When working with dependencies in dev mode, I use mr-developer which allows to use a given git tag or branch of a dependency directly into the project instead of an actual NPM package.
Thanks Eric, I did not know aboyut python/mr.developer. We should take a look at nodejs/mr.developer to adapt it to our development flow.
Even if it did not answer the question in application maintenance: when and how do you update your dependencies?
And corollary: what should be the commit message prefix? fix? feat? core? I vote feat as it change production code.