That's a good point. For me it's getting people to realize they need to take up practices that help minimize these things. It's kinda an us-and-them problem.
We need to ensure we don't just blindly install the latest, patch every CVE by just bumping everything to the latest even if the vulnerability has nothing to do with their system or use of said library.
We should have rules that we install the latest that's older than three days.
We should be running "npm audit" and other stuff like Trivy.
The three day rule alone could save most people.
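An added example of the three-day cooldown rule described above (this is my own illustrative code, not something anyone in the thread posted): given the "time" map that an npm registry package document carries (ISO timestamps keyed by version, plus "created" and "modified"), it returns the newest version whose publish timestamp is at least N days old, skipping pre-releases unless asked for them. The registry data and the clock value are constructed here so the script runs offline; in practice you would fetch the package document from the registry and pass its "time" field in.

```python
"""Select the newest version of a package that has been public for at least a
cooldown window ("install the latest that's older than N days").

The registry metadata and the reference clock below are constructed sample
values, not fetched from a real registry."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the "time" field of an npm registry package document.
SAMPLE_REGISTRY_TIME = {
    "created": "2023-01-01T00:00:00.000Z",
    "modified": "2024-06-10T12:00:00.000Z",
    "1.2.0": "2024-03-01T10:00:00.000Z",
    "1.2.1": "2024-05-20T09:30:00.000Z",
    "1.3.0-beta.1": "2024-06-01T08:00:00.000Z",  # pre-release, old enough
    "1.3.0": "2024-06-09T15:00:00.000Z",         # published ~1 day before NOW
    "1.3.1": "2024-06-10T12:00:00.000Z",         # published hours before NOW
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 10, 18, 0, tzinfo=timezone.utc)


def parse_timestamp(ts):
    """Parse a registry ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version):
    """Sortable key for a semver-like string; a pre-release sorts below its final release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return (nums, 0 if pre else 1, pre)


def version_age_days(time_field, version, now=NOW):
    """Whole days since 'version' was published, according to the registry 'time' map."""
    return (now - parse_timestamp(time_field[version])).days


def select_cooled_version(time_field, min_age_days, now=NOW, allow_prerelease=False):
    """Return the newest version published at least 'min_age_days' before 'now',
    or None when every version is younger than the cooldown window."""
    cutoff = now - timedelta(days=min_age_days)
    candidates = []
    for version, ts in time_field.items():
        if version in ("created", "modified"):
            continue  # package-level bookkeeping, not a version
        if "-" in version and not allow_prerelease:
            continue  # pre-release tags are opt-in
        if parse_timestamp(ts) > cutoff:
            continue  # too fresh: still inside the cooldown window
        candidates.append(version)
    if not candidates:
        return None
    return max(candidates, key=version_key)


if __name__ == "__main__":
    for days in (0, 3, 30):
        chosen = select_cooled_version(SAMPLE_REGISTRY_TIME, days)
        age = version_age_days(SAMPLE_REGISTRY_TIME, chosen) if chosen else None
        print(f"cooldown={days}d -> {chosen} (published {age} days ago)")
```

Returning None for the fully-fresh case matters: a pinning script should fail loudly (and keep the currently locked version) rather than silently fall back to whatever is newest.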
> The three day rule alone could save most people.
The three-day 'rule' is just you hoping that someone else does some free work for you. If it is adopted by everyone, it has zero effect.
We need rules that still work if people follow them.