I continue to merge dependabot for several years, so blog some knowledge.
Introduction
There are three kinds of libraries, framework, normal library, development tool.
I tried to read all CHANGE-LOG and code diff for all pull request generated by dependabot.
My goal is understanding trends what kind of changes are made.
Diff List
Here is a list of the frequently changed.
- add test
- add
CIconfiguration - update documents
- fix naming
- refactor code and fix arguments
- add new feature
My project uses major libraries, so there is a lot of conservative chanages and security fix.
refactor code and fix arguments will create a bug, so you should read CHANGE-LOG carefully.
In Framework Case
Like Rails, Laravel.
We MUST update after reading RELEASE-NOTE.
When minor updates (e.g.: ver5.1 → ver5.2), we don't need to be nervous.
When major updates (e.g.: ver5.5 → ver6), it needs to verify enough in a staging environment.
Nevertheless, there are a few bugs, so we need to verify and verify and verify.
It's easy to verify if there are static analysis or test codes.
In Normal Case
Like Faraday, Devise.
If there are no breaking changes, you can merge immediately.
In my case, there are no problems.
It's the same as framework case, you should add static analysis or test codes.
In Development Tool
Like Rubocop, EsLint.
You can merge without thinking.
We should add CI configuration tightly.
In Rubocop case, config format change frequently, so we should update regularly.
Conclusion
It's important to do the obvious thing.
It's hard to update library version, so we should do regularly.
Oldest comments (0)