But you also need the latest versions to avoid zero-day attacks.

lpribis · 2025-11-24T12:24:20 1763987060

99% of releases do NOT fix zero-days. But 100% of releases have a small risk of introducing a backdoored build-script.

There's nothing wrong with pinning dependencies and only updating when you know for sure they're fixing a zero-day (as it will be public at that point).

cesarb · 2025-11-24T16:12:31 1764000751

Or an old enough version. For one of the most damaging zero-day vulnerabilities in the Java ecosystem (log4shell), you were vulnerable if you were in the latest version, but not vulnerable if you were using an old enough version.

zelphirkalt · 2025-11-24T13:11:31 1763989891

Zero-day on frontend has not really a y effect, except on one user at a time. Zero-day on a server though ... perhaps we arrive at the conclusion to not use the JS ecosystem on the server side.

nalekberov · 2025-11-24T12:04:57 1763985897

do zero-days even care about versions?

Ygg2 · 2025-11-24T15:36:39 1763998599

They care how long you take to patch your versions. Delaying patching by 7 days will affect it.