But how do you know which one is good? If the foo package sends out an announcement saying "v1.4.3 was hacked, upgrade now to v1.4.4" and you're on v1.4.3, waiting a week seems like a bad idea. But if the hackers are the ones sending the announcement, then you'd really want to wait the week!
An announcement isn't a quiet action. One would hope that the real maintainers would notice & take action.
Malicious versions are recalled and removed when caught, so you don't need to update to the next version.
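The two concerns raised in this thread (wait out a cooldown before taking a new release, but don't sit on a version that has been recalled) can be encoded as one pin-selection rule. The following is an added example, not code from any commenter or package index: it assumes registry metadata shaped like `{version: {"released": iso_timestamp, "yanked": bool}}`, where the recall signal is the index's own yanked flag rather than an announcement, and the release data below is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample metadata, not real package data. Mirrors the thread's
# scenario: 1.4.3 was recalled (yanked) and 1.4.4 is the two-day-old fix.
RELEASES = {
    "1.4.2": {"released": "2024-03-01T00:00:00Z", "yanked": False},
    "1.4.3": {"released": "2024-03-20T00:00:00Z", "yanked": True},
    "1.4.4": {"released": "2024-03-22T00:00:00Z", "yanked": False},
}
NOW = datetime(2024, 3, 24, tzinfo=timezone.utc)


def parse_version(v):
    """Dotted numeric version string -> comparable tuple (assumed format)."""
    return tuple(int(p) for p in v.split("."))


def parse_ts(s):
    """ISO-8601 timestamp with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def pick_version(releases, current, now, cooldown_days=7):
    """Return the version to pin under a cooldown-plus-recall policy.

    - A yanked version is never pinned.
    - Normally, only move to the newest non-yanked version that is at
      least `cooldown_days` old; otherwise stay on `current`.
    - If `current` itself has been yanked, the cooldown is waived:
      staying on a recalled release is treated as worse than taking a
      young fix, so the newest non-yanked version wins, even if that
      means a downgrade. Raises if nothing non-yanked exists.
    """
    candidates = sorted(
        (v for v, meta in releases.items() if not meta["yanked"]),
        key=parse_version,
        reverse=True,
    )
    if not candidates:
        raise ValueError("no non-yanked release to pin")

    current_yanked = releases.get(current, {}).get("yanked", False)
    if current_yanked:
        return candidates[0]

    cooldown = timedelta(days=cooldown_days)
    for v in candidates:
        if parse_version(v) <= parse_version(current):
            break  # already at or above this one
        if now - parse_ts(releases[v]["released"]) >= cooldown:
            return v
    return current


if __name__ == "__main__":
    for pinned in ("1.4.2", "1.4.3"):
        print(pinned, "->", pick_version(RELEASES, pinned, NOW))
```

With the sample data, someone pinned to 1.4.2 stays there (1.4.4 is only two days old and 1.4.3 is yanked), while someone on the recalled 1.4.3 moves straight to 1.4.4. Run again a week later and the 1.4.2 user also picks up 1.4.4.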