Hacker News

bfivyvysj, today at 12:10 AM (4 replies)

Why would you patch a security vuln in a later version? Should be patched in all versions... that's what semver is for.


Replies

pavon, today at 2:47 AM

A patch update is a newer version, and they are just as likely to be compromised by supply chain attacks as minor or major updates.

raincole, today at 1:56 AM

Who is 'you' here? All of the npm package maintainers?

Yes, if they all just backport security patches we'll be fine. No, people are not going to just.

jpleger, today at 1:03 AM

Ah yes, the incredibly common practice of... *checks notes* ...backporting security patches in node packages.

kijin, today at 1:04 AM

Semver doesn't help if you just declare all older versions EOL.

What you're looking for are Debian stable packages. :p