Fix is the real F-word: Why Finding Is Easy But Fixing Is Hard
Open-source vulnerabilities are a constant challenge, but fixing them isn’t as simple as just applying an update. In reality, security patches often introduce breaking changes, trigger dependency conflicts, or disrupt legacy systems in ways that teams don’t anticipate. We’ll discuss strategies to manage these challenges so that the fix doesn’t become a source of frustration—the "F-word" that no one wants to say.
In this talk, we’ll explore why vulnerability remediation is harder than it looks, breaking down real-world examples of how upgrades go wrong. From API deprecations to semantic versioning that promises compatibility it does not deliver, we’ll highlight common pitfalls that make security fixes riskier than expected. We’ll also dive into transitive dependencies, the packages you never chose directly but still ship, and how a single version range pinned deep in the tree can block even a straightforward update.
But fixing vulnerabilities doesn’t have to be a nightmare. We’ll discuss practical strategies for tackling remediation more effectively: when to backport a patch instead of upgrading, how to handle dependency overrides (and how to test a forced version that the intermediate package never ran against), and ways to document unresolved risk without creating panic. We’ll also cover frameworks for prioritizing fixes, improving collaboration between security and development teams, and using the test suite as the safety net that makes an upgrade safe to attempt.
Attendees will leave with a better understanding of why fixing security issues is so difficult—and, more importantly, how to make the process smoother, reducing friction and wasted effort along the way.
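The transitive-dependency problem the abstract describes can be made concrete with a small resolver walk. The following is an added example, not code from the talk or its speaker: it takes a dependency graph, finds every path by which a vulnerable package reaches the application, and checks whether the version range declared on each path can actually pick up the fixed release. The package names, the graph and the advisory versions are constructed for illustration; the semver matcher is a minimal npm-style subset (caret, tilde, `>=`, exact pin) written for this example. The same advisory is run twice, once with the fix shipped as a patch release and once with it shipped as a new major, which is the "misleading semver" case where a caret range silently excludes the only safe version.

```python
"""Added example (not from the talk): map every path by which a vulnerable
package reaches an application and check whether each path's declared
version range can actually pick up the fixed release. Package names, the
graph and the advisory data below are constructed; the semver matcher is a
minimal npm-style subset (^, ~, >=, exact) written for this example."""
from __future__ import annotations

from dataclasses import dataclass


def parse(version: str) -> tuple[int, int, int]:
    """'1.4.2' -> (1, 4, 2). Pre-release suffixes are out of scope here."""
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def satisfies(version: str, constraint: str) -> bool:
    """Does `version` fall inside `constraint`? Caret keeps the leftmost
    non-zero component fixed, tilde keeps major.minor fixed."""
    v = parse(version)
    if constraint.startswith("^"):
        lo = parse(constraint[1:])
        if lo[0] > 0:
            hi = (lo[0] + 1, 0, 0)
        elif lo[1] > 0:
            hi = (0, lo[1] + 1, 0)
        else:
            hi = (0, 0, lo[2] + 1)
        return lo <= v < hi
    if constraint.startswith("~"):
        lo = parse(constraint[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)
    if constraint.startswith(">="):
        return v >= parse(constraint[2:])
    return v == parse(constraint)  # bare version = exact pin


# Constructed dependency graph: package -> {dependency: declared constraint}.
GRAPH = {
    "app": {"web-kit": "^2.1.0", "log-fmt": "~3.2.0", "http-parse": "^1.4.0"},
    "web-kit": {"http-parse": "^1.4.0"},
    "log-fmt": {"http-parse": "1.4.2"},   # exact pin deep in the tree
    "http-parse": {},
}


def find_paths(graph: dict, root: str, target: str) -> list[list[tuple[str, str, str]]]:
    """Every path root -> ... -> target, as lists of (parent, child, constraint)."""
    paths: list[list[tuple[str, str, str]]] = []

    def walk(pkg: str, path: list, seen: frozenset) -> None:
        for dep, constraint in graph.get(pkg, {}).items():
            edge = path + [(pkg, dep, constraint)]
            if dep == target:
                paths.append(edge)
            elif dep not in seen:          # guard against dependency cycles
                walk(dep, edge, seen | {dep})

    walk(root, [], frozenset({root}))
    return paths


@dataclass(frozen=True)
class Finding:
    chain: str       # "app -> web-kit -> http-parse"
    constraint: str  # range declared on the last edge of the chain
    action: str      # what it takes to land the fixed version on this path


def plan(graph: dict, root: str, vulnerable: str, fixed: str) -> list[Finding]:
    """Classify each path by whether its declared range can reach `fixed`.

    upgrade               direct dependency, fix inside the range: bump the lock
    refresh-lock          transitive, fix inside the range: re-resolve the lock
    bump-constraint       direct dependency whose own range excludes the fix
    override-or-backport  a parent pins a range that excludes the fix; only a
                          resolver override or a backported patch gets it in,
                          and the parent never tested against that version
    """
    findings = []
    for edges in find_paths(graph, root, vulnerable):
        _, _, constraint = edges[-1]
        chain = " -> ".join([parent for parent, _, _ in edges] + [vulnerable])
        direct = len(edges) == 1
        if satisfies(fixed, constraint):
            action = "upgrade" if direct else "refresh-lock"
        elif direct:
            action = "bump-constraint"
        else:
            action = "override-or-backport"
        findings.append(Finding(chain, constraint, action))
    return findings


def override_needed(findings: list[Finding]) -> bool:
    """True when at least one path cannot be fixed by a normal version bump."""
    return any(f.action == "override-or-backport" for f in findings)


if __name__ == "__main__":
    # Same advisory, two release strategies by the upstream maintainer.
    for fixed in ("1.4.3", "2.0.0"):
        print(f"fix shipped as {fixed}:")
        for f in plan(GRAPH, "app", "http-parse", fixed):
            print(f"  {f.chain:32} {f.constraint:8} -> {f.action}")
```

Running it shows the two halves of the problem. When the fix ships as `1.4.3`, the direct dependency and the `web-kit` path resolve with a lockfile refresh, but `log-fmt`'s exact pin still drags `1.4.2` in and needs an override or a backport. When the maintainer ships the fix only as `2.0.0`, every caret range excludes it: the direct constraint has to be bumped and both transitive paths need an override, which forces `web-kit` and `log-fmt` onto a major version they were never tested against. That is the point at which the test suite, rather than the version number, decides whether the fix is safe.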