
Say you pin your project at version 5. An exploit is found. There is no 5.1. Instead they fixed the exploit in 7.

However 7 breaks your pipeline.

What do you do?

Fix the vulnerability yourself on an outdated version (high effort)

Upgrade your entire pipeline to the new version (high effort)

Leave the vulnerability in place (terrible idea)



You left out "switch to a better suited dependency (high effort)"

That's honestly the only viable choice with such libraries if you want to deploy your software in production environments.

Thankfully, there are alternatives around and you're not forced to migrate every task at the same time.



