https://calpaterson.com/deps.html
Article
- Argues delaying dependency updates makes you a free-rider on others who catch supply chain attacks
- Proposes “Upload Queues” — mandatory holding periods on package registries before publication
- Shifts the burden to registries/publishers rather than individual teams
Discussion
- tptacek not present; debate centers on whether cooldowns shift risk or just delay it
- Counter: staged rollouts are net positive for society even if asymmetric
- CVE exception problem: security patches need fast paths, which attackers could exploit
- Audit-sharing proposed as better alternative — cooldown ends when someone publishes a review