You have multiple projects going on, and if you always keep them updated to the latest version, sometimes you spend some precious time trying to figure out what broke your build and why (after the update).
Normally when I update I run npm-update, which is a package that searches for the latest versions of all your dependencies.
I don't know if this is a good practice, but I like to always keep my dependencies at the latest version.
So... how do you manage this?
Short answer: dependabot.com/
(Has been acquired by GitHub itself)
Creates a pull request whenever a new version gets released and also gives you an estimated value of compatibility. If you've got CI workflows set up in your project, every new PR would trigger your CI pipeline, and if your update broke something, the PR would be marked as failed. I personally never run npm-update as it updates all at once and it is a pain to pinpoint specific errors.
I don't know of any way to handle this without putting your code on a hosting platform like github/gitlab.
I use and have used renovate on both github and gitlab.
Another option is dependabot that Alexander mentions, but I don't think they support anything other than GitHub yet.
Good call, completely forgot about renovate! That's an option too
We launched pmbot.io just for that purpose, but it's compatible with more than npm! It works with Go and Maven, and you can extend it to any language with a simple plugin. You can connect your private GitLab and GitHub. The bot can automatically merge updates that pass your CI, and you can configure it to execute any action plugin you'd like. You can self-host it (docs.pmbot.io/core/installation) or use the cloud version.
I don't. If there is a safe update I just rely on GitHub's dependabot. In cases where my app is based around a single library like 'gifted chat', I would subscribe to stable releases. Then I just bump up to the latest version in package.json, test it, and if all is good, push to production.
I just let dependabot do its thing on GitHub since that is where the majority of my projects are anyway. I very rarely manually update all of the dependencies in a project to the latest version, because you might accidentally break something; it is very easy for there to be incompatibility issues.
In general, I tend not to update packages unless there are vulnerabilities (security exploits, etc) or new features that the project needs, from a business standpoint.
There are way too many updates that provide 0 business value and can cause compatibility issues. IMO it's always best to consider the rate of diminishing return in these situations.
Periodically. :)
It's a package: npmjs.com/package/npm-check-updates
Yes! I do this as well. I like that, compared to npm outdated, it also updates your dependencies in package.json, and then you just install the packages.
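As an added example (not code from this thread, nor from npm-update, npm-check-updates or any other tool named in it), the script below reads the JSON that npm outdated --json prints and sorts packages into patch, minor and major batches, so that when a build breaks after an update the cause can be pinned to a small batch instead of everything at once; the embedded sample output is constructed, and the package names and versions in it are made up.

```python
import json

# Constructed stand-in for `npm outdated --json` output; versions are made up.
SAMPLE_OUTDATED = json.dumps({
    "express": {"current": "4.17.1", "wanted": "4.18.2", "latest": "4.18.2"},
    "lodash": {"current": "4.17.20", "wanted": "4.17.21", "latest": "4.17.21"},
    "react": {"current": "17.0.2", "wanted": "17.0.2", "latest": "18.2.0"},
    "next": {"current": "13.4.0", "wanted": "13.5.1", "latest": "14.0.0-canary.3"},
})

def parse_semver(version):
    """Return (major, minor, patch); prerelease and build tags are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # tolerate "1.2" style versions
    return tuple(parts[:3])

def bump_kind(current, target):
    """Classify the jump from current to target as none/patch/minor/major."""
    c, t = parse_semver(current), parse_semver(target)
    if t <= c:
        return "none"
    if t[0] != c[0]:
        return "major"
    if t[1] != c[1]:
        return "minor"
    return "patch"

def triage(outdated_json):
    """Group outdated packages into install commands by bump kind.

    `npm outdated --json` prints `{}` (or nothing on older npm) when everything
    is current, so empty input means no outdated packages.
    """
    data = json.loads(outdated_json) if outdated_json.strip() else {}
    batches = {"patch": [], "minor": [], "major": []}
    for name, info in sorted(data.items()):
        # Never auto-pick a prerelease "latest"; fall back to the in-range "wanted".
        target = info["wanted"] if "-" in info["latest"] else info["latest"]
        kind = bump_kind(info["current"], target)
        if kind != "none":
            batches[kind].append(f"npm install {name}@{target}")
    return batches

if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTDATED
    print(json.dumps(triage(raw), indent=2))
```

Run it as `npm outdated --json | python3 triage.py` on a real project; without piped input it falls back to the constructed sample.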