Search Hashnode

Search posts, tags, users, and pages

Comment by Marco Alka on "Do you use a bot to manage your project's dependencies?" | Hashnode

Thread

Marco Alka

Software Engineer, Technical Consultant & Mentor

Jul 11, 2018

Imho, if it's not broken, don't fix it.

Here's what I use for some of my libs: There are bots which only automatically update dependencies when security issues become known (I use Snyk). They create pull requests and you can handle them when you have time. If you have good CI, then every pull request should also automatically be checked (for example on Travis), so that all tests pass. That also means that you need to have extensive unit tests for your library or application.

Enguerran

I craft softwares

Jul 11, 2018

Before asking I made up my own conclusion and it is quite the same as yours. That's why I appreciate it.

Mark

formerly known as M

Jul 11, 2018

I was going to say the CI test thing as well, good way.

Enguerran

I craft softwares

Jul 13, 2018

The very recent eslint-scope adventure shows us that CI and 100% test coverage are not enough to automate dependency updates, even minor versions.

Marco Alka

Software Engineer, Technical Consultant & Mentor

Jul 13, 2018

Enguerran yes, you also need devs who are strict about semver plus downstream tests (what Google does)