AI’s brave new world of technical debt



In an industry trained to equate “latest” with “secure,” this sounds reckless, until you look at what happened this spring. In two of the year’s worst npm attacks, many of the people most exposed were the ones pulling fresh versions. When the axios HTTP client library was compromised, attackers pushed two poisoned releases that dropped a remote-access Trojan on every machine that ran a fresh install during a roughly three-hour window. If you were pinned to a clean version and didn’t reinstall, you slept through it. Kudos to you. Weeks later, on the heels of a poisoned node-ipc release, the Mini Shai-Hulud worm self-propagated through TanStack and on to Mistral, UiPath, and a long tail of packages downloaded millions of times a week.

How do you defend against that?

Maybe by doing nothing. After all, the single most effective defense against Mini Shai-Hulud wasn’t a scanner or a signature. It was a cooldown. StepSecurity held newly published versions for a configurable window, around 10 days, before serving them to anyone. Customers on the cooldown kept getting the last known-good release and were never exposed, while the rest of the world found out the hard way.

In other words, the defense that worked was the unfashionable (and historically foolish) one: Don’t take the new version just because it’s new. Ironically, the industry’s answer to AI development seems to be to add more dependencies. What could go wrong?


