So what do we do? Pin our dependencies (to hashes when possible), and only update when there are CVE...

clbrmbr • today at 10:45 AM • 2 replies • view on HN

So what do we do? Pin our dependencies (to hashes when possible), and only update when there are CVEs?

But problem is this could lead to abuse of the CVE system to try to force rapid adoption of attacked packages. What prevents this?

papichulo2023 • today at 10:56 AM

Run everything as sudo so they cant escalate any further ;)

➕ show 1 reply

throawayonthe • today at 10:47 AM

Nothing :D

alt Hacker News