
A policy I favor for dependency management: go forward. Going backward is an exception, and one we must plan to remedy.

Example

Consider a CVE in a dependency at version 5.0 (v5.0). We're advised that v6.0 and v4.0 are safe. Which way should we go, forward or backward? We want to default to forward: even if we've been on v4.0 before and know it is compatible, and even if we aren't sure that v6.0 is "solid" or whether it will take some code changes to adopt.
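The forward-first rule above, encoded as a small decision helper (an added example written for this post, not the author's code): given the current version and the versions an advisory calls safe, it picks the nearest safe version above the current one, and only falls back to the nearest safe version below it, flagged so that the forward move gets scheduled as the remedy. It assumes plain dotted numeric versions; pre-release tags are not handled.

```python
from __future__ import annotations
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted numeric version such as "5.0" or "6.1.2" into a comparable tuple.
    Assumption: numeric components only (no pre-release or build tags)."""
    return tuple(int(part) for part in v.lstrip("v").split("."))


@dataclass(frozen=True)
class Decision:
    target: str               # version to move to
    direction: str            # "forward" or "backward"
    needs_remedy_plan: bool   # True when we went backward: the forward move still has to be planned


def choose_remediation(current: str, safe_versions: list[str]) -> Decision:
    """Apply the forward-first policy to a vulnerable dependency.

    Prefer the smallest safe version greater than the current one. Only when no
    safe version lies ahead, take the largest safe version behind it and mark the
    decision as an exception that needs a plan to move forward later."""
    cur = parse_version(current)
    parsed = {v: parse_version(v) for v in safe_versions}

    forward = [v for v, t in parsed.items() if t > cur]
    if forward:
        # Nearest forward version: the least amount of change that still clears the CVE.
        return Decision(min(forward, key=parsed.__getitem__), "forward", False)

    backward = [v for v, t in parsed.items() if t < cur]
    if backward:
        # Nearest backward version: the exception case, so it carries a remedy flag.
        return Decision(max(backward, key=parsed.__getitem__), "backward", True)

    raise ValueError(f"advisory offers no safe version other than {current}")


if __name__ == "__main__":
    # Constructed input mirroring the post: vulnerable at v5.0, v4.0 and v6.0 are safe.
    print(choose_remediation("5.0", ["4.0", "6.0"]))
```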
