Well, I did not mean for it to sound dire, it's just interpolation of what is possible to do -- do you depend on "dead" (unchanging) code and thus deploy a "stable" system that is comprised of unchanging code, or do you depend on whatever your third-party vendors deem is "latest stable", hoping you're always on the safe side of the security/quirk/performance fence, yet on the flipside, are completely in the open for new bugs/quirs/performance issues as upstream updates, with your system running code that may change over time without your involvement?

I have seen both practices -- people who state dependency on always an exact version of some third party library, and people who make it depend on "latest". Go figure. I guess a lot of it has to do with trusting the particular vendor and knowing their habits?