
We've Had the Tools All Along

Ed Grosvenor

The tools required to keep us safe from the new threats have mostly been around for years. We just haven't been using them.


A few months ago, I helped clean up after a server was taken over via the Livewire vulnerability that was surfaced in 2025. The CVE was issued over the summer, but it took until early 2026 before exploits started really appearing in the wild. Because I misread the impacted range when the vulnerability was announced, the script I threw together to check our own and our clients' repos missed one vulnerable patch version. It stung us and one of our clients. That mistake is part of what led me to create OurCVEs.
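The mistake described above (misreading the impacted range and missing one vulnerable patch version) is the boundary error a hand-rolled lock-file check is prone to. The script below is an added example, not the post's own script and not OurCVEs code: it reads a composer.lock, finds a package's locked version, and compares it against an affected range using proper numeric semantic-version comparison with an inclusive lower bound and an exclusive upper bound at the first fixed release. The range constants, the package name and the sample lock files are constructed placeholders for illustration; the real affected range must come from the advisory for the CVE in question. It also includes the naive string comparison beside the correct one, to show how "3.10.0" sorts below "3.6.4" lexically and gets misclassified.

```python
"""Check a composer.lock for a package whose locked version falls inside an
affected range, using numeric semver comparison so boundary patch versions
are not missed. Added example; constants below are placeholders."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Placeholder range (assumption, not from any advisory): first vulnerable
# version is inclusive, first fixed version is exclusive.
PACKAGE = "livewire/livewire"
AFFECTED_MIN: Version = (3, 0, 0)   # placeholder
FIRST_FIXED: Version = (3, 6, 4)    # placeholder

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Turn 'v3.6.3' or '3.6.3' into (3, 6, 3). Return None for branch
    aliases such as 'dev-main' so the caller flags them for manual review."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: Version,
                affected_min: Version = AFFECTED_MIN,
                first_fixed: Version = FIRST_FIXED) -> bool:
    """Correct check: every version from affected_min up to, but not
    including, first_fixed is vulnerable. Tuples compare numerically."""
    return affected_min <= version < first_fixed


def naive_string_check(version_text: str) -> bool:
    """The bug to avoid: comparing version strings lexically. '3.10.0' is
    ordered below '3.6.4' because '1' < '6', so a patched release looks
    vulnerable (and the reverse can happen at a range boundary)."""
    return "3.0.0" <= version_text.lstrip("v") < "3.6.4"


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Locked version of `package` from composer.lock, checking both the
    production and the dev sections."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json: str, package: str = PACKAGE) -> str:
    """Classify one lock file: 'affected', 'ok', 'absent' or 'unparseable'."""
    raw = installed_version(lock_json, package)
    if raw is None:
        return "absent"
    parsed = parse_version(raw)
    if parsed is None:
        return "unparseable"
    return "affected" if is_affected(parsed) else "ok"


# Constructed sample lock files (not real project data).
SAMPLE_LOCKS = {
    "boundary": json.dumps({"packages": [{"name": PACKAGE, "version": "v3.6.3"}]}),
    "patched": json.dumps({"packages": [{"name": PACKAGE, "version": "v3.6.4"}]}),
    "dev_only": json.dumps({"packages": [],
                            "packages-dev": [{"name": PACKAGE, "version": "v3.5.0"}]}),
    "branch": json.dumps({"packages": [{"name": PACKAGE, "version": "dev-main"}]}),
    "absent": json.dumps({"packages": [{"name": "laravel/framework", "version": "v12.0.0"}]}),
}

if __name__ == "__main__":
    for label, lock in SAMPLE_LOCKS.items():
        print(f"{label:10s} {check_lock(lock)}")
```

Run it over every composer.lock in the repositories you maintain and treat "unparseable" as a hit that needs a human look rather than silently passing it; branch aliases are exactly the versions a regex-only scan skips.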

We didn't take any severe damage and neither did our client. Mitigation was quick and complete once we realized there was a problem. Unfortunately, I know of other projects that weren't so lucky. Anyway, the cleanup I referred to above wasn't us or a client. It was a friend who paid me in beer to help him get the wheels back on. We do this kind of thing for each other pretty often. What was notable about that cleanup versus the other ones I was involved in was that when he asked me what could have been done to prevent it, I saw an open PR from Dependabot that was never merged. "All you had to do was merge this," I said. He had started off doing it right. He set up Dependabot, and then did what we're all so often guilty of: he started to ignore it because it was noisy and he was busy shipping features.

In thinking about how we're all coming to terms with the fact that our fairly lax 2025 security posture is woefully insufficient in 2026, it kind of annoys me that we've always had the tools at our disposal to do this right. Dependabot does a really good job of identifying vulnerabilities in our application dependencies and will even open a PR for us. All we have to do is click the Merge button (assuming we have a robust test suite... we all do, right?). Spin up an Ubuntu VPS from any major cloud provider and it'll have patches automatically applied. All we have to do is reboot, or configure automatic reboots. We just haven't been doing it.

AI and the rise of the supply chain attack have made all of this slightly more complicated, but package managers are working diligently to add safety valves to let us continue to use these automations.

While the frequency with which supply chain vulnerabilities make headlines is increasing, the measures required to keep us safe haven't changed much. It really just requires two things:

  1. A strong and proactive security posture.
  2. The discipline to maintain it.

As I roll out OurCVEs to our clients, I'm coming to realize that while I built it to help stand up a solid security posture, its real value is in extracting the signal from the noise. By guiding us to automate as much as possible and only surfacing the things that really need our attention, it makes it easier for us to maintain the discipline required to stay on a solid footing.

We're starting to get some feedback from users outside of our client roster, and that's been extremely helpful. If you're using OurCVEs and have any requests or ideas, please reach out. Stay safe and happy shipping!
