14 October, 2025 (Blog Post)

Don't Sleep On Dependabot

Do yourself a favor. Automate dependency updates.


I've been involved with many different dependency update strategies throughout my career. But none allow me to sleep at night quite so soundly as using Dependabot (or Renovate or other automated dependency update tools).

When it comes to dependency updates, there's a spectrum. On the one hand, you have manual dependency updates, which means updating the dependencies whenever you remember that you have to, or having a fixed schedule in your calendar to remind you to update all of your dependencies.

On the other hand, you have fully automated dependency updates, using tools like Dependabot or Renovate to update the dependencies for you.

[Figure: Update Process Natural Progression]

Of course there's the approach of never updating your dependencies or updating your dependencies once a year or once every five years when you remember "Oh shit! I should probably update something".

That's not really a strategy that works long-term, nor one that's guaranteed to lead to a more secure outcome.

I Choose Dependabot

I have it set to scan all of my dependencies once a week, create pull requests for minor and patch updates and auto merge those if all the pipeline checks pass. For major updates I wanna review the PRs manually, so I just have Dependabot open PRs that I can then review every Monday.

For this to work, you have to have a good test suite and CI and ideally a good way of rolling back pull requests that may break production.

One of the great things about Dependabot is that it supports a bunch of different package managers and technologies. For Codecannon we have Dependabot set up to update our Node packages, PHP Composer packages, Go packages, and even things like Docker images and GitHub Actions versions.


You can of course update dependencies just whenever you remember to, but there are two problems with this.

Security

More and more we're seeing the number of dependencies in our projects grow. I have a little bit of PTSD from dependency bloat, so I try to steer clear of as many dependencies as humanly possible, but still, sometimes we have to make trade-offs for productivity and include dependencies in our projects.

But all of those dependencies are attack vectors, and library authors work very hard to keep dependencies up-to-date and fix security vulnerabilities whenever they're discovered.

If you're not updating your dependencies regularly you might miss some of those security updates, so, as a rule of thumb, frequent dependency updates are a good idea.

One caveat here: you may not want to update every package the moment a new version is released, but Dependabot has settings that let you specify when to update what (for example, which update types to ignore for a given package).

Reduced Workload

The other reason to update your dependencies regularly is that infrequent updates necessarily increase the amount of work for each update.

Trust me, updating five dependencies each week (which can be done on autopilot most of the time) is a lot simpler than updating 50 once a year - especially when those libraries released major versions and introduced breaking changes.

If a library releases a new major version in January that changes a frequently used API, and you update that library at the end of January, you'll be using the new APIs throughout the year.

If you wait until December to update, then come December, you'll likely have a whole bunch of code, using an old API that's been deprecated, that you now have to migrate to the new version.

So not only do the PRs get smaller and easier to review, but in all likelihood, you'll also actually reduce the amount of code you have to fix if you're updating your dependencies regularly.

How Do I Do This?

Dependabot is super easy to set up. If you use GitHub, they'll host it for you and let you create the basic config through their UI. Any additional configuration can usually be done pretty easily with AI, or by taking an hour to look at their documentation and configuring it manually. From there the upgrade process pretty much works by itself.

As I mentioned, we have a weekly update schedule every Monday, so every Monday we get around 10 to 20 new PRs that run CI. If everything passes and there are no major updates, they simply get merged into main and we never have to interfere, unless some of the tests fail or there are major updates.

The config looks something like this:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"
```
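As an added example (not the post's own config), here is a fuller `.github/dependabot.yml` matching the setup described above: a Monday schedule across the ecosystems the post lists, minor and patch bumps grouped into one PR per ecosystem so CI can merge them together, and major bumps left as their own PRs for review. The package name `example-legacy-lib` is a hypothetical placeholder.

```yaml
# Added example, not the post's own file: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      # minor and patch bumps land in one PR; a major bump falls outside
      # the group and gets its own PR that a human reviews
      minor-and-patch:
        update-types: ["minor", "patch"]
    ignore:
      # hypothetical package pinned on purpose: never propose its major bumps
      - dependency-name: "example-legacy-lib"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

  # base image tags in Dockerfiles and action versions in workflows
  # are bumped the same way as library dependencies
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
```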

And the auto merge instructions can be found here.

If you're gonna do this make sure you have good test coverage and make sure you have smoke tests so in case something gets merged and some critical functionality stops working because of an update, it's easy to roll back the PR. If you're brave, you can also enable automatic rollback with some custom GitHub actions magic.

For us, this process is a lifesaver, because we are a very small team and going through 20 different types of updates every week manually is painful, especially when you include Docker images or GitHub Actions, which have no way to update dependencies automatically via a CLI and require you to review and update everything by hand.


That's it! If you've never done it before, do yourself a favor and test out Dependabot (or Renovate if you're looking for a self-hosted option, or if you're not using GitHub).

It doesn't take much to set up and it saves you a lot of time. If you care about staying up-to-date and staying secure, give automation a try.


Andrej Fidel

Co-Founder @ Codecannon
