logoalt Hacker News

Waterluviantoday at 12:45 AM1 replyview on HN

My logical read of the situation is that I end up making fewer overall changes if I end up upgrading a dependency once, not thrice, to a specific version. And the changes are their own source of risk.


Replies

jjmarrtoday at 3:01 AM

In reality, one massive update is too big to digest and it never happens. So you're stuck on out-of-date packages having lost the ability to update.

That's never a problem until it suddenly is. Company is put at significant risk (courts want to reason by analogy and "engineers skipped maintenance and endangered people" is an easy one) and nobody is to blame since nobody owned the task.