Field Notes

We got lucky and weren't impacted by the Trivy/axios supply chain attacks, but what's a team supposed to do when patching fast isn't safe and the impending vulnpocalypse means that soon you won't be able to wait?

The advice to wait 72 hours before applying dependency updates makes sense given the recent trend: supply chain attacks often hide in fresh releases, and waiting gives the community time to catch them.

But if everyone waits... Who's doing the catching?

Manual review of dependencies was barely a thing people did when we moved 10x slower, and it would be extremely unlikely to catch the problems we're seeing anyway, since that would require reversing obfuscated builds, tracing network calls and auditing dependency trees. Very few teams have the time or the tooling to do that.

So what can you do now? The simplest thing is to be aware of whether a vulnerability is being actively exploited. Patch immediately if it is. Wait the three days if it isn't.
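The rule in that paragraph as a small policy gate (an added example, not code from this post; the registry timestamps, the exploited-version set and the CVE id are constructed placeholders):

```python
"""Cooling-off gate for dependency updates.

Policy: hold a new release for 72 hours, unless the installed version is
under active exploitation, in which case patch immediately (preferring a
fix version that has already aged past the hold window, if one exists).
"""
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=72)

# Constructed stand-in for an npm-style registry document: version -> publish time.
RELEASES = {
    "1.0.0": "2026-03-01T10:00:00Z",
    "1.0.1": "2026-03-05T09:00:00Z",
    "1.0.2": "2026-03-07T18:00:00Z",
}
# Constructed stand-in for a known-exploited feed: CVE id (placeholder) -> affected versions.
EXPLOITED = {"CVE-0000-00000": {"1.0.0", "1.0.1"}}


def vkey(v):
    """Sort key for dotted numeric versions like '1.0.2'."""
    return tuple(int(p) for p in v.split("."))


def decide(installed, releases, exploited, now, hold=HOLD):
    """Return (action, version); action is 'patch-now', 'upgrade', 'hold' or 'none'."""
    def published(v):
        return datetime.fromisoformat(releases[v].replace("Z", "+00:00"))

    affected = set().union(*exploited.values()) if exploited else set()
    newer = sorted((v for v in releases if vkey(v) > vkey(installed)), key=vkey)
    if not newer:
        return ("none", installed)
    aged = [v for v in newer if now - published(v) >= hold]

    # Override: installed version is actively exploited -> take the smallest
    # non-affected fix, preferring one that has already sat out the hold.
    if installed in affected:
        fixes = [v for v in newer if v not in affected]
        if fixes:
            aged_fixes = [v for v in fixes if v in aged]
            return ("patch-now", (aged_fixes or fixes)[0])

    # Normal path: newest release that has aged past the hold, else wait.
    if aged:
        return ("upgrade", aged[-1])
    return ("hold", newer[-1])


if __name__ == "__main__":
    now = datetime(2026, 3, 8, 12, tzinfo=timezone.utc)
    for v in RELEASES:
        print(v, "->", decide(v, RELEASES, EXPLOITED, now))
```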

Except... that window is closing. Exploitation timelines are collapsing. We're approaching a state where critical CVEs are weaponized in hours, not days, which makes the 72-hour hold start to look like a liability even when the vulnerability hasn't been flagged as actively exploited.

There's no clean answer here. The whole framework assumes someone, somewhere, is doing the watching. It's not clear who that is.