alt Hacker NewsBe wary of upgrading dependencies too quickly. This is how supply chain incursions are able to spread too quickly. Time is a good firwall.
Replies
esafak • yesterday at 10:01 PM
They fixed that last summer: https://github.blog/changelog/2025-07-01-dependabot-supports...
➕ show 1 reply
bityard • yesterday at 10:42 PM
A firwall also makes a good firewall, once ignited.
Hamuko • yesterday at 10:00 PM
>Time is a good firwall.
That just reminds me that I got a Dependabot alert for CVE-2026-25727 – "time vulnerable to stack exhaustion Denial of Service attack" – across multiple of my repositories.
Here's a Go mod proxy-proxy that lets you specify a cooldown, so you never get deps newer than N days/weeks/etc
https://github.com/imjasonh/go-cooldown
It's not running anymore but you get the idea. It should be very easy to deploy anywhere you want.