Dependency management is a broad topic encompassing, among other things, keeping an inventory of dependencies, removing unused dependencies, and fixing conflicts between dependencies. In this article, we will focus on one large part of software dependency management that devs can do easily and with great results: updating dependencies.
Most of us are usually happy to have the latest updates to our components because it means we also have the latest features, but there’s more to gain from regular dependency updating than new features. Keeping packages up to date means improved development velocity in both the near and long term. Over time, outdated dependencies accrue technical debt that only gets harder to reduce the longer it is left alone. There are security concerns to consider as well. If a critical vulnerability is found in a package that you’re many versions behind on, and the fix only ships in the latest version, which conflicts with the rest of your codebase, you may have a lot of work (and time) ahead of you before that vulnerability can be patched.
If updating dependencies is such a great thing, why does it sometimes live permanently on the back burner? Sometimes the pace of development is so great that devs simply don’t find the time for it, and in the chaos it can be difficult to explain to a boss why you’re “fixing” something that’s functioning just fine (fine for now, anyway). The longer it goes, the harder an update can be to make, which in turn makes putting it off even longer the easiest choice, if it’s still a choice that’s possible to make.
Here are some tips for motivated developers who want to make regular dependency updates as painless as possible:
Hopefully you find these tips helpful. We have found that the minor pain of introducing regular dependency updates is more than worth the gains of reduced technical debt, new features, and increased security, and we think you will, too.
Until next time, stay up to date, friends!