Historically, developers and security experts have disagreed on whether fixed (pinned) dependencies are a good idea. Developers like fixed dependencies: they prevent upstream changes from breaking their project. In contrast, security experts have long touted the mantra of automatic updates, even for software dependencies. They argue that the widespread adoption of a more agile “move fast and break things” approach to software development can tolerate changes in dependencies, and that it is better to have the latest version of a dependency in case it contains an unannounced security fix.
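To make the trade-off concrete, here is a small audit script (an added example, not code from the original page) that reads a pip-style requirements file and classifies each dependency as pinned with an integrity hash, pinned without one, constrained to a version range, or completely unpinned. The sample requirements text and its hash value are constructed for illustration and do not refer to real package releases. A defender can run a check like this in CI to see which dependencies would silently change on the next install.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements file; package versions and the hash are
# placeholders, not real releases.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-checked: reproducible install, tampering is detected
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# pinned, but no integrity hash
urllib3==2.2.1
# floating range: picks up unannounced fixes, and also breaking changes
flask>=2.0
# compatible-release operator: patch-level updates only
cryptography~=42.0
# completely unpinned: resolves to whatever is newest at install time
pyyaml
"""

@dataclass
class Requirement:
    name: str
    specifier: str   # e.g. "==2.31.0", ">=2.0", or "" when unpinned
    pinned: bool     # exact version given with "=="
    hashed: bool     # an integrity hash accompanies the pin

# Matches "<name><operator><version>"; operator and version are optional.
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)"
)

def parse_requirements(text):
    """Parse requirement lines, skipping comments and blank lines."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        specifier = f"{op}{version}" if op else ""
        reqs.append(Requirement(name, specifier, op == "==", "--hash=" in line))
    return reqs

def classify(req):
    """Label how tightly a dependency is controlled at install time."""
    if req.pinned and req.hashed:
        return "pinned+hash"
    if req.pinned:
        return "pinned"
    if req.specifier:
        return "range"
    return "unpinned"

def audit(text):
    """Return {package name: category} for every requirement in the text."""
    return {r.name: classify(r) for r in parse_requirements(text)}

def floating(text):
    """Names of dependencies that can change without an edit to the file."""
    return sorted(n for n, c in audit(text).items() if c in ("range", "unpinned"))

if __name__ == "__main__":
    for name, category in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:14} {category}")
    print("would drift on next install:", floating(SAMPLE_REQUIREMENTS))
```

The script deliberately separates "pinned" from "pinned+hash": an exact version alone fixes what the resolver asks for, while the hash is what lets the installer detect that the artifact it received is not the one that was reviewed. The `floating` list is the set of packages for which the "automatic updates" argument in the paragraph above actually applies, for better or worse.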
