this post was submitted on 18 Apr 2026
73 points (92.9% liked)

Technology

all 13 comments
Sv443@sh.itjust.works 37 points 1 week ago (2 children)

that's why I always implement encryption myself and never update anything

VibeSurgeon@piefed.social 2 points 1 week ago

Not Invented Here includes the whole stack, including the operating system and the hardware

AA5B@lemmy.world 17 points 1 week ago (1 children)

I’m not buying this. Sure, minimizing dependencies is a good practice, but not updating? That’s a recipe for disaster.

It’s important to note that you can’t predict supply chain attacks or vulnerabilities, and vulnerabilities are much more common. Also, while frequent updates might expose you to that supply chain attack more quickly, it also mitigates it more quickly. Frequent updates in combination with vulnerability scanning, and limiting downloads to reputable sources (that try to prevent supply chain attacks and discover them quickly), is a much better approach.

There’s also the maintainability argument, which I’m having right now with a couple of our legacy software teams. Not updating can lock you into the past, for entire ecosystems of dependencies. You can’t update if you have to, you can’t take advantage of new features anywhere in the ecosystem, and it’s now an expensive emergency when something stops being maintained or has an unresolved vulnerability. If you’re being continually kept up, then choices or features are easy.

Then the goal is how do you automate your updates as smoothly as possible so they do not become noise, do not create extra work? Tools like Dependabot and Renovate bot have a lot of config options to help with that.
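As an added example (not from the thread, and not taken from the Renovate project's own documentation), here is a renovate.json5 that applies the approach described above: keep updating automatically, but put a release-age cooldown in front of new versions so a freshly published, possibly compromised release is not pulled in within the hour, while vulnerability fixes are surfaced separately for review. The option names are Renovate's; the specific values (7 days, the PR limit, the schedule) are illustrative choices.

```json5
{
  // Shared baseline: sensible defaults, pin/ignore behaviour, etc.
  extends: ["config:recommended"],

  // Batch the noise: one update window per week, at most 5 open PRs.
  schedule: ["before 6am on monday"],
  prConcurrentLimit: 5,
  dependencyDashboard: true,

  // Supply-chain cooldown: do not propose a version until it has been
  // published for 7 days. Malicious releases are usually reported and
  // yanked well within that window, so the exposure is mostly avoided
  // while the project still tracks upstream closely.
  minimumReleaseAge: "7 days",

  // Wait for the registry/CI status checks the cooldown implies to go green.
  internalChecksFilter: "strict",

  // Known-vulnerable versions are the one case where waiting is the risk,
  // so have Renovate query OSV and label those PRs for immediate review.
  osvVulnerabilityAlerts: true,
  vulnerabilityAlerts: {
    labels: ["security"],
  },

  packageRules: [
    {
      description: "Low-risk patch/minor bumps of build-time deps merge on their own once they pass the cooldown",
      matchDepTypes: ["devDependencies"],
      matchUpdateTypes: ["minor", "patch"],
      automerge: true,
    },
    {
      description: "Anything that ships to production or changes a major version gets a human reviewer",
      matchUpdateTypes: ["major"],
      automerge: false,
    },
  ],
}
```

The combination is the point: the cooldown guards against the "updated too quickly" failure, and the vulnerability-alert path guards against the "never updated" one, without anyone merging blindly.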

corsicanguppy@lemmy.ca 4 points 1 week ago

not updating? That’s a recipe for disaster.

Not blindly updating.

It's a different thing.

SnoringEarthworm@sh.itjust.works 14 points 1 week ago (1 children)

The careful reader may note that my title is not quite accurate. It’s not every dependency you add that’s a problem; it’s every dependency you update.

Why not put that in the title, Mr. Hoyt?

renegadespork@lemmy.jelliefrontier.net 13 points 1 week ago (1 children)

Every dependency you don’t update is a zero day waiting to happen. All software carries risk.

corsicanguppy@lemmy.ca 1 point 1 week ago (1 children)

Every dependency you don’t update is a zero day waiting to happen. All software carries risk.

In the same breath you're advocating updating without checking, and saying why that's an issue. You ... realize that, right?

You're so close to realising the reason enterprise distros do backports.

you're advocating updating without checking,

Uh… no. That’s not what I said. I said there’s risk in both updating and not updating. You need to do the assessment to decide which one is best for the situation.

NGC2346@sh.itjust.works 3 points 1 week ago

At this point just stop using a computing device

Dremor@lemmy.world 3 points 1 week ago

Only if you don't check when you update your deps.