Recently, I spent some time cleaning up security vulnerabilities in one of my side projects.
It started when GitHub Dependabot flagged multiple high-severity issues across both frontend and backend dependencies — including packages like axios, react-router, cloudinary, qs, and more.
At first glance, it’s easy to just hit “merge all” or ignore these alerts altogether.
But instead of doing blind upgrades, I decided to slow down and handle things properly.
What I actually did
- Reviewed each Dependabot PR one by one
- Prioritized high-risk and direct dependencies first
- Merged fixes incrementally instead of everything at once
- Checked changelogs to avoid breaking changes
After updating the dependencies, I verified the application on the live deployment to make sure everything was still working as expected — no broken auth, no routing issues, no surprises.
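The triage order above (severity first, direct dependencies before transitive ones, non-breaking fixes before semver-major bumps) can be turned into a small script. The following is an added example and not code from the original post or project; it assumes the `vulnerabilities` map shape produced by `npm audit --json` on npm 7+, where `fixAvailable` is either a boolean or an object carrying `isSemVerMajor`, and all package data below is constructed for illustration.

```javascript
// Added example (not from the original post): rank audit findings so that
// high-severity, direct dependencies are reviewed first, then split them into
// "merge now" vs "read the changelog first" batches.
// Assumed input shapes: package.json and the `vulnerabilities` map from
// `npm audit --json` (npm 7+). All values below are constructed samples.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed package.json fragment: these are the project's direct deps.
const packageJson = {
  dependencies: { axios: "^0.21.1", express: "^4.17.1", cloudinary: "^1.23.0" },
  devDependencies: { "react-router": "^5.2.0" },
};

// Constructed subset of `npm audit --json` output.
const auditReport = {
  vulnerabilities: {
    axios: { name: "axios", severity: "high", isDirect: true, fixAvailable: true, range: "<0.21.2" },
    qs: { name: "qs", severity: "high", isDirect: false, fixAvailable: true, range: "<6.7.3" },
    cloudinary: {
      name: "cloudinary", severity: "moderate", isDirect: true, range: "<1.41.0",
      fixAvailable: { name: "cloudinary", version: "1.41.0", isSemVerMajor: false },
    },
    "react-router": {
      name: "react-router", severity: "high", isDirect: true, range: "<6.0.0",
      fixAvailable: { name: "react-router", version: "6.0.0", isSemVerMajor: true },
    },
    minimist: { name: "minimist", severity: "low", isDirect: false, fixAvailable: false, range: "<1.2.6" },
  },
};

// Names declared directly in package.json (runtime and dev dependencies).
function directDependencies(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// Normalise each finding and sort: severity desc, direct before transitive,
// non-breaking fixes before semver-major ones, then by name for stability.
function prioritize(report, pkg) {
  const direct = directDependencies(pkg);
  return Object.values(report.vulnerabilities)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: direct.has(v.name) || Boolean(v.isDirect),
      fixable: Boolean(v.fixAvailable),
      breaking: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
      vulnerableRange: v.range,
    }))
    .sort(
      (a, b) =>
        (SEVERITY_RANK[b.severity] ?? 0) - (SEVERITY_RANK[a.severity] ?? 0) ||
        Number(b.direct) - Number(a.direct) ||
        Number(a.breaking) - Number(b.breaking) ||
        a.name.localeCompare(b.name)
    );
}

// Split the ranked list into incremental batches: safe bumps can be merged
// one at a time straight away, major bumps need a changelog read first, and
// findings without a fix need a workaround or an upstream issue.
function planBatches(ranked) {
  return {
    mergeNow: ranked.filter((r) => r.fixable && !r.breaking),
    reviewChangelog: ranked.filter((r) => r.fixable && r.breaking),
    noFix: ranked.filter((r) => !r.fixable),
  };
}

const ranked = prioritize(auditReport, packageJson);
const plan = planBatches(ranked);
console.log("Ranked:", ranked.map((r) => `${r.name} (${r.severity}, ${r.direct ? "direct" : "transitive"})`));
console.log("Merge now:", plan.mergeNow.map((r) => r.name));
console.log("Read changelog first:", plan.reviewChangelog.map((r) => r.name));
console.log("No fix available:", plan.noFix.map((r) => r.name));
```

With the constructed data the ranking comes out as axios, react-router, qs, cloudinary, minimist: axios and react-router are both direct and high, but react-router's fix is a major version bump, so it lands in the changelog-review batch while axios, qs and cloudinary can be merged one PR at a time.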
Result
The app is live and running smoothly after the updates:
👉 https://chat-app-one-sable-62.vercel.app/login
This wasn’t flashy work. No new UI. No new features.
But keeping dependencies secure is a core part of building real, reliable applications, especially when the project is already live.
Tech stack
- React
- Node.js
- Express
- Socket.io
- GitHub (Dependabot)
- Vercel
If you’re working on side projects, don’t ignore security alerts.
Small fixes today can save you from big problems later.