README.md: 14 additions & 0 deletions
@@ -241,6 +241,20 @@ The following TPM devices have been successfully verified using `tpm-trust audit
241
241
>
242
242
> *Why?* Internally, `tpm-trust` uses `tpm-ca-certificates` library to always get the latest trust bundle.
243
243
244
+
## Dependency Update Policy
245
+
246
+
> [!NOTE]
247
+
> For those interested in understanding the motivations behind this approach, I recommend reading [Filippo Valsorda's thoughts on Dependabot](https://words.filippo.io/dependabot/).
248
+
249
+
This project does not rely on automated dependency update tools like Dependabot. When managing multiple projects in parallel, such tools generate more noise than value.
250
+
251
+
Instead, this project follows a pragmatic, security-first approach:
252
+
253
+
1. **`govulncheck` runs daily** to detect vulnerable dependencies. When a vulnerability is identified → we bump the affected dependency.
254
+
2. **Feature-driven updates**: Dependencies are updated when the project needs a new feature or capability provided by a newer version.
255
+
256
+
This approach balances security with intentionality, ensuring updates happen for concrete reasons rather than on autopilot.
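Review bot: item 1 states that `govulncheck` runs daily, but the hunk gives no pointer to where that happens; add a link to the scheduled workflow (or the exact command it runs) so a reader can verify the claim instead of taking it on faith. It would also help to state the scope of that check: govulncheck only reports advisories present in the Go vulnerability database, and in its default source mode only those whose vulnerable symbols are reachable from this module's code, so a dependency sitting at a vulnerable version whose affected function is never called will not trigger the bump described in item 1, and an advisory that has not yet been imported into the Go vuln DB will not be seen at all. Since item 2 is the only other update trigger, saying this explicitly makes the "security-first" claim honest about what it does and does not cover.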