Comment by tedivm

Comment by tedivm 5 days ago

2 replies

View on Hacker News

This advice leaves you vulnerable to log4j style vulnerabilities that get discovered though.

The answer is a balance. Use Dependabot to keep dependencies up to date, but configure a dependency cooldown so you don't end up installing anything too new. A seven day cooldown would keep you from being vulnerable to these types of attacks.

SAI_Peregrinus 5 days ago

Cooldowns only work if enough people don't use cooldowns (or don't use cooldowns longer than yours) for attacks to get noticed.

Reply View 1 reply
  • tedivm 4 days ago

    That may have been true two years ago, but now you have groups like Wiz doing scans and looking for these types of attacks. You don't have to wait for someone to get their shit destroyed to notice.

    Reply View 0 replies