
Ben Halpern

How consistently does your organization update dependencies?

When the software you use releases a new version, how does your organization go about upgrading, whether it's your core framework or smaller dependencies?

How long do you typically go before you get on the latest versions?

Latest comments (21)

Yogesh Singh

We do that rarely, I mean until and unless there's no major bug or feature update that we need.

Brian Schalme

At my most recent client engagement, I would check every couple weeks. As the Lead Developer, I would have the development team update the dependencies the next time the code was opened up for change.

Kedar Joshi

In my organization, the answer varies from project to project. Some of the projects haven't had a dependency update in the last 2 years and they are still in active development.

Some projects update their dependencies on an hourly basis, i.e. as soon as it's released. This is possible because these projects have a bleeding-edge branch which runs CI jobs with the latest versions of all dependencies.

Natasha Whitter

We don't have a process, but I tend to do most of the dependencies/framework updates (I dislike being too many versions down from the newest build). Usually, I do this every couple of months.

Jesse M. Holmes

I don't understand the question. 😂

Alan Barr

Usually never unless someone is passionate about it. I watch this video and I lament that reaching this nirvana is unlikely. youtube.com/watch?v=j6ow-UemzBc

Oles Maiboroda

We've found a sweet spot in monthly updates for mid-sized, frontend projects.
I wrote a small post about it last week: dev.to/omaiboroda/try-to-update-yo...

Vladimir Jovanović • Edited

For the part of the project that I'm working on - every day. I've made it my morning routine: I make coffee, sit at the computer and then check for updates for 97 NPM packages in our package.json.

  • Patch versions are updated without additional checks
  • Minor versions are run through the testing framework and build process
  • For major versions, I always check the changelog and breaking changes on GitHub. These are not resolved routinely, so I create an issue and resolve it as soon as time permits.

I check and update package.json with a very convenient script, npm-check-updates.
So far, this approach has worked great, since we never had to worry about out-of-date dependencies.

When you do this regularly, there is no headache afterwards ;)
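
The patch/minor/major routine described in the comment above, sketched as an added example that is not part of the original comment: it classifies each update by semver bump level and maps it to the matching action. Package names, versions and the `ACTIONS` labels are constructed; treating 0.x minor bumps as major, skipping pre-releases and flagging downgrades are assumptions that go beyond what the comment states.

```javascript
// Added example (not from the thread): triage updates by semver bump level.
// Parses "1.2.3" / "1.2.3-beta.1", tolerating a leading ^, ~ or v.
function parseVersion(raw) {
  const re = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(raw).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function bumpLevel(current, latest) {
  const a = parseVersion(current), b = parseVersion(latest);
  if (!a || !b) return "unparsable";            // "*", "latest", git URLs, ...
  if (b.pre) return "prerelease";               // never auto-adopt a pre-release
  if (b.major !== a.major) return b.major > a.major ? "major" : "downgrade";
  if (b.minor !== a.minor) {
    if (b.minor < a.minor) return "downgrade";
    return a.major === 0 ? "major" : "minor";   // assumption: 0.x minors may break
  }
  if (b.patch !== a.patch) return b.patch > a.patch ? "patch" : "downgrade";
  return a.pre ? "minor" : "none";              // 1.0.0-rc.1 -> 1.0.0: run the tests
}

// Action labels are hypothetical; the first three follow the comment's routine.
const ACTIONS = {
  patch: "update",
  minor: "update-then-run-tests-and-build",
  major: "open-issue-and-read-changelog",
  prerelease: "skip",
  downgrade: "investigate",
  unparsable: "investigate",
};

// Compares the declared version (range prefix ignored) with the newest release.
function triage(current, latest) {
  return Object.keys(current)
    .filter((name) => name in latest)
    .map((name) => {
      const level = bumpLevel(current[name], latest[name]);
      return { name, from: current[name], to: latest[name], level, action: ACTIONS[level] };
    })
    .filter((row) => row.level !== "none");
}

// Constructed sample data: package names and versions are made up.
const CURRENT = { "example-ui": "^4.2.1", "example-http": "~2.3.0", "example-parser": "0.8.4",
                  "example-cli": "1.5.0", "example-log": "3.0.0", "example-legacy": "2.1.0" };
const LATEST = { "example-ui": "4.2.3", "example-http": "2.5.0", "example-parser": "0.9.0",
                 "example-cli": "3.0.0", "example-log": "3.0.0", "example-legacy": "2.0.9" };
console.log(triage(CURRENT, LATEST));
```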

Ben Greenberg

Dependabot review and merge daily. We then make new releases of our open-source SDKs and tools as needed, not daily, unless it's a major vulnerability issue then it'll get a release cut asap.

Alex Lohr

We have a renovate bot to do that for us... unless something breaks, like for example enzyme compatibility with react 17 (we still have some old components using it for testing, but we'll be removing both them and enzyme at some point, but currently it's a blocker). So the longest should be probably 1-2 months.