Which sequence best describes the typical workflow for handling a new vulnerability in dependencies?

Vulnerability response for dependencies is a structured flow: detect the issue, assess its severity, upgrade to a patched version, test to ensure compatibility, communicate the change if appropriate, and monitor for further advisories. Detecting through scanners or reports flags the problem, triage evaluates impact and exploitability so you know how urgently to act, and upgrading to the fixed version removes the vulnerable code from your supply chain. Testing verifies that the upgrade doesn’t break your application or its integrations, and publishing an advisory or notifying downstream users helps reduce risk across all consumers. Finally, ongoing monitoring keeps you informed about new fixes or related advisories. This approach is better because it quickly reduces exposure with a safe, validated fix, maintains system stability through testing, and ensures stakeholders are informed. Other paths fall short: patching the dependency’s code directly and ignoring the notification step isn’t sustainable or transparent; reverting to an older version or disabling features delays remediation and can disrupt functionality; and treating it as an internal pen-test with public exploit details is neither standard practice nor advisable for supply-chain vulnerabilities.