Being a sysadmin type, I get irked by things like, “why don’t we have version 9.x, it came out last week and solves our problems,” or “why can’t I just have a VM where I can install anything I want?”
There are many, very many, examples of new (most current) libraries that are broken, subject to spyware or worse. Do your own research, I’m not your mommy.
So, rather than explaining, yet again, that life on the bleeding edge of IT involves significant risk, I say let’s try this approach. Make developers responsible for version upgrades. With the caveat that if they bring in something that breaks or exposes the project to hacking, they’re fired with prejudice!
I’m not talking about latent bugs in SSH, etc. I mean they read the release notes and they should have seen the problem. “Major change to SECAUTH” “We added SSO” “Now OKTA compatible” That shit needs to be vetted before I’d put it in my systems.
Also, please NEVER build your project from https://github.com/myproject/latest.
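As an added example (not from the post), a small Python checker that flags dependency references which float (a branch or `latest` tag, an unhashed version range, a container tag with no digest) instead of being pinned to immutable content; the manifest it scans is constructed here and its package and image names are hypothetical.

```python
import re

# Constructed sample manifest (not from the post); the package and image names are hypothetical.
SAMPLE_MANIFEST = """\
# git dependencies, container base images and pip-style requirements
git+https://github.com/myproject/myproject.git@latest
git+https://github.com/myproject/myproject.git@0123456789abcdef0123456789abcdef01234567
FROM python:latest
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.0
requests==2.31.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

FLOATING_REFS = {"latest", "main", "master", "develop", "head"}
COMMIT_HASH = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify(line):
    # Returns None when the reference is pinned to immutable content, else why it floats.
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    # Git dependency: only a full commit hash is immutable; branch and tag names can be moved.
    m = re.search(r"github\.com/[^@\s]+(?:@(\S+))?", s)
    if m:
        ref = m.group(1)
        if ref is None:  # e.g. .../myproject/latest with no @revision at all
            tail = m.group(0).rsplit("/", 1)[-1]
            return f"URL points at moving ref '{tail}'" if tail.lower() in FLOATING_REFS else "no pinned revision"
        if ref.lower() in FLOATING_REFS:
            return f"git ref '{ref}' is a moving branch/tag"
        return None if COMMIT_HASH.match(ref) else f"git ref '{ref}' is a tag, not a commit hash"
    # Container image: a tag (or the implicit :latest) is mutable; only a digest is not.
    m = re.match(r"FROM\s+(\S+)", s, re.I)
    if m:
        image = m.group(1)
        if "@" in image and DIGEST.match(image.split("@", 1)[1]):
            return None
        tag = image.rsplit(":", 1)[1] if ":" in image else "latest"
        return f"image tag '{tag}' is mutable; pin by digest"
    # Package requirement: needs an exact version and a content hash to be reproducible.
    m = re.match(r"^[A-Za-z0-9_.-]+\s*(==|>=|<=|~=|!=|>|<)?", s)
    if m:
        return None if m.group(1) == "==" and "--hash=" in s else "not an exact, hash-pinned version"
    return None


def find_unpinned(text):
    # (line number, line, reason) for every reference in the manifest that is not pinned
    return [(n, l.strip(), classify(l)) for n, l in enumerate(text.splitlines(), 1) if classify(l)]
```

Run it over a requirements file or Dockerfile before a build and fail the build on a non-empty result.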