Mitchell Hashimoto wants you to stop updating your dependencies, which, in historical context, is certifiably insane. In fact, in the wake of Mythos and the potential to make zero-day exploits common, it still may sound insane. Yet after the spring npm just had, Hashimoto’s counsel may actually sound less like heresy and more like control.
His rule? Fork your dependencies, trim them to what you actually use, and don’t update unless something breaks for your users. In Hashimoto’s view, you don’t update just because GitHub’s Dependabot opened a pull request or even because there’s a newer (presumably more secure) version. If you do update, the work of understanding every relevant commit in the transitive tree is yours, not the maintainer’s.
In an industry trained to equate “latest” with “secure,” this sounds reckless, until you look at what happened this spring. In two of the year’s worst npm attacks, many of the people most exposed were the ones pulling fresh versions. When the axios HTTP client library was compromised, attackers pushed two poisoned releases that dropped a remote-access Trojan on every machine that ran a fresh install during a roughly three-hour window. If you were pinned to a clean version and didn’t reinstall, you slept through it. Kudos to you. Weeks later, on the heels of a poisoned node-ipc release, the Mini Shai-Hulud worm self-propagated through TanStack and on to Mistral, UiPath, and a long tail of packages downloaded millions of times a week.