"Vulnerabilities are more common in popular projects." - meaning more popular projects have more known issues, which seems kind of obvious.

Perhaps 'security by obscurity' has its parallel in 'vulnerability in popularity'.

While not a good security tactic in general, there is something to the fact that an obscure library will be less exploited.
Interesting read. One thing seems to be missing, and that is any notion of participating in upstream development. In open source you don't have to just be a consumer, you can actively participate in the development of dependencies to varying degrees. They do point to people near the edge vs on the edge as having better practices, and I'd think that's because they at least <i>follow</i> and understand what's going on vs just using the latest. Following and understanding seems very close to participating, though they are different.
With so many irrelevant advisories, I'm not sure I can take much from this report TBH. Not to mention that I disagree about MTTU, a stat that is clearly skewed toward pencil pushers.

The more time you spend updating dependencies, the less time you spend actually coding things. Well, unless the updates actually give you new features, which is generally not what people are looking for when running an update for some reason.