This is a bad idea for a number of reasons. Most obvious issue is that it doesn’t guarantee anything in the way of actually fixing vulnerabilities, because some project you use may not even be scanning their own work.
Comment on How do you keep track of vulnerabilities?
eager_eagle@lemmy.world 1 month ago
upgrade all things by default
just_another_person@lemmy.world 1 month ago
eager_eagle@lemmy.world 1 month ago
what’s the alternative? Write a PR yourself?
just_another_person@lemmy.world 1 month ago
Yup. Really easy in most cases if you’re just upgrading a dependency version of something to the next minor release up, but then it has to pass all the project CI tests, and get an actual maintainer to tag it for release. That’s how open source works though.
eager_eagle@lemmy.world 1 month ago
That may work for a handful of projects. It’d be my full time job if I did it for everything I run. Also, I might simply suggest maintainers to adopt dependabot or an alternative before I spend time with manual changes. These things should be automated.
NaibofTabr@infosec.pub 1 month ago
This is also a great way to just break everything you’ve set up.
eager_eagle@lemmy.world 1 month ago
that’s a lot of FUD, topgrade just upgrades all package managers you have, it doesn’t do the upgrades itself bypassing the package authors
NaibofTabr@infosec.pub 1 month ago
The issue is more that trying to upgrade everything at the same time is a recipe for disaster and a troubleshooting nightmare. Once you have a few interdependent services/VMs/containers/environments/hosts running, what you want to do is upgrade them separately, one at a time, then restart that service and anything that connects to it and make sure everything still works, then move on to updating the next thing.
If you do this shotgun approach for the sake of expediency, what happens is something halfway through the stack of upgrades breaks connectivity with something else, and then you have to go digging through the logs trying to figure out which piece needs a rollback.
Even more fun if two things in the same environment have conflicting dependencies, and one of them upgrades and installs its new dependency version and breaks whatever manual fix you did to get them to play nice together before.
eager_eagle@lemmy.world 1 month ago
I’ve been doing that for years. Rollbacks are very rare, to the point that it doesn’t make much of a difference whether I do them all at once or not, other than spending more time to do it.
If I wasn’t using containers for everything sure. Otherwise it’s a bit of an excessive concern.