Ask HN: How do you prioritize dependency updates?
I maintain several open source projects and dependency management has become overwhelming.

Dependabot opens 20-30 PRs per week across my repos. Most are minor version bumps, but buried in there are actually critical security issues. I find myself either ignoring them all (risky) or spending hours triaging (unsustainable).

The problem: I don't have a good signal for what's actually urgent vs. what can wait.

What I've tried:
- Following CVSS scores → but "critical" doesn't mean "exploitable in my context"
- Auto-merging patch versions → missed a few important security fixes
- Manual review of everything → takes 5-10 hours/week

I recently discovered CISA's KEV catalog (Known Exploited Vulnerabilities) which flags CVEs that are actively being exploited in the wild. This seems like a better signal than CVSS alone, but I'm curious:

1. How do you decide what's actually urgent? CVSS? EPSS? Manual assessment?

2. Do you treat "outdated but not vulnerable" dependencies differently from "has CVEs"?

3. For those using Dependabot/Renovate/Snyk - what's your workflow? Do you review every alert or have you found a good filtering system?

I'm considering building something to help with this (health score + exploitation-based prioritization) but want to make sure I'm not just solving my own weird problem.

What's working for you?
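As an added example, not part of the original post and not the code of any tool the poster mentions: a small Python triage rule that orders open dependency PRs by the signals the post discusses, in the order a practitioner would weight them. Confirmed exploitation (a CISA KEV listing) beats predicted exploitation (EPSS), which beats impact-if-exploited (CVSS); a negative reachability result can demote a score-based rating but never a KEV hit. Pure version bumps with no advisory are batched rather than triaged, which is also where the post's "auto-merge patch versions" rule went wrong: bump size says nothing about security, the advisory data does. The package names, CVE ids (CVE-0000-xxxx), scores and the thresholds (EPSS 0.1, CVSS 7.0/9.0) are all constructed or assumed for illustration, not taken from the post or from any real advisory.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Update:
    """One open dependency PR plus whatever vulnerability data we could attach to it."""
    package: str
    current: str
    target: str
    cve: Optional[str] = None          # None means a plain version bump, no advisory
    cvss: float = 0.0                  # CVSS base score from the advisory, 0.0 if no CVE
    epss: float = 0.0                  # EPSS probability in [0, 1], 0.0 if unknown
    in_kev: bool = False               # True if the CVE is listed in CISA KEV
    reachable: Optional[bool] = None   # result of a reachability check; None = not checked


def bump_type(current: str, target: str) -> str:
    """Classify a semver bump (major/minor/patch/none) by the first differing component.

    Strips a leading 'v' and any pre-release suffix so '1.2.3-beta.1' compares as 1.2.3.
    """
    def parts(v: str) -> List[int]:
        return [int(x) for x in v.lstrip("v").split("-")[0].split(".")[:3]]
    for name, a, b in zip(("major", "minor", "patch"), parts(current), parts(target)):
        if a != b:
            return name
    return "none"


def triage(u: Update) -> Tuple[int, str]:
    """Return (priority, reason); lower priority number means more urgent.

    Thresholds are assumptions to tune per project, not values from the post.
    """
    if u.cve is None:
        # No advisory: batch it. Major bumps still need a human because of breaking changes.
        how = "manually" if bump_type(u.current, u.target) == "major" else "auto"
        return (4, f"no advisory; {bump_type(u.current, u.target)} bump, batch {how}")
    if u.in_kev:
        # KEV is a statement of fact about attackers, so reachability does not demote it.
        return (0, f"{u.cve} is in CISA KEV: exploited in the wild, merge today")
    if u.reachable is False:
        return (3, f"{u.cve} present but vulnerable code not reachable; fix in normal cycle")
    if u.epss >= 0.1:
        return (1, f"{u.cve} EPSS {u.epss:.2f}: likely to be exploited soon")
    if u.cvss >= 9.0:
        return (1, f"{u.cve} CVSS {u.cvss}: critical impact, reachability unknown")
    if u.cvss >= 7.0:
        return (2, f"{u.cve} CVSS {u.cvss}: high impact, low exploit probability")
    return (3, f"{u.cve} CVSS {u.cvss}: low impact")


def triage_all(updates: List[Update]) -> List[Tuple[str, int, str]]:
    """Rank a batch of PRs most-urgent first; sort is stable, so ties keep input order."""
    ranked = sorted(updates, key=lambda u: triage(u)[0])
    return [(u.package, *triage(u)) for u in ranked]


# Constructed sample data: fictional packages and placeholder CVE ids.
SAMPLE = [
    Update("yaml-lite", "1.2.3", "1.2.4", cve="CVE-0000-0001", cvss=7.2, epss=0.93, in_kev=True),
    Update("auth-token", "8.5.1", "9.0.0", cve="CVE-0000-0002", cvss=9.8, epss=0.02, reachable=False),
    Update("glob-match", "3.0.4", "3.0.5", cve="CVE-0000-0003", cvss=7.5, epss=0.004),
    Update("lintkit", "8.50.0", "8.51.0"),
    Update("builder", "v4.9.5", "v5.2.2"),
]

if __name__ == "__main__":
    for package, prio, reason in triage_all(SAMPLE):
        print(f"P{prio}  {package:<12} {reason}")
```

Two things worth noticing in the sample: the patch-level bump of yaml-lite lands at P0 because of the KEV listing, which is exactly the case a "patch versions are safe to auto-merge" rule would have quietly merged or quietly ignored; and the CVSS 9.8 auth-token advisory drops to P3 because the vulnerable code was shown to be unreachable, which is the "critical doesn't mean exploitable in my context" distinction the post is asking about. The order of the checks is the policy; the numbers are knobs.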