Ask HN: Does frequently upgrading dependencies add real value to a product?
5 points by chaifeng 21 hours ago
Dependency upgrades are a routine part of maintaining software projects.
I’m curious to hear how different teams and individuals approach this. How do you handle frequent upgrades? Do you see it as essential, or do you take a different approach?
What has your experience been?
1. Even if you don't want to always use the latest dependencies, having the capability in reserve is important. When some emergency need pops up (e.g. massive security issue) you don't want to be trapped by a wall of your own making. So you'll at least need a pattern of prototyping and testing builds with newer dependencies, even if the builds aren't released. (Discover how to make your code forward-compatible before it becomes an emergency.)
2. As a general rule, newer means fewer security vulnerabilities, particularly if the project is careful about introducing new features versus bug-fixes. Not always, and maybe you don't want super-bleeding edge releases, but mostly.
3. I've worked in some areas with bureaucratic or governmental impediments, where you want to avoid things that might trigger re-testing or re-certification. That's a reason not to upgrade much, but it does mean you need to actually read the changelogs etc. and have some sort of process for noticing when something is important enough.
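As an added illustration of points 1 and 3 in the comment above (this is example code, not something the commenter or anyone in the thread posted): a small stdlib-only Python triage script that reads a pinned lockfile, reports which pins are behind the index, which pins fall inside an advisory range, the minimal "emergency" bumps needed to clear advisories above a severity threshold, and the unpinned-to-latest requirements a scheduled, unreleased canary build could use to surface forward-compatibility breakage early. The package names, versions, advisory IDs and the "latest version" index are all constructed for the example; versions are assumed to be plain dotted integers, so a real tool would swap in `packaging.version` for full PEP 440 handling.

```python
"""Dependency-upgrade triage over a pinned lockfile (added example, not from the thread).

Assumptions, all constructed for this example: a pip-style requirements.txt with
exact "name==version" pins, plain dotted-integer versions, and an inline
"latest" index plus advisory list standing in for a live registry and feed.
Package names and advisory IDs are fictional.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    """Vulnerable version range [introduced, fixed) for one package."""
    id: str
    package: str
    introduced: str
    fixed: str
    severity: str


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so tuples compare numerically.
    Assumption: dotted integers only (no rc/dev suffixes)."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def parse_pins(lockfile: str) -> dict:
    """Read 'name==version' lines; skip blanks and comments; reject loose specs."""
    pins = {}
    for raw in lockfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"not an exact pin: {raw!r}")
        name, version = (s.strip() for s in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def outdated(pins: dict, latest: dict) -> dict:
    """Pins behind the index: name -> (pinned, latest)."""
    return {
        name: (ver, latest[name])
        for name, ver in pins.items()
        if name in latest and parse_version(ver) < parse_version(latest[name])
    }


def vulnerable(pins: dict, advisories: list) -> list:
    """(name, pinned, advisory) for every pin inside an advisory's range."""
    return [
        (adv.package, pins[adv.package], adv)
        for adv in advisories
        if adv.package in pins and is_affected(pins[adv.package], adv)
    ]


def emergency_pins(pins: dict, advisories: list, min_severity: str = "high") -> dict:
    """Smallest bump that clears each advisory at or above min_severity:
    name -> fixed version. Bump only what the emergency requires."""
    needed = {}
    for name, _pinned, adv in vulnerable(pins, advisories):
        if SEVERITY_RANK[adv.severity] < SEVERITY_RANK[min_severity]:
            continue
        if name not in needed or parse_version(adv.fixed) > parse_version(needed[name]):
            needed[name] = adv.fixed
    return needed


def canary_requirements(pins: dict, latest: dict) -> str:
    """Requirements for an unreleased 'newest everything' build that a scheduled
    CI job can compile and test to find forward-compat breakage early."""
    return "\n".join(f"{name}=={latest.get(name, ver)}" for name, ver in sorted(pins.items()))


# Constructed sample data: fictional packages, versions and advisory IDs.
LOCKFILE = """\
# constructed lockfile for the example
libfoo==3.1.0
netparse==2.3.0
tinyjson==1.0.4
"""
LATEST = {"libfoo": "3.1.0", "netparse": "2.4.2", "tinyjson": "1.0.5"}
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "netparse", "2.0.0", "2.4.1", "critical"),
    Advisory("ADV-EXAMPLE-0002", "tinyjson", "1.0.0", "1.0.5", "low"),
]


def triage_report(lockfile: str = LOCKFILE, latest: dict = LATEST,
                  advisories: list = ADVISORIES) -> dict:
    pins = parse_pins(lockfile)
    return {
        "outdated": outdated(pins, latest),
        "vulnerable": [(n, v, a.id) for n, v, a in vulnerable(pins, advisories)],
        "emergency_pins": emergency_pins(pins, advisories, "high"),
        "canary": canary_requirements(pins, latest),
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

The severity threshold in `emergency_pins` is where the "is this important enough to trigger re-testing" decision from point 3 gets encoded; lowering it to `"low"` turns the low-severity tinyjson advisory into a required bump as well. The `canary_requirements` output is meant to feed a scheduled build that is never shipped, which is the "capability in reserve" from point 1.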