alexscheelmeyer | 8 years ago
Another reason is that many developers are obsessing over getting the latest version of their dependencies, for fear of security issues or just of missing out on the latest and greatest - and they often completely ignore retesting the application, since they now have someone to blame if it fails (that other developer should not have pushed the breaking change with a minor version bump!).
I agree with you that it should be the standard to have fixed versions and update your dependencies at a time of your choosing so that everything can get tested properly - but it seems to be an uphill battle.
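The "fixed versions" the comment above argues for can be checked mechanically. The script below is an added example, not code from the thread: it scans a requirements.txt-style manifest (a constructed sample is embedded) and reports every dependency whose version can drift without an edit, i.e. anything that is not an exact `==` pin. The regex covers the PEP 508 comparison operators only; `classify` and `find_floating` are names chosen for this example.

```python
"""Flag dependency specifiers that are not pinned to an exact version.

Added example, not from the original thread. The manifest below is a
constructed sample; the regex handles PEP 508 comparison operators only.
"""
import re

# Constructed sample manifest mixing pinned and floating specifiers.
SAMPLE_MANIFEST = """\
requests==2.31.0
urllib3>=1.26,<2
cryptography~=41.0
pyjwt
flask==3.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# name, optional operator, first version token (stops at ',' or ';').
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(==|~=|>=|<=|!=|<|>)?\s*([^\s,;]*)"
)


def classify(line: str):
    """Return (name, status); status is 'pinned', 'range' or 'unpinned'.

    Returns None for blank lines and comments.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    match = _SPEC_RE.match(line)
    if not match:
        return None
    name, op, version = match.groups()
    # An exact pin is "==" followed by a concrete version (no "2.*" wildcard).
    if op == "==" and version and not version.endswith("*"):
        return name, "pinned"
    if op:
        return name, "range"      # bounded, but still moves on its own
    return name, "unpinned"       # any version the index serves next


def find_floating(manifest: str):
    """List every (name, status) whose resolved version can change silently."""
    floating = []
    for line in manifest.splitlines():
        result = classify(line)
        if result and result[1] != "pinned":
            floating.append(result)
    return floating


if __name__ == "__main__":
    for name, status in find_floating(SAMPLE_MANIFEST):
        print(f"{name}: {status}")
```

Running it on the sample reports `urllib3`, `cryptography` and `pyjwt`; the two `==` lines are the ones a deliberate, tested upgrade would later change by hand.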
eeZah7Ux | 8 years ago
Getting the latest version is how you get new vulnerabilities.
Various software distributors, including some Linux distros, let software bake for this reason, and they can even be faster than upstream in developing and applying patches for known vulnerabilities.
Also, unfixed but known vulnerabilities are less dangerous: security and system engineers can work around them, and IDS/IPS can detect and often block attacks.