HeadlinesBriefing.com

The Supply Chain Security Trap: Why Blind Dependency Updates Are Killing Modern Software

Hacker News

The author argues that the fundamental advice of 'always update dependencies immediately' has become dangerous in the modern software ecosystem. What was once basic security hygiene in the 1990s—carefully reviewing changelogs and applying patches—has been replaced by automated bot-driven updates that often introduce more risk than protection.

Recent supply chain compromises such as Shai Hulud, Nx s1ngularity, and tj-actions/changed-files demonstrate how attackers now target the distribution chain itself rather than exploiting existing vulnerabilities. Package managers now recommend delaying updates so that others discover problems first, creating a perverse situation: staying current exposes teams to supply chain attacks, while holding back leaves them exposed to CVEs that already have patches.

Technical solutions exist to address these problems—content-addressability, SLSA, TUF, and OIDC/Fulcio all provide hardening mechanisms—but adoption remains minimal. The Docker team implemented content-addressable images in 2014 specifically for secure distribution, yet most developers still use :latest tags and blindly merge Dependabot PRs without reviewing diffs.
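The contrast the article draws between content-addressable references and floating tags is easy to check mechanically. The following script is an added example, not code from the article or from any of the projects it names: it scans a Dockerfile and a GitHub Actions workflow for references that a registry or repository owner can silently re-point (`:latest`, a bare version tag, an action pinned to `@v4` rather than a commit SHA) and reports what should instead be pinned to a digest or full SHA. The sample Dockerfile and workflow are constructed inputs, and the digest and SHA values in them are made up for illustration.

```python
"""Report mutable (re-pointable) image and action references.

Added example for this article; the sample inputs below are constructed and
the digest/SHA values in them are placeholders, not real artifacts.
"""
import re
from dataclasses import dataclass

# Constructed sample Dockerfile: one floating tag, one tag without a digest,
# one digest-pinned image, one stage reference, and scratch.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 python:latest AS build
FROM node:20.11.1-alpine
FROM ghcr.io/example/base:1.2.3@sha256:6f4e2b3c8a1d5e7f9b0c2d4e6f8a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9e1f2a
FROM build AS final
FROM scratch
"""

# Constructed sample workflow: two actions pinned to movable tags, one pinned
# to a (placeholder) commit SHA, and one local action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v35
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-helper
"""


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_ref_problem(ref):
    """Return why an OCI image reference is mutable, or None if it is digest-pinned."""
    if _DIGEST_RE.search(ref):
        return None  # content-addressed: the digest names exactly one image
    # The tag lives after the last ':' of the final path component; an earlier
    # ':' belongs to a registry port (e.g. localhost:5000/app).
    last = ref.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return "floating tag: resolves to whatever is published next"
    return "tag without digest: registry tags can be re-pointed"


def action_ref_problem(ref):
    """Return why a GitHub Actions 'uses:' reference is mutable, or None if SHA-pinned."""
    if ref.startswith("./"):
        return None  # local action: versioned together with the calling repo
    if ref.startswith("docker://"):
        return image_ref_problem(ref[len("docker://"):])
    if "@" not in ref:
        return "missing @ref"
    version = ref.rpartition("@")[2]
    if _SHA_RE.match(version):
        return None  # full commit SHA: immutable
    return f"pinned to '{version}', a tag or branch that can be moved; pin the full commit SHA"


def check_dockerfile(text):
    """Scan FROM lines; skip 'scratch' and references to earlier build stages."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        reason = image_ref_problem(ref)
        if reason:
            findings.append(Finding(lineno, ref, reason))
    return findings


def check_workflow(text):
    """Scan 'uses:' lines of a GitHub Actions workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        reason = action_ref_problem(ref)
        if reason:
            findings.append(Finding(lineno, ref, reason))
    return findings


if __name__ == "__main__":
    for label, findings in (("Dockerfile", check_dockerfile(SAMPLE_DOCKERFILE)),
                            ("workflow", check_workflow(SAMPLE_WORKFLOW))):
        for f in findings:
            print(f"{label}:{f.line}: {f.ref} -> {f.reason}")
```

Pinning by digest or SHA does not remove the need to update; it turns every update into a visible diff of the pinned value, which is exactly the review step the article says bot-driven PRs have displaced. A pinned reference that is never refreshed reproduces the other half of the article's dilemma, staying exposed to already-patched CVEs.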

The industry has essentially given up on meaningful supply chain verification, opting instead for compliance theater and certification programs that provide comfort without actual security. Modern AppSec focuses less on securing your own code and more on managing the risk of untrustworthy dependencies flooding through automated pipelines.