Dependency Update Strategies

This cluster collects debates about best practices for managing and updating software dependencies: the risk of breaking changes, security vulnerabilities in stale dependencies, version pinning, periodic review of what you depend on, and tools like Dependabot.

➡️ Stable 0.6x · DevOps & Infrastructure
Comments: 3,678
Years Active: 19
Top Authors: 5
Topic ID: #9277

Activity Over Time (comments per year)

Year  Comments
2008  1
2009  1
2010  4
2011  18
2012  9
2013  45
2014  81
2015  97
2016  226
2017  160
2018  246
2019  244
2020  282
2021  417
2022  562
2023  359
2024  380
2025  526
2026  20

Keywords

e.g, meta.yaml, XYZ, CI, i.e, lock.yaml, E.g, HEAD, package.json, CD, dependencies, update, dependency, security updates, version, npm, bug, updating

Sample Comments

mffnbs Aug 8, 2019 View on HN

Why are developers mindlessly upgrading major versions of dependencies and expecting everything to be okay?

ahoka Dec 28, 2023 View on HN

Years? After one year, something amongst the hundreds of deps will have a horrible security vulnerability and updating means breaking changes.

detaro Sep 15, 2020 View on HN

Why do your dependencies break your project all the time that it needs updates itself?

doubleunplussed Dec 13, 2019 View on HN

Yeah, I mean what's the alternative? Your code will bit rot if you don't keep up. You don't have a living software project if you don't do this. You should read the release notes of the new version of your dependency, fix any obvious issues from that, see if your tests pass, and wait for bug reports to roll in for non-obvious things not caught by automated tests. Ideally you should do this before the new release of the dependency hits the repos of the distros most of your u

triceratops Aug 11, 2020 View on HN

Update all your dependencies periodically - monthly, quarterly, whatever. Freeze dependencies in the meanwhile.

arccy Aug 19, 2025 View on HN

No technical solution is going to save you from an upstream going rogue and you blindly updating. The only way is to properly review your dependencies.
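
As an added example (not code from the thread or from any of the commenters), here is a small Python triage script for the workflow triceratops and mffnbs describe: keep exact pins between updates, then at the periodic bump diff the current pins against the proposed ones and sort each change into patch, minor, major, downgrade, added, removed or unpinned, so that major bumps, new packages and range specifiers go to a human instead of an automatic merge. It does not replace the review arccy calls for; it only decides what has to be looked at. The two package.json fragments, the package names and the version numbers are constructed for illustration, and the choice of which kinds are auto-mergeable is an assumed policy.

```python
"""Triage a proposed dependency bump before merging it.

Added example, not code from the thread: given the current pinned
dependencies and the proposed ones (here two constructed package.json
fragments), classify every change so that major bumps, downgrades, new
packages and anything that is not an exact pin get a human review.
"""
import json
import re
from dataclasses import dataclass

# Exact "x.y.z" pin with an optional pre-release/build suffix. Range specifiers
# such as "^1.3.0", "~1.3.0", "1.x" or "latest" deliberately do not match.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

# Changes in this set are safe for an automated (e.g. Dependabot) merge once CI
# passes; everything else is routed to review. This is an assumed policy.
AUTO_OK = {"unchanged", "patch", "minor"}

# Constructed sample input: the committed manifest and the bump a bot proposes.
CURRENT_PACKAGE_JSON = """{
  "dependencies": {"express": "4.18.2", "lodash": "4.17.20", "left-pad": "1.3.0"},
  "devDependencies": {"yargs": "17.7.2"}
}"""
PROPOSED_PACKAGE_JSON = """{
  "dependencies": {"express": "5.0.0", "lodash": "4.17.21", "left-pad": "^1.3.0",
                   "chalk": "5.3.0"},
  "devDependencies": {"yargs": "17.7.2"}
}"""


@dataclass
class Change:
    name: str
    old: str
    new: str
    kind: str  # patch | minor | major | downgrade | unchanged | unpinned | added | removed


def load_deps(package_json_text):
    """Merge dependencies and devDependencies into one name -> spec mapping."""
    doc = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(doc.get(section, {}))
    return deps


def parse_semver(spec):
    """Return (major, minor, patch) for an exact pin, or None for a range/tag.
    Pre-release tags are ignored for the comparison."""
    m = SEMVER_RE.match(spec.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(old, new):
    """Name the kind of version change between two specs."""
    o, n = parse_semver(old), parse_semver(new)
    if o is None or n is None:
        return "unpinned"       # a range crept in: the next install is not reproducible
    if n == o:
        return "unchanged"
    if n < o:
        return "downgrade"      # suspicious in a bump; often a bad lockfile merge
    if n[0] != o[0]:
        return "major"          # breaking changes allowed by semver: read the release notes
    if n[1] != o[1]:
        return "minor"
    return "patch"


def triage(current, proposed):
    """Diff two name -> spec mappings into a sorted list of Change records."""
    changes = []
    for name in sorted(set(current) | set(proposed)):
        old, new = current.get(name), proposed.get(name)
        if old is None:
            kind = "added"      # a new direct dependency: review its maintainers and scope
        elif new is None:
            kind = "removed"
        else:
            kind = classify(old, new)
        changes.append(Change(name, old or "-", new or "-", kind))
    return changes


def needs_review(changes):
    """Everything that must not be auto-merged."""
    return [c for c in changes if c.kind not in AUTO_OK]


def report(changes):
    """Human-readable summary, one line per change, review items marked with '!'."""
    lines = []
    for c in changes:
        flag = " " if c.kind in AUTO_OK else "!"
        lines.append(f"{flag} {c.kind:<9} {c.name:<10} {c.old} -> {c.new}")
    return "\n".join(lines)


if __name__ == "__main__":
    changes = triage(load_deps(CURRENT_PACKAGE_JSON), load_deps(PROPOSED_PACKAGE_JSON))
    print(report(changes))
    # Exit non-zero so a CI step can block the auto-merge until someone looks.
    raise SystemExit(1 if needs_review(changes) else 0)
```

Run as a CI step on the bot's branch, the non-zero exit blocks the merge whenever the bump contains a major version change, a new package, a downgrade or a range specifier; patch and minor bumps still depend on the test suite passing, which is the part of the work that cannot be scripted away.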

superuser2 Feb 16, 2016 View on HN

> frequently change without notice

Unless you are doing something so spectacularly, mind-blowingly irresponsible in your dependency management that changes just come in of their own accord (i.e. Go's defaults), no they don't. They change when you choose to vendor the new version or change the pinned version number. It's true that your dependencies won't get security updates until you decide to upgrade, but other people are certainly not writing security updates for your

peterbozso Dec 19, 2019 View on HN

You get more benefits from updating your dependencies than "just" bugfixes. There can be performance improvements or security updates in new releases. If you have a proper CI/CD pipeline and test environment(s) in place, it shouldn't be too much work. (Of course it highly depends on your domain.) Then the benefits clearly outweigh the extra effort.

necovek Apr 27, 2024 View on HN

I don't think it's as simple as that. Some of the modern ecosystems have gone entirely bonkers (think nodejs/npm): hundreds and thousands of dependencies for the simplest of things, basically an unmanageable "supply chain". Sure, we can talk about what a good approach to updating and dependency hygiene is, how packages should "freeze" their dependencies, how breaking changes should be communicated through version numbers (or not), but we've seen the ri

s_ting765 Sep 11, 2025 View on HN

Security/dependency updates depend solely on the specific maintainers. The platform itself doesn't automatically fix the developer or maintainer lethargy in this regard.