> We are freezing our dependencies and aiming at almost never upgrading or updating things when possible.
I think this is an equally bad idea. The supply-chain attacks make the news, but getting pwned because of a known vuln in some dependency is a regular occurrence. That 10 year old OpenSSL binary is bad news.
This, plus the fact that when a vulnerability is discovered and you are a million versions behind, facing practically a ground-up rewrite to get back to API compatibility, is extremely hard to deal with. There is some balance to be had by waiting for things to become tested and stable rather than always defaulting to the bleeding edge, and maintaining a reasonable cadence of dependency management. You don't always need to be on the latest version, but you always need to be ready to be on the latest version.
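The point above, that a frozen lockfile still has to be checked against known vulnerabilities, as an added example that is not from this thread: it audits pinned requirements against a constructed advisory list and reports how many major versions each affected pin sits behind the fix (package names are real, but every version and advisory here is made up for illustration).

```python
# Added example: audit frozen pins against a small advisory list.
# The lockfile and advisories below are constructed sample data, not real advisories.
import re

REQUIREMENTS = """\
# constructed sample lockfile
requests==2.19.1
cryptography==3.2
urllib3==1.26.18
"""

# Constructed advisories: (package, versions_below_are_affected, fixed_in).
ADVISORIES = [
    ("requests", "2.31.0", "2.31.0"),
    ("cryptography", "41.0.6", "41.0.6"),
]


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple, e.g. '3.2' -> (3, 2)."""
    return tuple(int(part) for part in v.split("."))


def parse_pins(text):
    """Return {package: pinned_version} for every 'name==x.y.z' line, ignoring comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def audit(pins, advisories):
    """List (package, pinned, fixed_in, majors_behind) for pins older than the fix."""
    findings = []
    for pkg, affected_below, fixed_in in advisories:
        pinned = pins.get(pkg.lower())
        if pinned is None:
            continue  # dependency not present in this lockfile
        if parse_version(pinned) < parse_version(affected_below):
            majors_behind = parse_version(fixed_in)[0] - parse_version(pinned)[0]
            findings.append((pkg, pinned, fixed_in, majors_behind))
    return findings


if __name__ == "__main__":
    for pkg, pinned, fixed_in, gap in audit(parse_pins(REQUIREMENTS), ADVISORIES):
        print(f"{pkg}=={pinned} is vulnerable; fixed in {fixed_in} ({gap} major versions behind)")
```

Running this on a real lockfile would mean swapping the constructed ADVISORIES for a feed such as OSV or the GitHub Advisory Database; the point is that the check runs on a schedule even when the pins never move.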