Do you use a bot to manage your project's dependencies?


Marco Alka:

Imho, if it's not broken, don't fix it.

Here's what I use for some of my libs: There are bots which only automatically update dependencies when security issues become known (I use Snyk). They create pull requests and you can handle them when you have time. If you have good CI, then every pull request should also automatically be checked (for example on Travis), so that all tests pass. That also means that you need to have extensive unit tests for your library or application.

Enguerran:

The very recent eslint-scope adventure shows us that CI and 100% test coverage are not enough to automate dependency updates, even minor versions.

Marco Alka:

Enguerran, yes, you also need devs who are strict about semver plus downstream tests (what Google does).
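A worked example of the gating described in the answer above (bot opens a PR, CI checks it) and in the follow-up about being strict about semver. This is added here and is not code from the thread, from Snyk or from Travis. It is a small Node script that diffs the `dependencies` map of two npm lockfiles (npm lockfile v1 layout assumed, i.e. `{ dependencies: { name: { version } } }`), classifies every change by semver level, and lets CI auto-merge a bot PR only when each change is within the levels your policy allows; anything else (minor or major bumps, newly added packages, downgrades) is left for a person to handle when they have time. Package names and versions (`pkg-a`, `pkg-new`, ...) are constructed placeholders.

```javascript
// Added example (not the thread's, Snyk's or Travis's code): classify the
// dependency changes in a bot PR by semver level and decide whether CI may
// merge it unattended. Assumes npm lockfile v1 layout for both inputs.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null when malformed.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Returns one of: 'major' | 'minor' | 'patch' | 'prerelease' | 'none' | 'downgrade' | 'unknown'
function bumpLevel(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  if (!a || !b) return 'unknown';
  // First non-zero difference decides direction; positive means "to" is older.
  const cmp = [a.major - b.major, a.minor - b.minor, a.patch - b.patch].find((d) => d !== 0) || 0;
  if (cmp > 0) return 'downgrade';
  if (b.major !== a.major) return 'major';
  if (b.minor !== a.minor) return 'minor';
  if (b.patch !== a.patch) return 'patch';
  if (a.pre !== b.pre) return 'prerelease';
  return 'none';
}

// Diff two lockfiles: every package that was added, removed or changed version.
function diffLock(before, after) {
  const prev = before.dependencies || {};
  const next = after.dependencies || {};
  const names = new Set([...Object.keys(prev), ...Object.keys(next)]);
  const changes = [];
  for (const name of [...names].sort()) {
    const from = prev[name] ? prev[name].version : null;
    const to = next[name] ? next[name].version : null;
    if (from === to) continue;
    let level;
    if (from === null) level = 'added';
    else if (to === null) level = 'removed';
    else level = bumpLevel(from, to);
    changes.push({ name, from, to, level });
  }
  return changes;
}

// Policy: auto-merge only when every change is within the allowed levels.
// Default allows patch bumps only; pass a wider Set to relax it deliberately.
function reviewPolicy(changes, allowed = new Set(['patch'])) {
  const needsReview = changes.filter((c) => !allowed.has(c.level));
  return { autoMerge: needsReview.length === 0, needsReview };
}

// Constructed sample lockfiles (placeholder package names, not real project data).
const LOCK_BEFORE = { dependencies: {
  'pkg-a': { version: '1.3.0' },
  'pkg-b': { version: '2.4.1' },
  'pkg-c': { version: '0.9.2' },
} };
const LOCK_AFTER = { dependencies: {
  'pkg-a': { version: '1.3.1' },   // patch bump: fine to auto-merge
  'pkg-b': { version: '2.5.0' },   // minor bump: a person should look
  'pkg-c': { version: '0.9.2' },   // unchanged
  'pkg-new': { version: '0.1.0' }, // new transitive dependency: a person should look
} };

const demo = reviewPolicy(diffLock(LOCK_BEFORE, LOCK_AFTER));
console.log(JSON.stringify(demo, null, 2));
```

In a CI job the two inputs would be the lockfile from the base branch and from the PR branch; exiting non-zero when `autoMerge` is false keeps the bot's PR open for review while still letting the test suite run on it.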