You should not update your dependencies in 2026
Summary
This article argues that updating dependencies is risky because dependency updates are a supply-chain attack vector: a new version is code written by someone outside the project, pulled in with far less scrutiny than an ordinary pull request. The piece critiques automated, auto-merged updates and calls for a rethink of how dependency changes are reviewed, proposing Mendral's CI-integrated approach, which combines AI-assisted analysis with sandboxed testing to assess a dependency change before it is merged. It emphasizes that dependencies are untrusted contributions and that human review backed by robust tooling is necessary to secure modern software supply chains.
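To make the "untrusted contribution" framing concrete, here is an added example of the kind of pre-merge gate a CI job can run over a dependency update; it is illustrative code written for this summary, not Mendral's tooling or the article's own code. It diffs two npm lockfiles (constructed inline, not from any real project), lists what was added, removed or changed, and flags the properties a human reviewer would want surfaced: a package that declares an install script (npm records this as `hasInstallScript`), a tarball resolved from somewhere other than the registry the team expects (the allowed registry prefix is an assumption here), a missing integrity hash, and a package whose version did not change but whose integrity hash did. The heuristics and the review-queue rule are this example's choices, not a standard.

```python
import json

# Constructed sample lockfiles (npm lockfileVersion 3 layout); not taken from any real project.
OLD_LOCK = json.loads(r'''
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/debug":  {"version": "4.3.1",   "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.1.tgz",   "integrity": "sha512-AAA"},
    "node_modules/lodash": {"version": "4.17.20", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz", "integrity": "sha512-BBB"},
    "node_modules/semver": {"version": "7.3.5",   "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",   "integrity": "sha512-CCC"}
  }
}
''')

NEW_LOCK = json.loads(r'''
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "integrity": "sha512-DDD"},
    "node_modules/semver": {"version": "7.3.5",   "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.5.tgz",   "integrity": "sha512-EEE"},
    "node_modules/tiny-helper": {"version": "1.0.0", "resolved": "https://registry.example.com/tiny-helper/-/tiny-helper-1.0.0.tgz",
                                 "integrity": "sha512-FFF", "hasInstallScript": true}
  }
}
''')

# Assumption: the only registry this project expects tarballs from.
ALLOWED_REGISTRY_PREFIX = "https://registry.npmjs.org/"


def lock_packages(lock):
    """Flatten the lockfile's 'packages' map into {install path: metadata}, skipping the root entry."""
    pkgs = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # "" is the project itself, not a dependency
            continue
        pkgs[path] = {
            "version": meta.get("version"),
            "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity"),
            "has_install_script": bool(meta.get("hasInstallScript", False)),
        }
    return pkgs


def flags_for(kind, old, new):
    """Heuristic red flags a reviewer should look at before the change is merged (this example's choices)."""
    flags = []
    if new["has_install_script"]:
        flags.append("install-script")            # code runs at install time, before any test
    if new["resolved"] and not new["resolved"].startswith(ALLOWED_REGISTRY_PREFIX):
        flags.append("non-default-registry")      # tarball comes from somewhere unexpected
    if not new["integrity"]:
        flags.append("missing-integrity")         # nothing pins the tarball contents
    if kind == "changed" and old["version"] == new["version"]:
        flags.append("same-version-different-integrity")  # same version string, different bytes
    return flags


def diff_locks(old_lock, new_lock):
    """Return one finding per dependency that was added, removed or changed between the two lockfiles."""
    old, new = lock_packages(old_lock), lock_packages(new_lock)
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append({"path": path, "kind": "removed", "old": old[path], "new": None, "flags": []})
            continue
        if path not in old:
            kind, before = "added", None
        elif old[path]["version"] == new[path]["version"] and old[path]["integrity"] == new[path]["integrity"]:
            continue  # identical pin, nothing to review
        else:
            kind, before = "changed", old[path]
        findings.append({"path": path, "kind": kind, "old": before, "new": new[path],
                         "flags": flags_for(kind, before, new[path])})
    return findings


def review_queue(findings):
    """Findings that must not be auto-merged: every new dependency, plus any change carrying a flag."""
    return [f for f in findings if f["kind"] == "added" or f["flags"]]


if __name__ == "__main__":
    for f in diff_locks(OLD_LOCK, NEW_LOCK):
        print(f"{f['kind']:8} {f['path']:28} flags={f['flags']}")
    print("needs human review:", [f["path"] for f in review_queue(diff_locks(OLD_LOCK, NEW_LOCK))])
```

In a real pipeline the two lockfiles would be the base and head of the update pull request, and the review queue would block the merge until a person has looked at the flagged entries; the unflagged version bump (lodash here) is still an untrusted change and would still go through the sandboxed test step, the gate only decides what a human must see first.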