Tech News

You Should Not Update Your Dependencies

Why This Matters

This article highlights the evolving challenges in dependency management within the tech industry, emphasizing the delicate balance between timely updates for security and the risks of supply chain attacks. It underscores the importance of strategic dependency updates to maintain security without introducing new vulnerabilities, especially as open-source reliance grows.

The simpler times…

Rare historical photograph of a SysAdmin, an ancient species that would later evolve into modern DevOps, circa January 1999. The specimen, barely containing his excitement at the release of Linux 2.2 and the prospect of the upcoming LinuxWorld Expo, is performing the bi-yearly software patching ritual in production with his obligate mutualist (colloquially known as "the software vendor sales dude").

I started in tech in the late 90s after dropping out of college. My first metal server got compromised in two weeks. (Yes, phpMyAdmin. Yes, unpatched. Yes, still ashamed.)

Literally the first thing we deeply internalized in that era was to "very carefully review what you depend on, read all changelogs and patches, apply timely, always be up to date".

Pretty sure that sounds quaint, even alien, to most of the npm-dependabot-trigger-happy folks…

Nowadays, in the face of a sweeping, seemingly insurmountable onslaught of devastating supply chain incidents, some package managers have started recommending that you not update a dependency until a certain number of days have passed since its release (just to make sure, you know, that the idiots who go in front of you pay the price and spot the issues first…).

What has long been a staple of basic software security hygiene and vernacular wisdom is now considered harmful: do not update too soon, or expose yourself to ongoing supply chain attacks. Of course, not upgrading does expose you to active campaigns against (technically patched) upstream CVEs.

Damned if you do. Damned if you don't.

The old operating model was indeed fine in a much smaller, simpler tech world, in a more controlled and siloed environment, where you would depend on a handful of formally defined vendors that you could manually vet, and where complex supply chain issues and larger-than-life dependency lists were… not even a sci-fi concept.

The massive shift towards open-source over the past two to three decades (in part sustained by a better security story: "you benefit from much better community-driven scrutiny than with closed-source vendors!"… oh, sweet summer child…), along with the exponential increase in the size of ecosystems, brought massive new issues to light, painfully revealed through a chain of literally horrific "core dependency" vulnerabilities (remember bind, openssl, or just log4j?) that have basically broken the entire internet, repeatedly.
