upvote

points

by 8cvor6j844qw_d618 hours ago |
comments
upvoteby tonymet18 hours ago|
[-]
Slow Russian roulette is still a losing strategy
reply
upvoteby btown18 hours ago|
parent|
next
[-]
It’s only a losing strategy if you assume everyone universally adopts the slow strategy, and no research teams spot it in the interim. For things with large splash radius, that’s unrealistic, so defenders have an information advantage.

Makes actual security patches tougher to roll out though - you need to be vigilant to bypass the slowdown when you’re actually fixing a critical flaw. But nobody said this would be easy!

reply
upvoteby esseph17 hours ago|
parent|
[-]
> Makes actual security patches tougher to roll out though

Yeah. 7 days in 2026 is a LONG TIME for security patches, especially for anything public facing.

Stuck between a rock (dependency compromise) and a hard place (legitimate security vulnerabilities).

Doesn't seem like a viable long-term solution.

reply
upvoteby neko_ranger18 hours ago|
parent|
prev|
[-]
but wouldn't it work in this case? sure if a package was compromised for months/years it wouldn't save you

but tell dependabot to delay a week, you'd sleep easy from this nonesense

reply
upvoteby tonymet8 hours ago|
parent|
[-]
slowly walking through a minefield isn’t any safer than running.

So unless you’re saying the extra time will be spent inspecting every package, whenever you do update, you will be getting an insecure package.

You’re not safe by dodging axios. There are currently thousands of breached packages ready to install that aren’t notable.

“I’ll run npm install after checking twitter” won’t help

reply