I am talking about the ongoing hacks of GitHub and npm packages and how they affected many apps worldwide. Is there a statement somewhere stating that it's safe to upgrade? I mean I don't want to upgrade knowing that infected packages of the newest versions would be included in the upgrade.
I'm still on the 2026.03 version, waiting for any information somewhere.
No way to know unless you verify every associated package.
This is true for open source in general.
Not upgrading becomes equally dangerous at some point, so you need to trust the devs to do due diligence for the most part.
What you are asking for is unrealistic (at the moment). Even commercial companies, with bigger resources than Nabu Casa or the Home Assistant community, can't fully defend from software supply-chain attacks.
The announcement by IBM and Red Hat may help accomplish what you are asking for:
IBM and Red Hat Commit $5 Billion to Redefine the Future of Open Source in the AI Era
The only statement anyone will give is that it is definitely not safe not to update. Especially in this day and age. In 2018 it took on average a couple of years before found security holes were actually exploited in the wild. Today, the average is less than two days. AI is finding holes faster than ever, not just by Mythos but also by available AI models. This far outweighs supply chain attacks.
Having AI find security holes quickly will hopefully accelerate patches too. If you do not install those, you are toast.
How to know if it's safe to upgrade HA?
You can't. And that goes for practically every software package that exists from traffic lights to your pacemaker to the doorbell.
Live your life or hide in the Arctic forest are basically your choices.
Honestly, I wouldn't stress about it too much because the risk of staying on an outdated version with known vulnerabilities is way higher than any potential supply chain issue. I just keep an eye on the release notes for major breaking changes and maintain a good backup routine, which lets me roll back quickly if something actually goes sideways.
Hindsight is a wonderful teacher.
The whole industry revolves around trust. I trust you soldered my pacemaker and flight management computer leads properly. I trust you ran the updates for malware scanners on your developer platform. I trust the person that submitted the last PR to your core module didn't have an IP address from some military establishment, US, North Korean or Chinese. I trust some script kiddie that asked their newly installed version of AI how to hack you didn't get a good answer. I trust the person next to me on the freeway will not change lanes without indicating. I trust the traffic lights going green mean the ones facing the other direction have gone red at the same time.
Can't trust anybody? Hide under your blanket and don't come out!
I find it prudent to be cutting edge, not bleeding edge however. Read the change logs. Wait a few hours or days before installing the latest updates and let somebody else stumble on the problem and identify a workaround till it gets fixed. Rinse and repeat. Such is life.
You are forgetting the building contractor or materials provider, and whether the concrete they used is up to standard...
For a long time I've chosen not to upgrade most things until some time after release. Originally it was to give time for bugs to be found and fixed, but these days we're all aware that security is much harder and also an issue.
This is one reason I do not like forced updates, or constant pestering to update. By all means let me know, give me a way to judge, and then leave it to me. I don't need reminders etc.
Back to topic. I agree with waiting a while. With an OS major update I often wait until about a year because some drivers can take a while to come through the system. Probably overkill these days.
So far I've been upgrading HA quite promptly, but I'm very new and learning how that all works. As my system gets expanded I'll stretch the delay, but not too much, because I don't want to make any particular update too onerous where there are breaking changes.
There's no way to know how long is safe to wait because we can never know if the code is safe. Keeping up to date has security and maintenance benefits though, so it's a balancing act.
What I hope is that when there are security issues in an update, this will be highlighted but I've not seen this yet.
If there's nothing in the dashboard about the urgency and reasons for updating, I think that would be a very helpful feature.
Maybe a traffic light system that guides people based on the nature of any pending updates (purely functional, breaking changes, low risk security fixes, critical security fixes) and the time since last update would be a good feature.
What do people think?