The way that I sort of split that difference in practice is you really want to make sure that it's not just about regularly upgrading. Your library upgrade work should always be, I am upgrading this library now. And by the time you're upgrading the one library that really does have a big breaking API change, it's not actually that hard, as long as everything else is already up to date. If you're not upgrading all the super easy, almost free, like just hit the green button on the PR, that's working. Most attackers who are doing things with supply chain attacks aren't all that clever, and so they will just end up trying to pop your CI