3rd party dependencies update strategy in big projects

I am trying to get some input from people working on large projects with many devs involved about how you manage your 3rd party dependencies.
Let me be more specific:
Let’s say that in our organization we are working on several big projects, some are infrastructure projects that are consumed and used by other projects.
Naturally, all projects have 3rd party dependencies and you need to update them at some point.
What is your strategy?
The considerations are (if you have other, please do tell):

  1. security - you don’t want to stay with old versions
  2. same but simply to get the latest bug fixes and updates
  3. you might break often if you keep updating every build for example
  4. when you update your infra projects, you might break the dependent projects that are using you as a dependency.

What is your strategy?

  • Do you update each time you build and handle breakage as it occurs?
  • Do you have a “scheduled event” for updating libraries? If so, how often?
  • You only update when something demands it (security alert, required feature, another library requires it, etc…)
  • Something else?

Thanks!

The freeCodeCamp repository has a thing called Dependabot that makes these checks and opens PRs when there is a new version of something available, and also makes security alerts.

Maybe something like that can help you?
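For anyone weighing the “scheduled event” option against “update every build”, here is what the bot mentioned above is configured with. This is an added example, not freeCodeCamp's actual configuration; it assumes an npm project with `package.json` at the repository root and uses a placeholder library name. The file lives at `.github/dependabot.yml`.

```yaml
# Added example configuration for Dependabot (not freeCodeCamp's own file).
# Assumption: npm project, package.json at the repository root.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    # The "scheduled event": one batch of version-update PRs per week.
    # Security updates are enabled separately in the repository settings
    # and are raised when an advisory appears, not on this schedule.
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open update PRs so a big project is not flooded.
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Hold back major bumps for an infra library whose upgrade needs planning;
    # minor and patch releases still arrive automatically.
    ignore:
      - dependency-name: "example-infra-lib"   # placeholder, not a real package
        update-types: ["version-update:semver-major"]
  # Keep the CI workflow actions current as well, on a slower cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

With this in place the process is the continuous one described above: each PR runs the project's CI, a green build means the update can be merged, a red build is the signal that manual work is needed, and the `ignore` rule is where you park the updates you know will break dependent projects until they are planned.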

Very nice, so just to step back from the technical details and look at the process:
this means that the update process is automatic and continuous, correct?
And I guess if something breaks then some manual intervention is needed to make this happen, but if all is well, then some build will be green and the PR can be approved.

Is this the idea?

I have not used it myself, but the bot can automate a lot; it also says which changes are breaking changes so you can plan accordingly (making the changes in the projects or even avoiding the updates).

Also, it detects if you update something manually and closes the PR. If you want to see it in action, the freeCodeCamp repository uses it.