## Progressive Summary

**Executive Summary (Layer 3)**: **Updating a dependency is riskier than living with its known bugs: fork it, trim it to your use case, and never update without a compelling commit.**

**Key Insight (Layer 2)**: "If you are updating a dependency, it's on you to analyze every single commit in the full transitive set of dependencies. If you don't see anything compelling, don't update!"

**Context (Layer 1)**: Mitchell Hashimoto tweet, May 2026, amid the TeamPCP supply-chain attack wave; the doctrine he enforced at HashiCorp for 10+ years.

**Cross-Domain Connections**: [[Pipelines Implicitly Trust Their Inputs]], [[PyPI Supply Chain Attack via Popular AI Dependencies]]

**Discoverability Score**: 8/10

---

## Atomic Insight

**Known bugs are a monitorable risk; updates are an unreviewed one.** A latent bug can be tracked and its CVE watched, while every update imports an unaudited diff across the full transitive dependency set, not just the package you asked for.

Hashimoto's doctrine:

- Fork dependencies and trim them to only your use case
- Never update unless it breaks for your users
- Updating means owning the review of every commit in the transitive set
- Gate question at HashiCorp, "Show me the commit we need": no compelling commit, no update

This inverts "stay current to stay patched": dependency freshness is itself attack surface, since supply-chain compromises propagate through routine updates (compromised maintainers, poisoned transitive dependencies, mutable tags). The trade is patch latency, which is visible and monitorable, for not importing update-borne compromise, which is invisible until exploited. The trade only holds if the known bugs are actually watched: a pinned dependency with an unmonitored CVE is an unreviewed risk too, just a different one.

Same asymmetry as ops change management (most outages are self-inflicted changes) and clinical conservatism in medicine (don't switch a stable patient without a specific indication).

---

*Source: [[Fork your dependencies, trim them to only your use case...]] (Mitchell Hashimoto, X/Twitter, May 2026)*
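The review obligation in the doctrine above, "own every commit in the transitive set", starts with knowing what an update actually changed. The script below, an added example and not code from Hashimoto or HashiCorp, diffs two lock snapshots and turns the result into a review worklist: version bumps to read commit-by-commit, new transitive packages whose whole history is unreviewed, entries that are not hash-pinned (mutable, so reviewing once proves nothing), and the same version republished under a different digest. The lockfile format is an assumption: a simplified pip-style `name==version --hash=sha256:<hex>` line per package; the two sample lockfiles and their digests are constructed, not real.

```python
"""Enumerate what a dependency update actually pulls in, so each change can be reviewed.

Assumed lockfile format (simplified pip-style, one requirement per line):
    name==version --hash=sha256:<64 hex>
The digest is optional in the format; an entry without one is treated as mutable.
Real lockfiles (go.sum, package-lock.json, Cargo.lock) would need their own parser;
the classification logic is format-independent.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)"
    r"(?:\s+--hash=(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class Pin:
    version: str
    digest: Optional[str]  # None: not hash-pinned, the index can serve different bytes for this version


def parse_lock(text: str) -> dict:
    """Parse the simplified lockfile into {normalized_name: Pin}; comments and blanks are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable lock line: {raw!r}")
        pins[m["name"].lower().replace("_", "-")] = Pin(m["version"], m["digest"])
    return pins


def diff_locks(old: dict, new: dict) -> dict:
    """Classify every difference between two lock snapshots.

    changed:  version bump, the commits between the two versions need review
    rehashed: same version but a different digest, the artifact was republished
    added:    new transitive dependency, its entire history is new to you
    removed:  dependency no longer present
    unpinned: entries in the new lock with no digest, so the bytes can change under you
    """
    report = {"changed": {}, "rehashed": {}, "added": {}, "removed": {}, "unpinned": []}
    for name, pin in new.items():
        if pin.digest is None:
            report["unpinned"].append(name)
        if name not in old:
            report["added"][name] = pin.version
        elif old[name].version != pin.version:
            report["changed"][name] = (old[name].version, pin.version)
        elif old[name].digest != pin.digest:
            report["rehashed"][name] = pin.version
    for name, pin in old.items():
        if name not in new:
            report["removed"][name] = pin.version
    return report


def review_worklist(old_text: str, new_text: str) -> list:
    """Turn the diff into the list a reviewer must clear before the update merges."""
    report = diff_locks(parse_lock(old_text), parse_lock(new_text))
    items = []
    for name, (v_old, v_new) in sorted(report["changed"].items()):
        items.append(f"REVIEW  {name}: every commit between {v_old} and {v_new}")
    for name, v in sorted(report["added"].items()):
        items.append(f"REVIEW  {name}: new transitive dependency at {v}, full history unreviewed")
    for name, v in sorted(report["rehashed"].items()):
        items.append(f"BLOCK   {name}: {v} republished with a different digest")
    for name in sorted(report["unpinned"]):
        items.append(f"BLOCK   {name}: not hash-pinned, artifact is mutable")
    for name, v in sorted(report["removed"].items()):
        items.append(f"NOTE    {name}: dropped (was {v})")
    return items


def fake_digest(c: str) -> str:
    """Constructed placeholder digest for the sample data below; not a real artifact hash."""
    return "sha256:" + c * 64


# Constructed sample lockfiles: the 'before' and 'after' of one routine update.
OLD_LOCK = f"""
requests==2.31.0 --hash={fake_digest('a')}
urllib3==2.0.7 --hash={fake_digest('b')}
certifi==2023.7.22 --hash={fake_digest('c')}
"""
NEW_LOCK = f"""
requests==2.32.0 --hash={fake_digest('d')}
urllib3==2.0.7 --hash={fake_digest('e')}          # same version, different bytes
certifi==2023.7.22 --hash={fake_digest('c')}
charset-normalizer==3.3.2                          # pulled in transitively, no digest
"""

if __name__ == "__main__":
    for item in review_worklist(OLD_LOCK, NEW_LOCK):
        print(item)
```

The point of the BLOCK lines is that two of the four findings are not about reading commits at all: a mutable entry and a republished artifact cannot be settled by review, because the bytes you reviewed are not guaranteed to be the bytes you ship. Those have to be fixed (pin by digest, or refuse the republished version) before the "show me the commit" question even applies.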