
>> Why do people pin dependencies? The primary reason is that they don’t want dependency updates to suddenly break their packages for end users, or to have their CI results suddenly broken by third-party changes.

Or because we don't want accidental or malicious security vulnerabilities to get automatically incorporated into the software.

This stuff works both ways. You don't automatically incorporate fixes, nor new problems.



The vast, vast majority of updates fix security issues. It's like not vaccinating in case you're one of the million people that has an allergic reaction. Supply chain attacks are rare, not the norm. We hear about such things (and only rarely at that) because it's exceptional enough to make the news.


Yeah, but 'pinning' dependencies is useful so that you can choose when you get those changes.

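An added example, not code from any commenter or from any project discussed in the thread, showing what the "choose when you get those changes" trade-off above looks like at the file level. It audits a pip `requirements.txt` and sorts each dependency into three buckets: exact version pins backed by `--hash=` digests (pip verifies those in its hash-checking mode, which `--require-hashes` or any `--hash` option in the file turns on), exact version pins without digests, and floating specifiers that let the resolver pick a newer release at any time. The sample file contents, the placeholder digests and the function and class names are this example's own.

```python
"""
Audit a pip requirements file for pinning strength.

Added example for this discussion; not code from the thread or from any project.
Assumes the requirements format read by `pip install -r`: exact pins use `==`,
artifact digests use `--hash=<alg>:<hex>`, and long lines are continued with a
trailing backslash. The sample text and its digests are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# pip treats '#' as a comment at line start or when preceded by whitespace.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# project name, optional extras in [...], then whatever version specifier follows.
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
HASH_RE = re.compile(r"--hash=([a-z0-9_]+):([0-9a-fA-F]+)")

# Constructed sample; the 64-hex digests are placeholders, not real artifact hashes.
SAMPLE = """\
# constructed sample, not any project's real lockfile
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
urllib3==2.2.1
numpy>=1.26,<2  # range: new releases inside it arrive on the next install
certifi==2024.*  # wildcard "pin": still floats across patch releases
pyyaml
-r other.txt
"""


@dataclass
class Requirement:
    name: str
    specifier: str                              # spaces removed, e.g. "==2.31.0"
    hashes: list = field(default_factory=list)  # (algorithm, hexdigest) pairs

    @property
    def pinned(self) -> bool:
        """Exact pin only: a single ==X.Y.Z, no range, no wildcard."""
        s = self.specifier
        return s.startswith("==") and "," not in s and not s.endswith(".*")

    @property
    def strength(self) -> str:
        if self.pinned and self.hashes:
            return "hash-pinned"     # version fixed and artifact bytes verified
        if self.pinned:
            return "version-pinned"  # version fixed; a re-uploaded artifact still installs
        return "floating"            # resolver may pick a newer release at any time


def logical_lines(text: str):
    """Yield requirement lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str):
    """Parse requirement lines; pip option lines (-r, -e, --index-url ...) and URLs are skipped."""
    reqs = []
    for line in logical_lines(text):
        if line.startswith("-") or "://" in line or " @ " in line:
            continue
        body, _, opts = line.partition(" --")
        body = body.split(";", 1)[0].strip()  # drop environment markers
        m = NAME_RE.match(body)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        spec = m.group(3).replace(" ", "")
        hashes = HASH_RE.findall("--" + opts) if opts else []
        reqs.append(Requirement(name, spec, hashes))
    return reqs


def audit(text: str) -> dict:
    """Map each requirement name to its pinning strength."""
    return {r.name: r.strength for r in parse_requirements(text)}


def floating(text: str) -> list:
    """Names whose installed version can change without any edit to the file."""
    return sorted(n for n, s in audit(text).items() if s == "floating")


if __name__ == "__main__":
    for name, strength in audit(SAMPLE).items():
        print(f"{name:12s} {strength}")
    print("floating:", ", ".join(floating(SAMPLE)))
```

A version pin alone decides when a new release is taken; only the digest-backed form also rejects an artifact whose bytes differ from what was reviewed, which is the part of the "malicious update" concern above that `==` by itself does not address.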

Which means extra maintenance work to check for every piece of software that anyone uses whether it uses another library that it needs to be recompiled against and, if it fails, how to use the new version.

If there are automatic updates, at least it either works and is more secure, or it breaks automatically and unsafe software stops working.

Whether you prefer people to use MSIE6 because "it just works" or whether you prefer old sites that only worked with MSIE6 to break because it's no longer maintained, that's the trade-off you have to choose between.

As a security person, I'm obviously biased, I can only advise what I see from a professional perspective. All I was saying above is that automatic updates being considered a security risk is on the same scale of odds as considering vaccines dangerous -- in regular cases, that is: of course the advice is different if you're a special (sensitive) organisation or a special (immunocompromised) person.


Nah, I don’t buy it. If it’s “just” bug fixes (for which I might have implemented a hack that now depends on the bug) I prefer nightly builds with the latest (and re-pinned) dependencies available. Releases are just a re-tag after extra QA.



