Upgrading to new version can also introduce new exploits, no amount of tests can find those.
Some of these can be short-lived, existing only on a minor patch and fixed on the next one promptly but you’ll get it if you upgrade constantly on the latest blindly.
There is always risks either way but latest version doesn’t mean the “best” version, mistakes, errors happens, performance degradation, etc.
Well Hetzner's "VPS" [1] is more like the "Cloud" [2] from OVH rather than OVH's VPS [3]
(no /hours pricing, cannot instantly deploy, etc.)
Not that their pricing isn't really really good, but it depends on your use-case. DO / Linode / Upcloud / EC2 / etc. do have an insane pricing in comparison, yes.
I’m surprised the CLI doesn’t asked permission for each program trying to access it, when using their SSH agent I get a popup for any program (then it unlock that key for that program until session ends).
People dismissing this vulnerability miss the point of a password manager which is to protect in such scenario where code gets executed on a machine but at least the data is encrypted, of course in that scenario the attacker can get access to the plain text env variables anyway that the developers has on their machine but at least it is not ALL of your credentials like in this case.
Service Account can limit the blast radius BUT you’ll end up saving that API token in your env anyway giving access to anyone executing malicious code…
Using their CLI is dangerous if they haven’t done anything to protect in this scenario. Did they have any comments in that vulnerability and how they want to mitigate it?
Why not simply return the value of the requested items and that’s it? Why unlock everything in a CLI scenario, surely the most common case is simply grabbing a single item like a .env for a project and that’s it.