Friends Don't Let Friends Use :latest
Blog post from Mergify
Mehdi Abaakouk's article discusses the pitfalls of using floating versions such as ":latest", "^", and "~" in software development, and shows how these seemingly convenient choices lead to broken builds, hidden regressions, and security risks. Floating versions make builds non-reproducible because they resolve to mutable upstream code that can change without notice, causing failures in CI pipelines and production environments. The author emphasizes the security exposure created by unpinned dependencies, illustrated by incidents such as the SolarWinds breach and a phishing attack in September 2025 that compromised popular npm packages to inject malware. To mitigate these risks, the article advises pinning dependencies to exact versions in GitHub Actions workflows, Docker images, and lockfiles, and using tools like Dependabot and Renovate to automate safe updates. By controlling when updates happen and avoiding floating versions, developers get reliable, secure, and reproducible builds and stop trusting whatever mutable code an external source happens to serve at build time.
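As an added example, not code from the article or from Mergify, the following Python checker flags the three kinds of floating reference the summary names: Docker `FROM` lines without a content digest, GitHub Actions `uses:` lines not pinned to a full commit SHA, and `^`/`~`/`latest` ranges in a `package.json`. The sample Dockerfile, workflow and manifest are constructed for the example; the all-zero 40-hex commit SHA and all-zero sha256 digest are placeholders standing in for real pins.

```python
import json
import re

# Hypothetical checker written for this summary; it is not the article's tooling.
SHA40 = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")    # OCI image content digest


def check_dockerfile(text):
    """Return (line_no, reason) for each FROM that is not pinned by digest."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        # skip options such as --platform=...; the image ref is the next token
        ref = next((t for t in tokens[1:] if not t.startswith("--")), None)
        if ref is None or ref.lower() == "scratch":
            continue
        if DIGEST.search(ref):
            continue  # pinned by content digest: immutable
        last = ref.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
        if ":" not in last or last.endswith(":latest"):
            findings.append((n, f"{ref}: resolves to :latest, pin to a @sha256 digest"))
        else:
            findings.append((n, f"{ref}: tag can be re-pushed, pin to a @sha256 digest"))
    return findings


def check_workflow(text):
    """Return (line_no, reason) for each uses: not pinned to a 40-hex commit SHA."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.search(r"uses:\s*([^\s#]+)", raw)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith(("./", "docker://")):
            continue  # local actions and container refs are out of scope here
        if "@" not in uses:
            findings.append((n, f"{uses}: no ref given, defaults to the repository's default branch"))
            continue
        ref = uses.rsplit("@", 1)[1]
        if not SHA40.match(ref):
            findings.append((n, f"{uses}: '{ref}' is a movable tag or branch, pin to a commit SHA"))
    return findings


def check_package_json(text):
    """Return (dependency, reason) for each floating range in a package.json."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            floating = (spec.startswith(("^", "~", ">", "<", "*"))
                        or spec in ("latest", "") or spec.endswith(".x"))
            if floating:
                findings.append((f"{section}.{name}",
                                 f"'{spec}' floats, use an exact version and commit the lockfile"))
    return findings


# --- constructed sample inputs ------------------------------------------------
PLACEHOLDER_DIGEST = "0" * 64   # placeholder, not a real image digest
PLACEHOLDER_SHA = "0" * 40      # placeholder, not a real commit SHA

SAMPLE_DOCKERFILE = (
    "FROM node:latest AS build\n"
    "FROM --platform=linux/amd64 python:3.12-slim\n"
    f"FROM nginx:1.27.0@sha256:{PLACEHOLDER_DIGEST}\n"
    "FROM scratch\n"
)

SAMPLE_WORKFLOW = (
    "steps:\n"
    "  - uses: actions/checkout@v4\n"
    "  - uses: actions/setup-node@main\n"
    f"  - uses: actions/cache@{PLACEHOLDER_SHA}  # v4 (placeholder pin)\n"
    "  - uses: ./.github/actions/local\n"
)

SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.19.2", "lodash": "4.17.21", "left-pad": "latest"},
    "devDependencies": {"jest": "~29.7.0"},
})


def report():
    """Run all three checks over the constructed samples."""
    return {
        "Dockerfile": check_dockerfile(SAMPLE_DOCKERFILE),
        "workflow": check_workflow(SAMPLE_WORKFLOW),
        "package.json": check_package_json(SAMPLE_PACKAGE_JSON),
    }


if __name__ == "__main__":
    for kind, items in report().items():
        for where, reason in items:
            print(f"{kind} {where}: {reason}")
```

Only the digest and the commit SHA are immutable pins; `node:20` or `actions/checkout@v4` can be re-pushed to point at different content. Keeping the human-readable version in a trailing comment next to the SHA, as on the placeholder `actions/cache` line, is the convention Dependabot and Renovate use to know which release a pin corresponds to when they propose an update.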