A reasonably large Node application will have 100's of dependencies. Keeping them all updated is a 🧹chore a developer needs to perform at some poin...
For further actions, you may consider blocking this person and/or reporting abuse
Automatically updating dependencies can be a bad practice but it doesn't have to be.
You are right. Having old dependencies can be bad. Doing the work takes time.
Some pitfalls can be:
1) You don't have any tests and you don't even know that your app/website is broken. Just because something builds does not mean that it works.
2) Testing the client code can be hard. You need to run e2e tests
3) If it is only about security problems then you should use
npm audit
.4) Dependencies can introduce breaking changes and you don't even know it.
So yeah make sure you have a really good testing scenario before you automate dependency updating.
Great tip, this is awesome!
Only thing I will suggest is that integration or e2e tests might be better for this purpose, since unit tests often mock out their dependencies.
GitHub also merged in Dependabot, which does the same thing, but also opens a PR for new updates.
I'm second that tests only cover every scenerio in an ideal world. You can auto update your deps, but I recommend to do that in dev environment. Never tinker with production at first.
Yes, and make sure you have some way to revert to older versions in case something breaks up (or be ready to spend a good amount to time to fix your software).
Nice Read @dennismphil .
This might be a problem with dependencies that their updates introduces breaking changes.