You Should Not Update Your Dependencies

https://news.ycombinator.com/rss
Summary

The simpler times… Rare historical photograph of a SysAdmin, an ancient species that would later evolve into modern DevOps, circa January 1999. The specimen, barely containing his excitement at the release of Linux 2.2 and the prospect of the upcoming LinuxWorld Expo, is performing the bi-yearly software patching ritual in production with his obligate mutualist (colloquially known as "the software vendor sales dude").

I started in tech in the late 90s after dropping out of college. My first metal server got compromised in two weeks. (Yes, phpMyAdmin. Yes, unpatched. Yes, still ashamed.) Literally the first thing we deeply internalized in that era was to "very carefully review what you depend on, read all changelogs and patches, apply timely, always be up to date". Pretty sure that sounds quaint, even alien, to most of the npm-dependabot-trigger-happy folks…

Nowadays, in the face of a sweeping, seemingly insurmountable onslaught of devastating supply chain incidents, some package managers have started recommending not updating dependencies until a certain number of days have passed (just to make sure, you know, that the idiots who go in front of you pay the price and spot the issues first…). What has long been a staple of basic software security hygiene and vernacular wisdom is now considered harmful: do not update too soon, or expose yourself to ongoing supply chain attacks. Of course, not upgrading does expose you to active campaigns against (technically patched) upstream CVEs. Damned if you do. Damned if you don't.

The old operating model was indeed fine in a much smaller, simpler tech world, in a more controlled and siloed environment, where you would depend on a handful of formally defined vendors that you could manually vet, and where complex supply chain issues and larger-than-life dependency lists were… not even a sci-fi concept.
The massive shift towards open-source over the past two to three decades (in part sustained by a better security story: "you benefit from much b...

First seen: 2026-05-28 01:00

Last seen: 2026-05-28 01:00