I'm wondering which approach people use to deal with vulnerabilities in transitive packages/dependencies? Do you manually update the transitive package with the risk of introducing compatibility issues and/or breaking changes? Or do you just wait until the maintainer of the direct dependency updates the (transitive) dependencies?
Vulnerabilities in transitive packages/dependencies
I'm wondering which approach people use to deal with vulnerabilities in transitive packages/dependencies? Do you manually update the transitive package with the risk of introducing compatibility issues and/or breaking changes? Or do you just wait until the maintainer of the direct dependency updates the (transitive) dependencies?
is working on a reply...