Dependency Management | Security & Updates
Keep dependencies healthy and secure with strategic updates and vulnerability tracking. GitScrum helps plan regular dependency reviews as maintenance work.
Dependencies are both assets and liabilities. GitScrum helps teams track dependency work and maintain healthy package ecosystems.
Dependency Strategy
Update Philosophy
DEPENDENCY UPDATE APPROACH:

  UPDATE TYPES:

  SECURITY PATCHES:
    Priority: Immediate
    Example: lodash 4.17.20 → 4.17.21 (CVE fix)
    Timeline: Same day or next business day
    Process: Fast-track, minimal testing

  MINOR/PATCH UPDATES:
    Priority: Regular maintenance
    Example: react 18.2.0 → 18.2.1
    Timeline: Weekly or bi-weekly batch
    Process: Normal testing, grouped updates

  MAJOR UPDATES:
    Priority: Planned
    Example: react 17 → 18
    Timeline: Dedicated sprint or epic
    Process: Full testing, migration guide review

  ANTI-PATTERNS:

    ✗ "Update all the things" randomly
    ✗ Never update (version freeze)
    ✗ Major updates without planning
    ✗ Ignoring security alerts

    ✓ Regular, small, tested updates
    ✓ Prioritize security
    ✓ Plan major migrations
    ✓ Automate where possible
Security Updates
Vulnerability Management
SECURITY VULNERABILITY WORKFLOW:

  VULNERABILITY DETECTED:

    HIGH: lodash < 4.17.21
    CVE-2021-23337
    Prototype pollution vulnerability
    Fix: Update to 4.17.21+
    Affected: package-lock.json

  SEVERITY RESPONSE:

    CRITICAL/HIGH:
      • Assess: Is it exploitable in our usage?
      • If yes: Fix immediately (same day)
      • If no: Fix within 1 week
      • Create urgent task in GitScrum

    MEDIUM:
      • Fix within sprint or next sprint
      • Include in regular maintenance

    LOW:
      • Include in next dependency batch
      • Don't ignore, but lower priority

  GITSCRUM SECURITY TASK:

    SEC-123: Update lodash (CVE-2021-23337)

    Priority: Critical
    Labels: security, dependency
    Due: Today

    CVE: CVE-2021-23337
    Severity: High
    Current: 4.17.20
    Target: 4.17.21
    Risk: Prototype pollution

    [ ] Update dependency
    [ ] Run tests
    [ ] Deploy
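The severity-response rules above can be applied mechanically to the JSON that `npm audit --json` prints, turning each finding into a tracker task with the due date the tier demands. The following Node.js script is an added example, not GitScrum code: SAMPLE_AUDIT is constructed in the shape of npm 7+ audit output (only the lodash details, CVE-2021-23337 and 4.17.20 → 4.17.21, come from this page; the other two entries are illustrative, and the `cve` field on `via` entries is added so the task title can carry it, where real npm output points at an advisory URL instead). The "is it exploitable in our usage?" judgement stays human and is passed in as a set of package names.

```javascript
// Added example (not GitScrum code): triage `npm audit --json` findings into the
// page's severity tiers. SAMPLE_AUDIT is CONSTRUCTED in the shape of npm 7+ output.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'high', isDirect: true, range: '<4.17.21',
      // `cve` is not a real npm field; added here for the task title.
      via: [{ name: 'lodash', title: 'Prototype pollution', range: '<4.17.21', cve: 'CVE-2021-23337' }],
      fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false },
    },
    'example-dev-tool': {
      name: 'example-dev-tool', severity: 'moderate', isDirect: true, range: '<2.0.0',
      via: [{ name: 'example-dev-tool', title: 'Regular expression denial of service', range: '<2.0.0' }],
      fixAvailable: true,
    },
    'example-transitive': {
      // Vulnerable only because it depends on example-dev-tool: `via` holds a
      // package name (string) rather than an advisory object.
      name: 'example-transitive', severity: 'moderate', isDirect: false, range: '*',
      via: ['example-dev-tool'], fixAvailable: true,
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

function addDays(isoDate, days) {
  const d = new Date(`${isoDate}T00:00:00Z`);
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

// Apply the SEVERITY RESPONSE rules and emit one tracker task per finding.
// `reachable` is the human assessment "is it exploitable in our usage?", given
// as the set of package names whose vulnerable code paths the application hits.
function triageAudit(audit, { today, reachable }) {
  const findings = Object.values(audit.vulnerabilities)
    // Entries whose `via` holds only strings are fixed by fixing the package
    // they point at, so they get no task of their own.
    .filter((v) => v.via.some((entry) => typeof entry === 'object'))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);

  return findings.map((vuln, i) => {
    const advisory = vuln.via.find((entry) => typeof entry === 'object');
    let tier, due, window;
    if (vuln.severity === 'critical' || vuln.severity === 'high') {
      tier = 'CRITICAL/HIGH';
      if (reachable.has(vuln.name)) { due = today; window = 'same day'; }
      else { due = addDays(today, 7); window = 'within 1 week'; }
    } else if (vuln.severity === 'moderate') {
      tier = 'MEDIUM'; due = null; window = 'current or next sprint';
    } else {
      tier = 'LOW'; due = null; window = 'next dependency batch';
    }
    return {
      id: `SEC-${i + 1}`, // illustrative numbering; the tracker assigns real ids
      title: `Update ${vuln.name}${advisory.cve ? ` (${advisory.cve})` : ''}`,
      tier, severity: vuln.severity, due, window,
      vulnerableRange: vuln.range,
      target: typeof vuln.fixAvailable === 'object' ? vuln.fixAvailable.version : null,
      risk: advisory.title,
      labels: ['security', 'dependency'],
      checklist: ['Update dependency', 'Run tests', 'Deploy'],
    };
  });
}

const TASKS = triageAudit(SAMPLE_AUDIT, { today: '2024-02-05', reachable: new Set(['lodash']) });
console.log(JSON.stringify(TASKS, null, 2));
```

On real output, pipe `npm audit --json` into the script and replace SAMPLE_AUDIT with the parsed document; the transitive-only filter is what keeps one upstream advisory from producing a dozen duplicate tasks.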
Regular Maintenance
Dependency Review Process
MONTHLY DEPENDENCY REVIEW:

  DEPENDENCY REVIEW TASK (Monthly):

    MAINT-Q1-02: February Dependency Review

    Checklist:
      [ ] Run npm audit / yarn audit
      [ ] Review GitHub Dependabot alerts
      [ ] Check for available minor updates
      [ ] Review deprecated packages
      [ ] Update batch of low-risk packages
      [ ] Document any deferred updates

  REVIEW CHECKLIST:

    1. SECURITY
       npm audit / snyk test
       Fix all high/critical
       Plan medium/low

    2. OUTDATED PACKAGES
       npm outdated
       Identify packages > 2 major versions behind
       Plan updates for critical packages

    3. DEPRECATED PACKAGES
       Check for deprecation warnings
       Find replacements for deprecated packages

    4. UNUSED PACKAGES
       Check for installed but unused packages
       Remove them to reduce attack surface

    5. LICENSE AUDIT
       Verify licenses are compatible
       Flag any GPL in proprietary code
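Step 2 of the review checklist asks for packages more than two major versions behind. `npm outdated --json` gives that information, plus a distinction worth using: `wanted` is the newest version that still satisfies the declared range (safe for the low-risk batch), while `latest` may need a range change and a plan. The script below is an added example, not GitScrum code; SAMPLE_OUTDATED is constructed in the shape npm prints and its versions are illustrative, not the real release history of these packages.

```javascript
// Added example (not GitScrum code): classify `npm outdated --json` output.
// SAMPLE_OUTDATED is CONSTRUCTED; versions are illustrative.
const SAMPLE_OUTDATED = {
  react: { current: '17.0.2', wanted: '17.0.2', latest: '18.2.0', location: 'node_modules/react' },
  'old-util-lib': { current: '1.4.0', wanted: '1.4.0', latest: '4.1.0', location: 'node_modules/old-util-lib' },
  lodash: { current: '4.17.20', wanted: '4.17.21', latest: '4.17.21', location: 'node_modules/lodash' },
  // npm reports MISSING when package.json lists a dependency that is not installed.
  'example-cli': { current: 'MISSING', wanted: '2.1.0', latest: '2.1.0', location: 'node_modules/example-cli' },
};

// Leading integer of a version string, or null for non-versions such as MISSING.
function majorOf(version) {
  const major = parseInt(version, 10);
  return Number.isNaN(major) ? null : major;
}

// `wanted` satisfies the declared range and can go in the monthly batch;
// `latest` beyond the range needs a scheduled major update, and more than
// `majorGapThreshold` majors behind needs a planned upgrade epic.
function reviewOutdated(outdated, { majorGapThreshold = 2 } = {}) {
  return Object.entries(outdated)
    .map(([name, info]) => {
      const current = majorOf(info.current);
      const majorsBehind = current === null ? null : majorOf(info.latest) - current;
      let action;
      if (current === null) action = 'install-missing';
      else if (majorsBehind > majorGapThreshold) action = 'plan-major-upgrade';
      else if (majorsBehind > 0) action = 'schedule-major-update';
      else if (info.wanted !== info.current) action = 'include-in-batch';
      else action = 'up-to-date';
      return { name, current: info.current, wanted: info.wanted, latest: info.latest, majorsBehind, action };
    })
    // Furthest-behind packages first; missing ones sink to the bottom.
    .sort((a, b) => (b.majorsBehind ?? -1) - (a.majorsBehind ?? -1));
}

for (const row of reviewOutdated(SAMPLE_OUTDATED)) {
  console.log(`${row.name.padEnd(14)} ${row.current.padEnd(9)} -> ${row.latest.padEnd(9)} ${row.action}`);
}
```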
Automated Updates
AUTOMATION SETUP:

  DEPENDABOT / RENOVATE:

  Configuration:

    # renovate.json
    {
      "extends": ["config:base"],
      "schedule": ["on monday"],
      "packageRules": [
        {
          "matchUpdateTypes": ["patch", "minor"],
          "groupName": "minor-updates",
          "automerge": true
        },
        {
          "matchUpdateTypes": ["major"],
          "labels": ["major-update"],
          "automerge": false
        }
      ]
    }

  STRATEGY:

    PATCH UPDATES:
      Auto-merge if tests pass

    MINOR UPDATES:
      Group into weekly PR
      Review + merge after tests

    MAJOR UPDATES:
      Individual PR
      Require manual review
      Create GitScrum task

    SECURITY UPDATES:
      Immediate PR regardless of type
      High priority review
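Both the UPDATE TYPES table at the top of the page and the STRATEGY block above hinge on one classification: is a given bump a patch, minor or major change? That is what Renovate's `matchUpdateTypes` decides for you. The script below is an added example (not GitScrum or Renovate code) that performs the same classification and returns the handling policy from the STRATEGY block. One policy choice is an assumption of this example: for packages still at major version 0, a minor bump is treated as major, because semver reserves 0.y.z for initial development where anything may change.

```javascript
// Added example (not GitScrum or Renovate code): classify a version bump and
// route it per the STRATEGY block. 0.x minor bumps are treated as major (assumption).
const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(version) {
  const m = SEMVER_RE.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns 'major' | 'minor' | 'patch' | 'prerelease' | 'none' | 'downgrade'.
function updateType(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  for (const part of ['major', 'minor', 'patch']) {
    if (b[part] < a[part]) return 'downgrade';
    if (b[part] > a[part]) {
      if (part === 'minor' && a.major === 0) return 'major'; // 0.x: minor may break
      return part;
    }
  }
  return a.prerelease === b.prerelease ? 'none' : 'prerelease';
}

// Map the update type (and the security flag) onto the page's handling rules.
function routeUpdate({ name, from, to, security = false }) {
  const type = updateType(from, to);
  const base = { name, from, to, type };
  if (type === 'downgrade' || type === 'none') {
    return { ...base, action: 'skip', automerge: false, review: 'none', createTask: false };
  }
  if (security) {
    // SECURITY UPDATES: immediate PR regardless of type, high-priority review.
    return { ...base, action: 'immediate-pr', automerge: false, review: 'high-priority', createTask: true };
  }
  switch (type) {
    case 'patch': // auto-merge if tests pass
      return { ...base, action: 'individual-pr', automerge: true, review: 'tests-only', createTask: false };
    case 'minor': // group into weekly PR, review + merge after tests
      return { ...base, action: 'group-weekly-pr', automerge: false, review: 'after-tests', createTask: false };
    case 'major': // individual PR, manual review, GitScrum task
      return { ...base, action: 'individual-pr', automerge: false, review: 'manual', createTask: true };
    default: // prerelease: never automatic
      return { ...base, action: 'individual-pr', automerge: false, review: 'manual', createTask: false };
  }
}

// Candidate updates, constructed from the page's own examples plus a 0.x case.
const CANDIDATES = [
  { name: 'react', from: '18.2.0', to: '18.2.1' },
  { name: 'react', from: '17.0.2', to: '18.2.0' },
  { name: 'lodash', from: '4.17.20', to: '4.17.21', security: true },
  { name: 'example-zero-x', from: '0.3.1', to: '0.4.0' },
];
for (const c of CANDIDATES) console.log(routeUpdate(c));
```

The routing follows the STRATEGY text, which auto-merges only patches; note that the renovate.json on this page groups patch and minor together with `"automerge": true`, so pick one of the two policies and make the config match it.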
Major Version Upgrades
Planning Major Updates
MAJOR UPGRADE PLANNING:

  EXAMPLE: React 17 → React 18

  ASSESSMENT PHASE:

    1. Read migration guide
    2. Identify breaking changes affecting us
    3. Check dependency compatibility
    4. Estimate effort
    5. Identify risks

  GITSCRUM EPIC:

    UPGRADE-001: React 18 Migration

    Summary:
      Upgrade from React 17 to React 18

    Scope:
      • 45 components affected
      • 3 incompatible dependencies
      • New features to leverage

    Estimate: 2 sprints

    Tasks:
      [ ] Update react and react-dom
      [ ] Update testing-library
      [ ] Replace deprecated lifecycle methods
      [ ] Update event handling
      [ ] Address strict mode warnings
      [ ] Update dependent packages
      [ ] Full regression testing
      [ ] Staged rollout

  APPROACH:
    • Update in feature branch
    • Fix issues incrementally
    • Test thoroughly
    • Deploy behind feature flag if possible
Dependency Health
Monitoring Package Health
DEPENDENCY HEALTH INDICATORS:

  HEALTHY DEPENDENCY:
    ✓ Active maintenance (commits within 3 months)
    ✓ Responsive to issues
    ✓ Timely security patches
    ✓ Clear versioning (semver)
    ✓ Good documentation
    ✓ Reasonable install size

  UNHEALTHY DEPENDENCY:
    ✗ No commits in > 1 year
    ✗ Open security issues
    ✗ Many unaddressed issues/PRs
    ✗ Deprecated or archived
    ✗ Single maintainer (bus factor)
    ✗ Massive transitive dependencies

  DEPENDENCY HEALTH AUDIT:

    Package        Health    Last Update    Issues
    ------------   ------    -----------    ---------------
    react          Green     Active         Well-maintained
    lodash         Yellow    Stable         Low activity
    old-util-lib   Red       2 years ago    Deprecated

  ACTIONS FOR UNHEALTHY:
    • Find alternative package
    • Fork and maintain (last resort)
    • Replace with custom implementation
    • Accept risk (document decision)
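The indicator lists above translate into a scoring pass that a monthly review can run over every direct dependency. The script below is an added example, not GitScrum code: SAMPLE_PACKAGES is constructed metadata of the kind a registry or repository API returns, and its values are illustrative, not the real state of these packages. The 3-month and 1-year thresholds come from the page; the unaddressed-issue ratio and the transitive-dependency cap are assumed cut-offs that a team would tune. Hard indicators (deprecated, open security issues, no commits in over a year) make a package red; the softer ones only downgrade it to yellow.

```javascript
// Added example (not GitScrum code): score dependency health from the page's indicators.
// SAMPLE_PACKAGES is CONSTRUCTED metadata; values are illustrative.
const SAMPLE_PACKAGES = [
  { name: 'react', lastCommit: '2024-01-10', deprecated: false, archived: false, maintainers: 5,
    openIssues: 120, closedIssues: 9000, openSecurityIssues: 0, transitiveDeps: 3 },
  { name: 'lodash', lastCommit: '2023-08-01', deprecated: false, archived: false, maintainers: 2,
    openIssues: 40, closedIssues: 4000, openSecurityIssues: 0, transitiveDeps: 0 },
  { name: 'old-util-lib', lastCommit: '2022-01-15', deprecated: true, archived: false, maintainers: 1,
    openIssues: 85, closedIssues: 100, openSecurityIssues: 2, transitiveDeps: 140 },
];

const DAY_MS = 24 * 60 * 60 * 1000;
const daysBetween = (from, to) =>
  Math.round((new Date(`${to}T00:00:00Z`) - new Date(`${from}T00:00:00Z`)) / DAY_MS);

// activeDays (3 months) and staleDays (1 year) are the page's thresholds;
// unaddressedRatio and maxTransitive are assumed cut-offs.
function assessHealth(pkg, today,
  { activeDays = 91, staleDays = 365, unaddressedRatio = 0.5, maxTransitive = 100 } = {}) {
  const age = daysBetween(pkg.lastCommit, today);
  const red = [], yellow = [];
  if (pkg.deprecated || pkg.archived) red.push('deprecated or archived');
  if (pkg.openSecurityIssues > 0) red.push(`${pkg.openSecurityIssues} open security issue(s)`);
  if (age > staleDays) red.push(`no commits in ${age} days`);
  else if (age > activeDays) yellow.push('low activity');
  if (pkg.maintainers === 1) yellow.push('single maintainer (bus factor)');
  const total = pkg.openIssues + pkg.closedIssues;
  if (total > 0 && pkg.openIssues / total > unaddressedRatio) yellow.push('many unaddressed issues');
  if (pkg.transitiveDeps > maxTransitive) yellow.push('massive transitive dependencies');
  const status = red.length ? 'unhealthy' : yellow.length ? 'stable' : 'healthy';
  return { name: pkg.name, status, lastCommitDaysAgo: age, flags: [...red, ...yellow] };
}

// Worst first, so the review starts with the packages that need an action.
function auditHealth(packages, today) {
  const order = { unhealthy: 0, stable: 1, healthy: 2 };
  return packages.map((p) => assessHealth(p, today)).sort((a, b) => order[a.status] - order[b.status]);
}

for (const r of auditHealth(SAMPLE_PACKAGES, '2024-02-05')) {
  console.log(`${r.name.padEnd(14)} ${r.status.padEnd(10)} ${String(r.lastCommitDaysAgo).padStart(4)}d  ${r.flags.join('; ')}`);
}
```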
Lock Files
Managing Lock Files
LOCK FILE BEST PRACTICES:

  WHY LOCK FILES MATTER:

    Without lock file:
      "Works on my machine" ≠ "Works in CI" ≠ "Works in prod"

    With lock file:
      Exact same versions everywhere
      Reproducible builds
      No surprise updates

  RULES:

    1. ALWAYS COMMIT LOCK FILE
       package-lock.json (npm)
       yarn.lock (yarn)
       composer.lock (PHP)
       Gemfile.lock (Ruby)

    2. USE CI INSTALL COMMANDS
       npm ci (not npm install)
       yarn --frozen-lockfile
       composer install (not update)

    3. UPDATE INTENTIONALLY
       Run npm update when you mean to
       Review lock file changes
       Don't ignore lock file diffs

    4. RESOLVE CONFLICTS CAREFULLY
       Delete and regenerate if complex
       Test after resolving

  GITSCRUM:
    Lock file updates should be in dependency tasks
    Not hidden in feature work
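Rules 2 and 3 above are easier to follow with a check that explains what `npm ci` enforces and what a lock-file diff review should look for. `npm ci` refuses to run when the ranges in package.json no longer match the lock file's root entry (`npm install` would silently re-resolve instead), and every fetched package in a lockfileVersion 2/3 lock carries a `resolved` URL and an `integrity` hash; an entry that loses either, or that starts resolving from an unexpected host, is exactly the kind of diff not to ignore. The script below is an added example, not GitScrum or npm code: PACKAGE_JSON and PACKAGE_LOCK are constructed, with the react range drift and the missing lodash integrity hash placed deliberately so the checks have something to catch.

```javascript
// Added example (not GitScrum or npm code): detect package.json / package-lock.json
// drift and lock entries missing provenance. Both documents are CONSTRUCTED.
const PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { react: '^18.2.0', lodash: '^4.17.21' },
  devDependencies: { jest: '^29.0.0' },
};
const PACKAGE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    // Root entry: npm records the declared ranges here and compares them on `npm ci`.
    '': { name: 'example-app', dependencies: { react: '^17.0.2', lodash: '^4.17.21' }, devDependencies: { jest: '^29.0.0' } },
    'node_modules/react': { version: '17.0.2', resolved: 'https://registry.npmjs.org/react/-/react-17.0.2.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' }, // integrity missing
    'node_modules/jest': { version: '29.7.0', resolved: 'https://registry.npmjs.org/jest/-/jest-29.7.0.tgz', integrity: 'sha512-PLACEHOLDER' },
  },
};

// Returns a list of problems; an empty list means the pair is in sync and every
// fetched package has a resolved URL on an allowed host plus an integrity hash.
function checkLockfile(pkgJson, lock, { allowedHosts = ['registry.npmjs.org'] } = {}) {
  const problems = [];
  const root = lock.packages[''] || {};

  // Check 1: declared ranges must equal the lock's root entry (what `npm ci` enforces).
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const declared = pkgJson[field] || {};
    const locked = root[field] || {};
    for (const name of new Set([...Object.keys(declared), ...Object.keys(locked)])) {
      if (declared[name] !== locked[name]) {
        problems.push({ kind: 'spec-mismatch', name, declared: declared[name] ?? null, locked: locked[name] ?? null });
      }
      if (declared[name] && !lock.packages[`node_modules/${name}`]) {
        problems.push({ kind: 'missing-from-lock', name });
      }
    }
  }

  // Check 2: every fetched entry needs a resolved URL on an expected registry and an integrity hash.
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // root and workspace links are not fetched
    if (!entry.resolved) {
      problems.push({ kind: 'missing-resolved', name: path });
    } else if (!allowedHosts.includes(new URL(entry.resolved).host)) {
      problems.push({ kind: 'unexpected-registry', name: path, resolved: entry.resolved });
    }
    if (!entry.integrity) problems.push({ kind: 'missing-integrity', name: path });
  }
  return problems;
}

for (const p of checkLockfile(PACKAGE_JSON, PACKAGE_LOCK)) console.log(p);
```

Run against real files by reading and `JSON.parse`-ing them in place of the two constants; wiring it into CI next to `npm ci` turns "review lock file changes" from a habit into a gate.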