When it comes to bugs in your dependencies, there are two main areas that represent a cause for concern – and, to a certain extent, these are two warring forces that can make it difficult for you to find a strong solution.
Dependency Update Issues
On the one hand, existing bugs in indirect dependencies are the more insidious force. You may not even be aware that they are there, even if your users felt the consequences. In many instances, they can be difficult to identify until a patch is released – at which point, the second issue can (and does) arise.
When a benign patch is released to address a dependency bug, you can become the update’s unintended victim. Builds can be broken, and projects can be derailed, which results in significant downtime as you work to rectify the issue brought on by the latest update – or, if you have been stalling for a while, multiple updates descending on your dependencies at once.
Modernise npm Management
Preventing automatic updates from derailing your projects is an excellent way of ensuring that everything can continue running as it should.
Locking files will prevent this from happening and ensure that the entire team is working on the same version of a dependency – although it will prevent you from identifying any missed bugs and patching them before they cause an issue on your end.
The secret to ensuring efficient dependency management is to follow an automated npm update process. As an industry tool, automated npm package updates are relatively new. Still, they offer a much more reliable, labor-saving, and time-efficient alternative to manually scanning, extracting, and implementing dependency updates from third parties.
Rather than manually trawling for updates and putting each one through by hand, an automated process can organize updates to ensure that issues are addressed before they derail the project.
The Bottom Line
The issue is clear. Bugs cannot be left to fester, but patch releases represent an entirely new issue to your builds. A solution needs to be in a place that effectively manages updates and patch releases as and when they arise, without rendering you responsible for addressing them extemporaneously.
Choosing to update dependencies automatically will often entail some unwanted – and time-wasting – side effects. Whether you choose to delay updates entirely until you are operating with old vulnerabilities in one camp and a slew of pending updates in the other, or invest too much time into testing new updates (or mitigating the impact of one that breaks your build), a manual approach is not only outdated but highly inefficient.
Taking a more modern approach to npm dependency update management will ensure that you can stay on top of patches and updates without investing hours into the process. By putting a trustworthy testing process in place for each file, you can deal with Pull Requests as and when they arise – and, by extension, address vulnerabilities before they impact your build.
If not, you risk the almost-inevitable run-in with a bug or vulnerability and the downtime associated with manually trawling through old updates until the issue can be rectified.
Last Updated on February 3, 2021.