Getting Started with Software Dependency Management

Dependency management is a broad topic encompassing, among other things, keeping an inventory of dependencies, removing unused dependencies, and fixing conflicts between dependencies. In this article, we will focus on one large part of software dependency management that devs can do easily and with great results: updating dependencies.

Why you should keep your dependencies up to date

Most of us are usually happy to have the latest updates to our components because it means we also have the latest features, but there’s more to gain from regular dependency updating than new features. Keeping packages up-to-date means improved development velocity in both the near and long term. Over time, outdated dependencies accrue technical debt that only gets harder to reduce as time goes on. There are security concerns to consider as well. If a critical vulnerability is found in a package that you’re many versions behind on, and only fixed with the latest version which has conflicts with the rest of your codebase, you may have a lot of work (and time) ahead of you before that vulnerability can be patched.

Why dependency management gets ignored

If updating dependencies is such a great thing, why does it sometimes live permanently on the backburner? Sometimes the pace of development is so great that devs simply don’t find the time for it and in the chaos it can be difficult to explain to a boss why you’re “fixing” something that’s functioning just fine (fine for now, anyway). The longer it goes, the harder an update can be to make, which then in turn makes putting it off even longer the easiest choice, if it’s still a choice that’s possible to make.

OK I’m convinced. How do I get started?

Here are some tips for motivated developers who want to make regular dependency updates as painless as possible:

1. Start small. Getting started is the hardest part–it only gets easier, promise–so start small enough that you can handle the initial load entirely on your own.
2. Spread the good news to everyone else. Your teammates will likely notice and appreciate your initial effort and embrace the new way of doing things. Other teams will see the value as well. Have a talk with management so they know what you’re doing and why it’s important.
3. Automate and build into your pipeline. There are free tools available through both GitHub and BitBucket that automatically locate outdated dependencies and create pull requests for updates. Some tools, like Mend Renovate Community, have features that group pull requests by type and rate the likelihood a given update will merge without any problems, so you can spend less time poring over release notes.
4. Start new projects with dependency updating already in mind. If you’re starting something fresh, put the effort in to get the tools and structure in place to keep dependencies up to date from the get-go. Who knows, maybe in seven years your app will be the “old app” that’s still so up to date no one is afraid to touch it.

Hopefully you find these tips helpful. We have found that the minor pain of introducing regular dependency updates is more than worth the gains of reduced technical debt, new features, and increased security, and we think you will, too.

Until next time, stay up to date, friends!

Meet The Author

Rhys Arkins

Rhys Arkins is Vice President of Product Management, responsible for developer solutions at Mend.io. He was the founder of Renovate Bot – an automated tool for software dependency updating, which was acquired by Mend.io in 2019. Rhys is particularly fond of automation and a firm believer in never sending humans to do a machine’s job.