> Makes actual security patches tougher to roll out though

Yeah. 7 days in 2026 is a LONG TIME for security patches, especially for anything public facing.

Stuck between a rock (dependency compromise) and a hard place (legitimate security vulnerabilities).

Doesn't seem like a viable long-term solution.