C004 — H3:

Statement: The 95% figure is approximately correct but masks important nuance: while a fixed version exists for most vulnerable components, many of those fixes require major version upgrades with breaking changes, making 'just update' impractical. The problem is more about upgrade difficulty than developer negligence.
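
The distinction the statement draws can be made measurable. The following Python is an added illustration, not part of this item, and uses constructed package rows: it separates the share of vulnerable dependencies that have any fixed version from the share whose fix is reachable without a major (breaking) version bump, treating a minor bump on a 0.x release as breaking per semver convention (an assumption).

```python
import re

# Constructed sample rows: (package, installed version, lowest fixed version or None).
# All names and versions are hypothetical; a real run would take them from an SCA tool's report.
SAMPLE = [
    ("libA", "1.4.2", "1.4.3"),    # patch-level fix
    ("libB", "2.0.0", "2.3.1"),    # minor-level fix
    ("libC", "3.1.0", "4.0.0"),    # fix only in the next major
    ("libD", "0.9.1", "0.10.0"),   # 0.x minor bump: treated as breaking
    ("libE", "5.2.0", "5.2.0"),    # already at the fixed version: not vulnerable
    ("libF", "1.0.0", None),       # vulnerable, no fixed version published
]

def parse(version):
    """Return (major, minor, patch) as ints; pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", version, 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def upgrade_kind(installed, fixed):
    """Smallest semver bump needed to reach the fix: none, patch, minor, major or no_fix."""
    if fixed is None:
        return "no_fix"
    a, b = parse(installed), parse(fixed)
    if b <= a:
        return "none"
    if a[0] != b[0]:
        return "major"
    if a[1] != b[1]:
        # Assumption: on 0.y.z releases a minor bump may break the API, so count it as major.
        return "major" if a[0] == 0 else "minor"
    return "patch"

def summarize(rows):
    """Split 'a fix exists' from 'a fix is reachable without a breaking upgrade'."""
    counts = {"no_fix": 0, "patch": 0, "minor": 0, "major": 0}
    for _, installed, fixed in rows:
        kind = upgrade_kind(installed, fixed)
        if kind != "none":  # rows already at or past the fix are not vulnerable
            counts[kind] += 1
    vulnerable = sum(counts.values())
    with_fix = vulnerable - counts["no_fix"]
    non_breaking = counts["patch"] + counts["minor"]

    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0

    return {"vulnerable": vulnerable, "counts": counts,
            "fix_available_pct": pct(with_fix, vulnerable),
            "non_breaking_fix_pct": pct(non_breaking, vulnerable)}
```

On the sample, 80% of vulnerable rows have a fix but only 40% can take it without a major bump, which is the gap the statement says the headline figure hides.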

Supporting Evidence Would Show

  • Studies on the difficulty of dependency upgrades, particularly across major versions
  • Data on the rate of breaking changes in security patches
  • Developer surveys citing compatibility concerns as the primary reason for not updating dependencies
  • Research on transitive dependency conflicts preventing updates

Eliminating Evidence Would Show

  • Evidence that most security fixes are available as patch-level updates without breaking changes
  • Data showing that the majority of unfixed vulnerabilities could be resolved with minor/patch version bumps
  • Studies showing developer negligence or unawareness as the dominant factor rather than upgrade difficulty