- Pin and explicitly use specific versions of third-party libraries.
- Add a reasonable delay period before automatically upgrading or updating third-party libraries.
- This helps mitigate supply chain attacks by reducing the risk of a compromised version of a library getting into an application or working environment.
- For example, say you have a two-hour delay period. A compromised version of a library is published, and the first reports of compromise or detection come through 15 minutes later. Ten minutes after that, the poisoned version is removed. You are unaffected, because two hours have not yet passed since the poisoned version was released.
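A small policy check that combines both points above (an explicit pin plus a cooldown before moving to a newer release), added here as an illustrative example rather than code from the original notes; the package name, release timestamps and the shape of the registry metadata are all constructed:

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample registry metadata for a hypothetical package "examplelib"
# (not real data): (version, published_at, yanked_at or None). A real tool would
# fetch these timestamps from the registry's API.
SAMPLE_RELEASES = [
    ("1.4.0", datetime(2024, 5, 1, 9, 0, tzinfo=UTC), None),
    ("1.4.1", datetime(2024, 5, 3, 10, 0, tzinfo=UTC), None),
    # Poisoned release from the scenario in the text: published at 12:00,
    # first reports 15 minutes later, removed from the registry at 12:25.
    ("1.4.2", datetime(2024, 5, 3, 12, 0, tzinfo=UTC),
              datetime(2024, 5, 3, 12, 25, tzinfo=UTC)),
]

# Constructed points in time used to walk through the scenario.
NOW = datetime(2024, 5, 3, 12, 15, tzinfo=UTC)    # 15 min after the poisoned release
LATER = datetime(2024, 5, 3, 14, 30, tzinfo=UTC)  # cooldown elapsed, release already yanked
NO_COOLDOWN = timedelta(0)
TWO_HOURS = timedelta(hours=2)

def is_live(yanked_at, now):
    """A release is live if it has not been removed from the registry as of `now`."""
    return yanked_at is None or yanked_at > now

def is_old_enough(published_at, now, min_age):
    """The cooldown rule: only releases published at least `min_age` ago qualify."""
    return now - published_at >= min_age

def select_version(releases, now, min_age):
    """Newest live release that has passed the cooldown, or None if nothing qualifies."""
    eligible = [
        (published_at, version)
        for version, published_at, yanked_at in releases
        if is_live(yanked_at, now) and is_old_enough(published_at, now, min_age)
    ]
    return max(eligible)[1] if eligible else None

def upgrade_target(current_pin, releases, now, min_age):
    """Version to pin next: the selected release, or the current pin when none qualifies."""
    chosen = select_version(releases, now, min_age)
    return chosen if chosen is not None else current_pin

if __name__ == "__main__":
    # Without a cooldown the poisoned 1.4.2 is picked up; with two hours it never is.
    print("no cooldown:", upgrade_target("1.4.1", SAMPLE_RELEASES, NOW, NO_COOLDOWN))  # 1.4.2
    print("2h cooldown:", upgrade_target("1.4.1", SAMPLE_RELEASES, NOW, TWO_HOURS))    # 1.4.1
    print("2h, later:  ", upgrade_target("1.4.1", SAMPLE_RELEASES, LATER, TWO_HOURS))  # 1.4.1
```

By the time the two-hour cooldown has elapsed, the poisoned release is already yanked, so it is skipped and the pin stays on 1.4.1.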