
tasuki, last Sunday at 9:49 PM

> Keeping updated libraries is a good practice

First, the "good practice" argument is just an attempt to shut down the discussion. God wanted it so.

Second, I'd rather keep my dependencies outdated. New features, new bugs. Why update, unless there's a specific reason to do so? By upgrading, you're opening yourself up to:

- Accidental new bugs that didn't have the time to be spotted yet.

- Subtly different runtime characteristics (see the original post).

- Maintainer going rogue or the dependency getting hijacked and introducing security issues, unless you audit the full code whenever upgrading (which you don't).


Replies

Cpoll, last Tuesday at 3:46 PM

It's true that you can satisfy the audit just by running dependency scans and updating the ones that come back vulnerable. Unfortunately, in a lot of ecosystems, that ends up looking the same as keeping all your libraries updated.

You can instead document exceptions for why all those vulnerabilities don't apply to your app, but that's sometimes more trouble.
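The triage Cpoll describes (scan, then either update or record a documented exception) as an added example that is not part of the thread; the scan findings, the advisory ids and the exceptions file are all constructed, and the only rule it encodes is that an exception must carry a reason and must not have expired:

```python
"""Reconcile dependency-scan findings against documented exceptions.

Added example, not from the thread. All sample data below is constructed.
"""
from datetime import date

# Constructed scan output: package, installed version, advisory id, first fixed version.
SCAN_FINDINGS = [
    {"package": "libfoo", "version": "1.2.0", "advisory": "ADV-0001", "fixed_in": "1.2.1"},
    {"package": "libbar", "version": "3.0.0", "advisory": "ADV-0002", "fixed_in": "3.1.0"},
    {"package": "libbaz", "version": "0.9.0", "advisory": "ADV-0003", "fixed_in": "0.9.5"},
]

# Constructed exceptions file: the "why this doesn't apply to us" record.
# Each entry needs a written reason, an owner and an expiry so it gets re-reviewed.
EXCEPTIONS = {
    "ADV-0001": {"reason": "vulnerable XML code path is never called by this app",
                 "owner": "team-a", "expires": date(2099, 1, 1)},
    "ADV-0003": {"reason": "only reachable with a debug flag that is off in prod",
                 "owner": "team-b", "expires": date(2020, 1, 1)},   # already expired
}


def triage(findings, exceptions, today):
    """Split scan findings into 'must update' and 'accepted under exception'.

    A finding is accepted only if an exception exists for its advisory, the
    exception has a non-empty reason, and it has not expired as of `today`.
    Everything else (no exception, or a stale one) goes to the update list.
    """
    must_update, accepted = [], []
    for f in findings:
        exc = exceptions.get(f["advisory"])
        if exc and exc["reason"].strip() and exc["expires"] > today:
            accepted.append((f["advisory"], exc["owner"], exc["reason"]))
        else:
            must_update.append((f["package"], f["version"], f["fixed_in"]))
    return must_update, accepted


if __name__ == "__main__":
    to_update, kept = triage(SCAN_FINDINGS, EXCEPTIONS, date.today())
    for pkg, cur, fixed in to_update:
        print(f"UPDATE  {pkg} {cur} -> {fixed}")
    for adv, owner, reason in kept:
        print(f"ACCEPT  {adv} ({owner}): {reason}")
```

Run against a date after the second exception's expiry, libbar (no exception) and libbaz (expired exception) end up on the update list while libfoo stays pinned.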