This post is going to be an advocate for managing your project dependencies and ensuring they are up to date. This seems to be a controversial topic, so I suspect we won't all agree. I think it comes down to your personal experience as to how you might view dependencies.

Back in my early career days, I had to deal with fixing dependencies when a security exploit was discovered in one of them. It was a real pain, and I never wanted to do it again under those circumstances: super stressful and time-sensitive. So, I made a firm decision: keeping dependencies up to date was the way to go.

Checkout the Code maintainability capability on the DORA website for a more robust argument.

What is a project dependency?

A dependency, or library, is essentially someone else's code. You would install this via your language's package manager, for example npm (Node), composer (PHP), or pip (Python).

The dependency is likely to give you some functionality that you do not want to write yourself. This could be as grand as a framework, such as React, Django, or Symfony. Or, it could be a dev tool like a code linter, and everything in between.

You essentially outsource the responsibility of logic to another project or engineer to perform a capability for you. In most cases, you will interact with it through its public API or contract within your project.

Before you keep adding dependencies to your project, you may want to consider if it’s better to use a third-party project, or to write it yourself. Whilst it is quicker to install other libraries into your project, in the long run it may actually be harder to support. We delve into this next.

So why do we need to keep dependencies up to date?

It's a valid question. For me, it breaks down as follows:

Security - If a dependency has a security exploit, you want to be able to update it as soon as possible. This is to ensure your project is not vulnerable to attack. The longer you have left the dependency to decay, the harder it could be to update it. For example if there have been major version changes, you might need to refactor your code to integrate with the new version.

Bug fixes - It's likely that your dependency has been worked on by the project owners. Just like your code, the library may have had bug fixes, and performance improvements applied. Your application could benefit from these changes.

Improvements - Maybe the library has had some new features added to it, that could improve your project. By updating frequently, the changeset you need to understand is minimal. You might be able to do small refactors to your existing code to take advantage of the new features.

Compatibility - If you're using a library that is not being updated, you could find yourself in a situation where you're unable to update other dependencies. This could be because the old library version is no longer compatible with the newer versions of other dependencies.

Maintenance - Regular updates prevent the accumulation of technical debt, making it easier to maintain your project in the long run.

How to keep the dependencies up to date?

We have a few options available to us here. As mentioned above, really think about if a dependency is even required.

If you really need the dependency, then you can either update your dependencies manually, or you can automate the process.

I'd recommend automating the process, which takes the burden away from keeping them up to date (almost).

Some options would include:

  • Dependabot - Built within the GitHub product set, this will create pull requests for you to update your dependencies.
  • Renovate - A vendor agnostic solution, that can be used with GitHub, GitLab, Bitbucket, and Azure DevOps.

I've personally only ever worked with Dependabot, and never really had any issues with it.

An example of what a simple Dependabot configuration looks like is as follows. This will monitor your npm dependencies on a weekly schedule and raise pull requests for you, if your dependencies are out of date. Check out the docs to see if your package repository is supported.

# .github/dependabot.yml
version: 2
updates:
  # Maintain dependencies for npm
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    commit-message:
      prefix: 'npm'

However you update your dependencies, I would recommend at least reviewing the changelog for the updated version. Automation is fantastic, and you can get all your automated tests running, and merge without a human being involved. However, you lose context. You would not find out about new features and improvements unless you review the changelog. It's also a good habit to know what you're installing into your project.

Summary

In this post, we explored the importance of managing and regularly updating your project dependencies. Keeping dependencies up to date is crucial for maintaining security, fixing bugs, accessing new features, ensuring compatibility, and improving performance. Outdated dependencies can lead to significant issues such as security vulnerabilities, compatibility problems, and technical debt.

I highly recommend you get them up to date, and then automate the process for keeping them up to to date. Good luck.

Photo by Mike Hindle on Unsplash

See also

Author Of article : Ben Selby Read full article