- cross-posted to:
- [email protected]
cross-posted from: https://lemmy.bestiver.se/post/1043778
Not updating with audit would work if every direct and transient dependency provided security updates for every version. But they don’t. Often, security updates are for the most recent version or versions, and if you’re far behind, you now have to audit a lot more.
Transient dependencies are an audit problem, too. To audit something, you have to essentially audit recursively. Many libs use many other libs of varied authors.
Our systems are too open, too vulnerable. A build or check being able to access all resources is a fundamental systematic vulnerability.
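To make the "audit recursively" point from the comments above concrete, here is an added example (not code from the thread or from any project it mentions) that walks a small constructed lockfile-style graph, reports how much of the audit surface is transitive rather than direct, flags pins that sit below a constructed advisory's fix version, and lists the dependency paths that pull an affected package in. The package names, versions and advisories are invented for illustration.

```python
from __future__ import annotations

# Constructed example graph: package -> (pinned version, direct dependencies).
# Invented names and versions, not a real lockfile.
DEP_GRAPH = {
    "app":         ("1.0.0", ["web", "json-util"]),
    "web":         ("2.3.1", ["http-core", "templating"]),
    "json-util":   ("0.9.0", ["unicode-lib"]),
    "http-core":   ("4.0.2", ["unicode-lib"]),
    "templating":  ("1.1.0", ["unicode-lib", "escape-lib"]),
    "unicode-lib": ("3.2.0", []),
    "escape-lib":  ("0.4.1", []),
}

# Constructed advisories: package -> first fixed version. As the comment
# notes, the fix usually lands only on the newest line, so any older pin
# is on the audit list.
ADVISORIES = {
    "unicode-lib": "3.3.0",
    "escape-lib": "0.5.0",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'a.b.c' into a comparable tuple of integers."""
    return tuple(int(x) for x in v.split("."))


def transitive_closure(root: str, graph=DEP_GRAPH) -> set[str]:
    """All packages reachable from root (root itself excluded)."""
    seen: set[str] = set()
    stack = list(graph[root][1])
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend(graph[pkg][1])
    return seen


def audit_surface(root: str, graph=DEP_GRAPH) -> dict[str, int]:
    """Count direct vs. transitive-only packages that an audit must cover."""
    direct = set(graph[root][1])
    everything = transitive_closure(root, graph)
    return {"direct": len(direct), "transitive_only": len(everything - direct)}


def affected_pins(root: str, graph=DEP_GRAPH, advisories=ADVISORIES) -> list[str]:
    """Packages in the closure whose pin is older than the advisory's fix."""
    return sorted(
        pkg
        for pkg in transitive_closure(root, graph)
        if pkg in advisories
        and parse_version(graph[pkg][0]) < parse_version(advisories[pkg])
    )


def dependency_paths(root: str, target: str, graph=DEP_GRAPH) -> list[list[str]]:
    """Every path root -> ... -> target; shows which direct dep drags it in."""
    paths: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for child in graph[node][1]:
            if child not in path:  # guard against cycles in malformed graphs
                walk(child, path + [child])

    walk(root, [root])
    return sorted(paths)


if __name__ == "__main__":
    print(audit_surface("app"))
    for pkg in affected_pins("app"):
        print(pkg, "pinned", DEP_GRAPH[pkg][0], "fix in", ADVISORIES[pkg])
        for p in dependency_paths("app", pkg):
            print("   via", " -> ".join(p))
```

Running it shows that two direct dependencies expand to six packages to audit, that both constructed advisories apply to pins reached only transitively, and that a single vulnerable package arrives through three separate paths, which is why "just don't update" shifts the work onto the auditor rather than removing it.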
This is an interesting perspective. I have not thought about this even as a developer.
I used to be a developer, and I completely agree.
I don’t owe anyone anything. And if you won’t compensate me for work you demand, the less I am willing to cover your mistake.
“Supply-chain” is an invented capitalist digressive term that they forwent compensation for security. Even in our /c/, folks think capitalists will pay 7 additional days to review issues at no cost. It’s preposterous. Nazis prefer automating our quality assurance.
No pay, no game.
Edit! This type of ignorance even extends into other industries! Here’s my scene, making a bounty, not accounting modern Nazi costs of hardware.