Dependency Management vs Dependency Updates: What’s the Difference?


It’s not uncommon to hear people refer to updating dependencies as “dependency management”. They’re not wrong; keeping dependencies up to date is a big part of dependency management, but it’s not everything. Read on to learn more about the differences between the two.

What is dependency management?

Let’s first briefly break down what dependencies are.

Dependencies are the relationships between software components that rely on each other to work. A direct dependency is a component your code calls itself. An indirect (transitive) dependency is one your code never calls directly but that one of your direct dependencies pulls in: if component A calls component B, and B calls component C, then C is a transitive dependency of A.

Sounds fairly straightforward, but of course component A could rely on components B, D, E, F, and G; component B could rely on C and G; component G might only work with one particular version of component F; and… you get the idea. These relationships get complicated quickly. Moreover, these components are usually projects maintained by other developers, so you have no control over how their newer versions are built or behave.

Dependency management involves selecting, identifying, and defining all of these relationships and resolving the conflicts that arise between them. Some minimal amount of it happens every time a new component is added to a project and every time an existing component is updated.

Some specific dependency management tasks include:

  • Identifying all external components that a project relies on
  • Choosing appropriate components
  • Defining components in a configuration file
  • Ensuring the correct versions of components are retrieved
  • Recognizing constraints in compatibility between particular versions of components
  • Resolving compatibility conflicts between components
  • Keeping dependencies up to date

For a deeper look at dependency management, check out this blog.

A purely theoretical project that never changes might seem to need no dependency management once it’s built. In reality, nearly every project is expanded upon at some point, and even a frozen one accumulates newly disclosed vulnerabilities in the exact versions it has pinned, so it will at least need updating for security reasons.

Which leads us to dependency updates.

Dependency updates

Software will need to be updated. It’s a simple fact of life, and it is the main reason solid dependency management throughout a project’s entire lifecycle is so necessary.

But updating isn’t always easy. New versions of each component keep appearing, perhaps adding functionality or shipping security patches, and because of the relationships between components, updating one of them can cause another to stop working.

And perhaps updating that other component would fix the first problem but create a new one with an entirely different component! This is referred to as dependency hell, and even fairly small projects can find themselves in the depths of it.
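To make the direct/transitive distinction and the "updating B breaks G" scenario concrete, here is a toy backtracking resolver. It is an added example, not code from the original post or from Mend: the package index, version numbers and constraints are constructed to mirror the component graph described earlier (A relies on B, F and G; B relies on C and G; G only works with one particular version of F), and B 2.0 is a hypothetical new release that requires a newer F.

```python
"""
Toy backtracking dependency resolver (added example; constructed data).
Models the graph from the text and shows why updating B to 2.0 fails.
"""
from __future__ import annotations


class Conflict(Exception):
    """No version assignment satisfies every constraint."""


# Constructed sample index: package -> version -> {dependency: constraint}.
# B 2.0 is the hypothetical new release that needs F 2.x; G is pinned to F 1.0.
INDEX: dict[str, dict[str, dict[str, str]]] = {
    "A": {"1.0": {"B": ">=1.0", "F": ">=1.0", "G": ">=1.0"}},
    "B": {"1.0": {"C": ">=1.0", "G": ">=1.0"},
          "2.0": {"C": ">=1.0", "G": ">=1.0", "F": ">=2.0"}},
    "C": {"1.0": {}},
    "F": {"1.0": {}, "2.0": {}},
    "G": {"1.0": {"F": "==1.0"}},
}

# Two-character operators must be tried before their one-character prefixes.
_OPS = (("==", lambda a, b: a == b), (">=", lambda a, b: a >= b),
        ("<=", lambda a, b: a <= b), (">", lambda a, b: a > b),
        ("<", lambda a, b: a < b))


def parse_version(text: str) -> tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3).  Numeric dotted versions only, not full PEP 440."""
    return tuple(int(part) for part in text.split("."))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets every comma-separated term, e.g. '>=1.0,<2.0'."""
    v = parse_version(version)
    for term in constraint.split(","):
        term = term.strip()
        for op, test in _OPS:
            if term.startswith(op):
                if not test(v, parse_version(term[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint term: {term!r}")
    return True


def resolve(index, requirements, chosen, pinned_by):
    """Depth-first search over (requirer, package, constraint) triples.
    The newest satisfying version is tried first; on a Conflict the search
    backtracks to an older one.  Returns {package: version}."""
    chosen, pinned_by = dict(chosen), dict(pinned_by)
    if not requirements:
        return chosen
    (requirer, name, constraint), rest = requirements[0], requirements[1:]
    if name in chosen:                       # already pinned: constraint must agree
        if satisfies(chosen[name], constraint):
            return resolve(index, rest, chosen, pinned_by)
        raise Conflict(f"{requirer} needs {name}{constraint}, "
                       f"but {pinned_by[name]} already pinned {name}=={chosen[name]}")
    candidates = sorted((v for v in index[name] if satisfies(v, constraint)),
                        key=parse_version, reverse=True)
    if not candidates:
        raise Conflict(f"no version of {name} satisfies {constraint} (needed by {requirer})")
    reasons = []
    for version in candidates:
        chosen[name], pinned_by[name] = version, requirer
        # Walk the chosen version's own requirements before the remaining ones;
        # this is what makes C (via B) a transitive dependency of A.
        transitive = [(name, dep, c) for dep, c in index[name][version].items()]
        try:
            return resolve(index, transitive + rest, chosen, pinned_by)
        except Conflict as exc:
            reasons.append(str(exc))
    raise Conflict("; ".join(dict.fromkeys(reasons)))   # de-duplicated, in order


def resolve_project(index, root, version, overrides=None):
    """Resolve root==version.  `overrides` replaces the root's own constraints,
    which is how an intended update such as {"B": ">=2.0"} is expressed."""
    wanted = dict(index[root][version], **(overrides or {}))
    requirements = [(root, dep, c) for dep, c in wanted.items()]
    return resolve(index, requirements, {root: version}, {root: "the project"})


def classify(index, root, resolution):
    """Label each resolved package as a direct or transitive dependency of root."""
    direct = set(index[root][resolution[root]])
    return {name: ("direct" if name in direct else "transitive")
            for name in resolution if name != root}


def conflict_reason(index, root, version, overrides=None):
    """Why an update cannot be resolved, or None if it resolves cleanly."""
    try:
        resolve_project(index, root, version, overrides)
    except Conflict as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    pins = resolve_project(INDEX, "A", "1.0")
    print("resolved:", pins)          # B stays at 1.0 even though 2.0 exists
    print("kinds:   ", classify(INDEX, "A", pins))
    print("update B:", conflict_reason(INDEX, "A", "1.0", {"B": ">=2.0"}))
```

Resolving A as-is quietly keeps B at 1.0, which is exactly how projects fall behind without noticing: the newest B is never selected because G's `F==1.0` pin blocks it. Forcing the update (`{"B": ">=2.0"}`) surfaces the real conflict, "B needs F>=2.0, but G already pinned F==1.0", and the only way out is to update G as well, which is the chain reaction the paragraph above describes.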

So how are dependency updates managed?

Managing dependency updates

While small projects can conceivably get away with manual updates, larger projects almost certainly cannot. The absolute worst way to deal with updates is not to update at all. Don’t do that: it means choosing to take on technical debt you don’t need, and every vulnerability already patched upstream stays in your build. (You can read more about dependency management and technical debt here.)

Here are some ways to manage dependency updates without getting sent straight to dependency hell:

  • Update early. With new projects, get into the habit of updating frequently, even when it isn’t strictly necessary for the health of your project, so components don’t end up many versions behind by the time an update is no longer optional.
  • Update automatically. Use an automated dependency updating tool (we like our own open source tool, Mend Renovate) to group and pull updates on a schedule that works for you.
  • Start small on big projects. If you’ve got a project that’s seriously behind in updates, check out the tips in this blog for getting going.
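As an added example of what the three tips look like in practice, here is a Renovate configuration that batches routine updates, keeps major bumps and security fixes visible on their own, and throttles the PR volume for a project that is catching up. It is not taken from the original post or from Mend’s documentation; the option names are Renovate’s documented ones, while the schedule, label names, PR limit and release-age values are assumptions chosen for illustration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["before 6am on monday"],
  "minimumReleaseAge": "3 days",
  "prConcurrentLimit": 5,
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "routine minor and patch updates"
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["major-update", "needs-review"]
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"]
  },
  "lockFileMaintenance": { "enabled": true }
}
```

Minor and patch updates arrive as one grouped PR each Monday, majors get their own labelled PRs so a reviewer looks at the changelog, and vulnerability-driven updates are given a schedule of their own so they are not held back until the next weekly window. `minimumReleaseAge` is the supply-chain caveat: waiting a few days before adopting a brand-new release gives the ecosystem time to pull a hijacked or broken version, and `prConcurrentLimit` keeps a badly behind project from being buried under dozens of PRs at once.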

tl;dr

Updating dependencies is just one aspect of dependency management, albeit a very important one. Dependency management also includes keeping track of which components go into your projects, their versions, and their reliance on other components as well as resolving conflicts between components.
