Eventually you will want to update it, every update is a risk.
replyBut, pinning has prevented most of the recent supply chain attacks.
replyAs long as you don't update your pins during an active supply chain attack, the risk surface is rather low.
The flip side of that is now you're running old software and CVEs get published all the time. Threat actors actively scan the internet looking for software that's vulnerable to new CVEs.
reply