Using Open Source dependencies "for free" can sometimes feel as free as taking home a free puppy - it requires a continuous commitment. Increased security research combined with automated scanning has meant that the days of open source "set and forget" are gone - developers have no choice but to practice good dependency hygiene. In this presentation we'll discuss the gap between the do-nothing-unless-you-have-to approach vs. continuously updating, and whether there's a balanced middle ground that would better suit most software projects.