Comment by abalone a day ago

Sure, but there's an obvious tradeoff: You're also delaying the uptake of fixes for zero-day vulnerabilities.

The article does not discuss this tradeoff.

awesome_dude a day ago

Ye Olde "Cache Invalidation" problems really

Instead of updating the cache of dependencies you have immediately, the suggestion is to use the cooldown to wait...

As you point out, this means that you have a stale cache member when a critical fix has been applied.

Next week's solution - have a dependency management tool that alerts you when critical fixes are created upstream for dependencies you have

Followed by - now the zero-day authors are publishing their stuff as critical fixes...

Hilarity ensues
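The tradeoff the two comments describe (a cooldown delays fixes; an "alert on critical fixes" override invites attackers to label their releases as critical fixes) can be expressed as a small policy. The following is an added example, not code from the thread or from any dependency tool: it holds new versions back for a cooldown period, lets a version through early only when a curated advisory feed names it as the fix for a high or critical issue, and ignores "this is a security fix" claims that come only from the package's own metadata. The package name `examplelib`, the feed names `osv` and `ghsa`, the advisory source `package-changelog`, the dates and the versions are all constructed sample data.

```python
"""Dependency cooldown with a trusted-advisory override (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

COOLDOWN_DAYS = 7
# Hypothetical names for curated advisory feeds that we trust to classify fixes.
TRUSTED_ADVISORY_SOURCES = {"osv", "ghsa"}
OVERRIDE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Release:
    package: str
    version: str
    published: datetime


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str   # the release that closes the advisory
    severity: str
    source: str          # where the advisory came from


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions such as 1.2.10 > 1.2.9."""
    return tuple(int(part) for part in version.split("."))


def is_eligible(release: Release, advisories: Iterable[Advisory], now: datetime,
                cooldown_days: int = COOLDOWN_DAYS) -> Tuple[bool, str]:
    """Return (eligible, reason) for adopting `release` at time `now`."""
    age = now - release.published
    if age >= timedelta(days=cooldown_days):
        return True, "cooldown elapsed"
    # Early adoption only on a severe advisory from a curated feed; a release
    # that merely calls itself a critical fix does not bypass the cooldown.
    for adv in advisories:
        if (adv.package == release.package
                and adv.fixed_version == release.version
                and adv.severity in OVERRIDE_SEVERITIES
                and adv.source in TRUSTED_ADVISORY_SOURCES):
            return True, f"trusted {adv.severity} advisory from {adv.source}"
    return False, f"in cooldown ({age.days} of {cooldown_days} days)"


def choose_version(candidates: Iterable[Release], advisories: Iterable[Advisory],
                   now: datetime, cooldown_days: int = COOLDOWN_DAYS) -> Optional[Release]:
    """Pick the newest candidate that the policy allows, or None."""
    advisories = list(advisories)
    for rel in sorted(candidates, key=lambda r: version_key(r.version), reverse=True):
        ok, _ = is_eligible(rel, advisories, now, cooldown_days)
        if ok:
            return rel
    return None


# Constructed sample data: three releases of a made-up package and two
# advisories, one from a curated feed and one only from the package's changelog.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
RELEASES = [
    Release("examplelib", "1.2.0", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Release("examplelib", "1.2.1", datetime(2024, 6, 12, tzinfo=timezone.utc)),
    Release("examplelib", "1.2.2", datetime(2024, 6, 14, tzinfo=timezone.utc)),
]
ADVISORIES = [
    Advisory("examplelib", "1.2.1", "critical", "package-changelog"),  # self-declared
    Advisory("examplelib", "1.2.2", "critical", "osv"),                # curated feed
]

if __name__ == "__main__":
    for rel in RELEASES:
        ok, reason = is_eligible(rel, ADVISORIES, NOW)
        print(f"{rel.version}: {'adopt' if ok else 'hold'} ({reason})")
    pick = choose_version(RELEASES, ADVISORIES, NOW)
    print("selected:", pick.version if pick else None)
```

With the sample data, 1.2.0 is past the cooldown, 1.2.1 stays held because its only "critical fix" claim comes from the package itself, and 1.2.2 is adopted early because a curated feed names it as the fix; with no advisories at all, the policy falls back to 1.2.0.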