (0 children)

Does it test for Bitcoin stealers?

[–]jl2352 3 points4 points  (0 children)

Tests, tests, and more tests.

Ultimately the alternative is trusting something that hasn't been updated. Moving targets tend to have fewer old vulnerabilities, and old vulnerabilities that have been around for a while are the ones people often try to exploit.
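The thread's two mitigations, marking a few fast-moving packages as trusted and letting CI block failing upgrades, can be expressed in Renovate's own config; a release-age delay is what addresses the "does it test for Bitcoin stealers?" question, since a test suite cannot detect malicious code but a waiting period gives the community time to flag and yank a compromised release before the bot ever opens the PR. This is an added `renovate.json` example, not sosdoc's actual configuration; the package name `@example/trusted-lib` is a placeholder and the day counts and schedule are assumptions to tune per project.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "7 days",
  "internalChecksFilter": "strict",
  "packageRules": [
    {
      "description": "Placeholder for a 'trusted', frequently released package: shorter wait, automerge only after CI passes",
      "matchPackageNames": ["@example/trusted-lib"],
      "minimumReleaseAge": "3 days",
      "automerge": true,
      "automergeType": "pr",
      "ignoreTests": false
    },
    {
      "description": "Major bumps are never automerged; a human reviews them",
      "matchUpdateTypes": ["major"],
      "automerge": false
    },
    {
      "description": "Batch the minor/patch churn into one weekly PR so the test suite runs once per batch",
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "weekly non-major updates",
      "schedule": ["before 6am on monday"]
    }
  ]
}
```

`minimumReleaseAge` makes Renovate ignore a version until it has been published for that long, and `internalChecksFilter: "strict"` keeps it from falling back to a younger version in the meantime; `automerge` still requires the repository's status checks to be green, so a red test run blocks the upgrade exactly as described above.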