That works fine if you have few dependencies (obviously this is a good practice)...

		catlifeonmars 3 months ago \| parent \| context \| favorite \| on: Shai-Hulud malware attack: Tinycolor and over 40 N... That works fine if you have few dependencies (obviously this is a good practice) and you have time to vet all updates and determine whether a vulnerability impacts your particular code, but that doesn’t scale if you’re a security organization at, say, a small company.