Kinda agree with the author. I also realized a while ago that pinning Dockerfile dependencies is a terrible practice unless you want to hire people to basically do Dockerfile maintenance.

BTW this site is full of gems I had to learn through pain and suffering. Wish I could have read it ~ 3 years ago.
To be honest, this is why I always create my own patched base image that I schedule with a regular update mechanism and build my applications on top of those.

If my pipeline fails the tests I can always go back to the last successful base build to unblock the current deployment and we have security patches up to a few days ago. I can then investigate what exactly has broken in the last week's set of patches.

Please stop using the raw Ubuntu or Alpine images, it doesn't take much to use your favourite CI scheduler to regularly build a patched Ubuntu/Alpine which you can then use as the basis of your application and remove the fear of regular patching.
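
The workflow described in the comment above (scheduled patched base image, fall back to the last successful base build when tests fail), sketched as an added example that is not part of the thread or any commenter's own code. The registry name, the date-style tags, the `ubuntu:24.04` upstream tag and the one-line-per-build log format are assumptions.

```shell
#!/bin/sh
# Added example. Assumed: an internal registry, date-based tags, and a log
# file with one "TAG pass|fail" line per scheduled build, appended in order.

BASE_REPO="registry.example.com/base/ubuntu"   # hypothetical registry path

# Emit the Dockerfile for the patched base: upstream image plus pending updates.
render_dockerfile() {
  cat <<'EOF'
FROM ubuntu:24.04
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade \
 && rm -rf /var/lib/apt/lists/*
EOF
}

# Build the base image for one tag. --pull refetches the upstream image and
# --no-cache stops Docker from reusing a stale, already-upgraded RUN layer.
build_base() {      # usage: build_base TAG
  render_dockerfile | docker build --pull --no-cache -t "$BASE_REPO:$1" -
}

# Record the result of the application test suite run against a base tag.
record_result() {   # usage: record_result LOGFILE TAG pass|fail
  printf '%s %s\n' "$2" "$3" >> "$1"
}

# Print the most recently recorded tag whose tests passed; return 1 if none.
last_good_tag() {   # usage: last_good_tag LOGFILE
  awk '$2 == "pass" { t = $1 } END { if (t == "") exit 1; print t }' "$1"
}

# Print the image reference an application build should use in its FROM line:
# the newest base if it passed, otherwise the last base that did.
base_for_deploy() { # usage: base_for_deploy LOGFILE
  tag=$(last_good_tag "$1") || return 1
  printf '%s:%s\n' "$BASE_REPO" "$tag"
}
```

A scheduled CI job would call `build_base "$(date +%Y%m%d)"`, run the application tests against that image, and then call `record_result`; application builds take their base from `base_for_deploy`.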