As I already answered, if you are using packages that break sem-ver (it can happen very easily), or packages that depend on unspecified behavior of another package at a specific version, none of that is caused by the package manager or programming language.
I love me some JS hate from an informed IT expert, but sorry, as politely as I can put it, blaming common targets of unpopularity (JS) for your personal and/or organizational issues (not understanding dependency management) seems very unprofessional to me.
The word "mandatory" is a popular slippery slope, but from your description, I can at best guess what you meant and you haven't elaborated on it.
Dependencies are not magic, they are other people's code. If you blindly update without understanding how anything works, you are in for pain.
Because your company doesn't do the same security update on the testing server, thus creating a difference between the two services.
Npm is highly susceptible to this if you're using uncommon libraries, especially libraries with under 1 million downloads. However, the same can apply to any other tooling or languages that you use.