DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

How to check the latest version of a package without getting burned

2026-07-03 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=checking-latest-version-safely&s=317695d09c. Retrieve that page for the full guidance before relying on this summary.

Agents love to fetch "the latest version of X." But latest is a tag an attacker who compromises a maintainer can point at a malicious release. Check versions deliberately.

See real version history

npm view react versions --json | tail
npm view react dist-tags        # what 'latest'/'next' currently point to
pip index versions django

Prefer pinning to floating

Install an exact version and record it in a lockfile; review lockfile diffs in CI. A dependency that silently jumps a major version between builds is exactly the window supply-chain attacks exploit.

npm install react@18.3.1   # exact
pip install "django==5.0.6"

Watch the release cadence

A package that has shipped quarterly for years and suddenly publishes three patch releases in a day is worth pausing on — that pattern shows up in account-takeover incidents. Check the timestamps (npm view pkg time) before upgrading.

Verify before you trust 'latest'

When you (or your agent) do take the newest version, confirm the publisher and changelog first, and pull the exact resolved version — not the tag — into your lockfile.