Do you use a bot to manage your project's dependencies?

RE:

Imho, if it's not broken, don't fix it.

Here's what I use for some of my libs: There are bots which only automatically update dependencies when security issues become known (I use Snyk). They create pull requests and you can handle them when you have time. If you have good CI, then every pull request should also automatically be checked (for example on Travis), so that all tests pass. That also means that you need to have extensive unit tests for your library or application.


Enguerran, yes, you also need devs who are strict about semver, plus downstream tests (what Google does).
