How much supply chain vulnerability can be mitigated just by pinning known safe ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		nylonstrung 3 months ago \| parent \| context \| favorite \| on: Less is safer: Reducing the risk of supply chain a... How much supply chain vulnerability can be mitigated just by pinning known safe versions of dependencies Did anyone need the newest xz version in the first place? What negative tradeoffs would have come from pinning a 2022 release for example

deafpolygon 3 months ago [–]

Depends on the pinned version. The pinned version might even have vulnerabilities themselves. The problem is trusting the ecosystem.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact