Dependency Management Best Practices
Dependencies are both assets and liabilities. GitScrum helps teams track dependency work and maintain healthy package ecosystems.
Dependency Strategy
Update Philosophy
DEPENDENCY UPDATE APPROACH:
┌─────────────────────────────────────────────────────────────┐
│ │
│ UPDATE TYPES: │
│ │
│ SECURITY PATCHES: │
│ Priority: Immediate │
│ Example: lodash 4.17.20 → 4.17.21 (CVE fix) │
│ Timeline: Same day or next business day │
│ Process: Fast-track, minimal testing │
│ │
│ MINOR/PATCH UPDATES: │
│ Priority: Regular maintenance │
│ Example: react 18.2.0 → 18.2.1 │
│ Timeline: Weekly or bi-weekly batch │
│ Process: Normal testing, grouped updates │
│ │
│ MAJOR UPDATES: │
│ Priority: Planned │
│ Example: react 17 → 18 │
│ Timeline: Dedicated sprint or epic │
│ Process: Full testing, migration guide review │
│ │
│ ─────────────────────────────────────────────────────────── │
│ │
│ ANTI-PATTERNS: │
│ │
│ ❌ "Update all the things" randomly │
│ ❌ Never update (version freeze) │
│ ❌ Major updates without planning │
│ ❌ Ignoring security alerts │
│ │
│ ✅ Regular, small, tested updates │
│ ✅ Prioritize security │
│ ✅ Plan major migrations │
│ ✅ Automate where possible │
└─────────────────────────────────────────────────────────────┘
Security Updates
Vulnerability Management
SECURITY VULNERABILITY WORKFLOW:
┌─────────────────────────────────────────────────────────────┐
│ │
│ VULNERABILITY DETECTED: │
│ │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ 🔴 HIGH: lodash < 4.17.21 ││
│ │ CVE-2021-23337 ││
│ │ Prototype pollution vulnerability ││
│ │ Fix: Update to 4.17.21+ ││
│ │ Affected: package-lock.json ││
│ └─────────────────────────────────────────────────────────┘│
│ │
│ SEVERITY RESPONSE: │
│ │
│ CRITICAL/HIGH: │
│ • Assess: Is it exploitable in our usage? │
│ • If yes: Fix immediately (same day) │
│ • If no: Fix within 1 week │
│ • Create urgent task in GitScrum │
│ │
│ MEDIUM: │
│ • Fix within sprint or next sprint │
│ • Include in regular maintenance │
│ │
│ LOW: │
│ • Include in next dependency batch │
│ • Don't ignore, but lower priority │
│ │
│ ─────────────────────────────────────────────────────────── │
│ │
│ GITSCRUM SECURITY TASK: │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ 🔴 SEC-123: Update lodash (CVE-2021-23337) ││
│ │ ││
│ │ Priority: Critical ││
│ │ Labels: security, dependency ││
│ │ Due: Today ││
│ │ ││
│ │ CVE: CVE-2021-23337 ││
│ │ Severity: High ││
│ │ Current: 4.17.20 ││
│ │ Target: 4.17.21 ││
│ │ Risk: Prototype pollution ││
│ │ ││
│ │ ☐ Update dependency ││
│ │ ☐ Run tests ││
│ │ ☐ Deploy ││
│ └─────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────┘
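The severity lanes above are easy to apply by hand to one alert and easy to get wrong across forty. The following script is an added example, not code from this guide or from GitScrum: it reads a report in the shape `npm audit --json` produces (npm 7 and later) and emits one task stub per vulnerable package with the priority, due date and labels the workflow assigns. The "is it exploitable in our usage?" question cannot be answered by a script, so it is passed in as a `reachable` map the team fills in; a package with no answer is treated as reachable so that nothing quietly lands in the one-week lane. The report, package names and advisory titles are constructed for the demonstration.

```javascript
// Added example, not code from the GitScrum guide: sort a `npm audit --json`
// report into the severity lanes of the workflow above and emit one task stub
// per vulnerable package.
// Assumptions: the report has the npm 7+ shape (a `vulnerabilities` map whose
// entries carry `severity`, `via`, `range`, `isDirect`, `fixAvailable`);
// `reachable` is the team's own answer to "is it exploitable in our usage?",
// keyed by package name; a package with no answer is treated as reachable.

// Response lanes from the workflow. npm reports "moderate" where the guide
// says MEDIUM; "info" is folded into the low lane.
const LANES = {
  critical: { priority: 'Critical', urgent: true },
  high:     { priority: 'High',     urgent: true },
  moderate: { priority: 'Medium',   urgent: false, due: 'within sprint or next sprint' },
  low:      { priority: 'Low',      urgent: false, due: 'next dependency batch' },
  info:     { priority: 'Low',      urgent: false, due: 'next dependency batch' },
};
const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// `fixAvailable` is true, false, or an object naming the top-level package
// whose bump resolves the finding.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'fix available via npm audit fix';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const major = fixAvailable.isSemVerMajor ? ' (major bump: plan it, do not fast-track)' : '';
    return `update ${fixAvailable.name} to ${fixAvailable.version}${major}`;
  }
  return 'no upstream fix: mitigate, replace, or document accepted risk';
}

function triageAudit(report, reachable = {}) {
  const tasks = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const severity = SEVERITY_RANK[v.severity] === undefined ? 'low' : v.severity;
    const lane = LANES[severity];
    let due = lane.due;
    let note = '';
    if (lane.urgent) {
      const answer = reachable[v.name];
      due = answer === false ? 'within 1 week' : 'same day';
      if (answer === undefined) note = 'exposure not yet assessed; treated as reachable';
    }
    // `via` entries are advisory objects for the package itself, or plain
    // strings naming the dependency through which a parent is affected.
    const titles = (v.via || [])
      .map((via) => (typeof via === 'string' ? `via ${via}` : via.title))
      .filter(Boolean);
    tasks.push({
      title: `SEC: Update ${v.name} (${titles.join('; ') || 'advisory'})`,
      severity,
      priority: lane.priority,
      labels: ['security', 'dependency', ...(v.isDirect ? [] : ['transitive'])],
      due,
      affectedRange: v.range,
      fix: describeFix(v.fixAvailable),
      note,
    });
  }
  return tasks.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed sample in the npm 7+ shape; not real audit output.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'high', isDirect: true,
      via: [{ title: 'Prototype pollution (CVE-2021-23337)', range: '<4.17.21' }],
      range: '<4.17.21',
      fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false },
    },
    'example-parser': {
      name: 'example-parser', severity: 'moderate', isDirect: false,
      via: [{ title: 'Regular expression denial of service', range: '<2.1.0' }],
      range: '<2.1.0',
      fixAvailable: true,
    },
    'old-util-lib': {
      name: 'old-util-lib', severity: 'low', isDirect: true,
      via: [{ title: 'Information exposure in debug output', range: '*' }],
      range: '*',
      fixAvailable: false,
    },
  },
};

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, { lodash: true }), null, 2));
```

Run it with `node` after piping `npm audit --json` into a file and replacing `SAMPLE_AUDIT`; the `note` field on unassessed critical/high findings is the reminder to do the exposure check before the task is closed, and a fix marked `isSemVerMajor` is the one case where "fast-track, minimal testing" does not apply.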
Regular Maintenance
Dependency Review Process
MONTHLY DEPENDENCY REVIEW:
┌─────────────────────────────────────────────────────────────┐
│ │
│ DEPENDENCY REVIEW TASK (Monthly): │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ MAINT-Q1-02: February Dependency Review ││
│ │ ││
│ │ Checklist: ││
│ │ ☐ Run npm audit / yarn audit ││
│ │ ☐ Review GitHub Dependabot alerts ││
│ │ ☐ Check for available minor updates ││
│ │ ☐ Review deprecated packages ││
│ │ ☐ Update batch of low-risk packages ││
│ │ ☐ Document any deferred updates ││
│ └─────────────────────────────────────────────────────────┘│
│ │
│ REVIEW CHECKLIST: │
│ │
│ 1. SECURITY │
│ npm audit / snyk test │
│ Fix all high/critical │
│ Plan medium/low │
│ │
│ 2. OUTDATED PACKAGES │
│ npm outdated │
│ Identify packages > 2 major versions behind │
│ Plan updates for critical packages │
│ │
│ 3. DEPRECATED PACKAGES │
│ Check for deprecation warnings │
│ Find replacements for deprecated │
│ │
│ 4. UNUSED PACKAGES │
│ Check for installed but unused │
│ Remove to reduce attack surface │
│ │
│ 5. LICENSE AUDIT │
│ Verify licenses are compatible │
│ Flag any GPL in proprietary code │
└─────────────────────────────────────────────────────────────┘
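Step 2 of the checklist and the update philosophy at the top of this guide are the same decision seen twice: which semver component a bump moves decides its lane, and the major distance between installed and latest decides whether the package needs a planned migration. The script below is an added example, not code from this guide or from GitScrum; it reads the shape `npm outdated --json` produces, classifies each package into the security / major / minor / patch lanes with the priority and timeline the guide gives, and flags anything more than two majors behind. The `securityFixes` set is a hand-maintained list of packages with an open advisory, and the sample input is constructed.

```javascript
// Added example, not code from the GitScrum guide: classify each entry of
// `npm outdated --json` into the lanes of the update philosophy above
// (security / major / minor / patch) and flag anything more than two majors
// behind, as step 2 of the review checklist asks.
// Assumptions: input follows the `npm outdated --json` shape
// ({ name: { current, wanted, latest, location } }); versions are semver and
// any pre-release or build suffix is ignored for lane purposes; `securityFixes`
// is a hand-maintained set of package names with an open advisory and wins
// over bump size.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Which semver component moves between two versions.
function bumpType(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  for (const part of ['major', 'minor', 'patch']) {
    if (b[part] > a[part]) return part;
    if (b[part] < a[part]) return 'downgrade';
  }
  return 'none';
}

// Priority, timeline and process per lane, taken from the update philosophy.
const LANE = {
  security:  { priority: 'Immediate', timeline: 'same day or next business day', process: 'fast-track, minimal testing' },
  major:     { priority: 'Planned', timeline: 'dedicated sprint or epic', process: 'full testing, migration guide review' },
  minor:     { priority: 'Regular maintenance', timeline: 'weekly or bi-weekly batch', process: 'normal testing, grouped updates' },
  patch:     { priority: 'Regular maintenance', timeline: 'weekly or bi-weekly batch', process: 'normal testing, grouped updates' },
  none:      { priority: 'None', timeline: 'no action', process: '' },
  downgrade: { priority: 'None', timeline: 'no action', process: 'latest is older than current; check the registry' },
};
const LANE_ORDER = ['security', 'major', 'minor', 'patch', 'none', 'downgrade'];

function planUpdates(outdated, securityFixes = new Set(), maxMajorsBehind = 2) {
  const rows = Object.entries(outdated).map(([name, info]) => {
    const bump = bumpType(info.current, info.latest);
    const majorsBehind = parseSemver(info.latest).major - parseSemver(info.current).major;
    const lane = securityFixes.has(name) ? 'security' : bump;
    return {
      name, current: info.current, wanted: info.wanted, latest: info.latest,
      bump, lane, majorsBehind,
      flagged: majorsBehind > maxMajorsBehind,
      ...LANE[lane],
    };
  });
  return rows.sort((a, b) => LANE_ORDER.indexOf(a.lane) - LANE_ORDER.indexOf(b.lane));
}

// Constructed sample in the `npm outdated --json` shape; not real output.
const SAMPLE_OUTDATED = {
  lodash: { current: '4.17.20', wanted: '4.17.21', latest: '4.17.21', location: 'node_modules/lodash' },
  react: { current: '17.0.2', wanted: '17.0.2', latest: '18.2.0', location: 'node_modules/react' },
  'old-util-lib': { current: '1.4.0', wanted: '1.4.0', latest: '4.0.1', location: 'node_modules/old-util-lib' },
  'example-cli': { current: '2.3.0', wanted: '2.5.1', latest: '2.5.1', location: 'node_modules/example-cli' },
};

for (const r of planUpdates(SAMPLE_OUTDATED, new Set(['lodash']))) {
  const flag = r.flagged ? `  [${r.majorsBehind} majors behind]` : '';
  console.log(`${r.name.padEnd(14)} ${r.current} -> ${r.latest}  ${r.lane.padEnd(8)} ${r.timeline}${flag}`);
}
```

The output is sorted so the security lane comes first, then planned majors, then the batchable minors and patches; the `flagged` rows are the ones that belong in an upgrade epic rather than the monthly batch.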
Automated Updates
AUTOMATION SETUP:
┌─────────────────────────────────────────────────────────────┐
│ │
│ DEPENDABOT / RENOVATE: │
│ │
│ Configuration: │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ # renovate.json ││
│ │ { ││
│ │   "extends": ["config:base"], ││
│ │   "schedule": ["on monday"], ││
│ │   "packageRules": [ ││
│ │     { ││
│ │       "matchUpdateTypes": ["patch", "minor"], ││
│ │       "groupName": "minor-updates", ││
│ │       "automerge": true ││
│ │     }, ││
│ │     { ││
│ │       "matchUpdateTypes": ["major"], ││
│ │       "labels": ["major-update"], ││
│ │       "automerge": false ││
│ │     } ││
│ │   ] ││
│ │ } ││
│ └─────────────────────────────────────────────────────────┘│
│ │
│ STRATEGY: │
│ │
│ PATCH UPDATES: │
│ Auto-merge if tests pass │
│ │
│ MINOR UPDATES: │
│ Group into weekly PR │
│ Review + merge after tests │
│ │
│ MAJOR UPDATES: │
│ Individual PR │
│ Require manual review │
│ Create GitScrum task │
│ │
│ SECURITY UPDATES: │
│ Immediate PR regardless of type │
│ High priority review │
└─────────────────────────────────────────────────────────────┘
Major Version Upgrades
Planning Major Updates
MAJOR UPGRADE PLANNING:
┌─────────────────────────────────────────────────────────────┐
│ │
│ EXAMPLE: React 17 → React 18 │
│ │
│ ASSESSMENT PHASE: │
│ │
│ 1. Read migration guide │
│ 2. Identify breaking changes affecting us │
│ 3. Check dependency compatibility │
│ 4. Estimate effort │
│ 5. Identify risks │
│ │
│ GITSCRUM EPIC: │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ UPGRADE-001: React 18 Migration ││
│ │ ││
│ │ Summary: ││
│ │ Upgrade from React 17 to React 18 ││
│ │ ││
│ │ Scope: ││
│ │ • 45 components affected ││
│ │ • 3 incompatible dependencies ││
│ │ • New features to leverage ││
│ │ ││
│ │ Estimate: 2 sprints ││
│ │ ││
│ │ Tasks: ││
│ │ ☐ Update react and react-dom ││
│ │ ☐ Update testing-library ││
│ │ ☐ Replace deprecated lifecycle methods ││
│ │ ☐ Update event handling ││
│ │ ☐ Address strict mode warnings ││
│ │ ☐ Update dependent packages ││
│ │ ☐ Full regression testing ││
│ │ ☐ Staged rollout ││
│ └─────────────────────────────────────────────────────────┘│
│ │
│ APPROACH: │
│ • Update in feature branch │
│ • Fix issues incrementally │
│ • Test thoroughly │
│ • Deploy behind feature flag if possible │
└─────────────────────────────────────────────────────────────┘
Dependency Health
Monitoring Package Health
DEPENDENCY HEALTH INDICATORS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ HEALTHY DEPENDENCY: │
│ ✅ Active maintenance (commits within 3 months) │
│ ✅ Responsive to issues │
│ ✅ Timely security patches │
│ ✅ Clear versioning (semver) │
│ ✅ Good documentation │
│ ✅ Reasonable install size │
│ │
│ UNHEALTHY DEPENDENCY: │
│ ❌ No commits in > 1 year │
│ ❌ Open security issues │
│ ❌ Many unaddressed issues/PRs │
│ ❌ Deprecated or archived │
│ ❌ Single maintainer (bus factor) │
│ ❌ Massive transitive dependencies │
│ │
│ ─────────────────────────────────────────────────────────── │
│ │
│ DEPENDENCY HEALTH AUDIT: │
│ │
│ Package        Health   Last Update    Issues            │
│ ─────────────  ──────   ───────────    ───────────────   │
│ react          🟢       Active         Well-maintained   │
│ lodash         🟡       Stable         Low activity      │
│ old-util-lib   🔴       2 years ago    Deprecated        │
│ │
│ ACTIONS FOR UNHEALTHY: │
│ • Find alternative package │
│ • Fork and maintain (last resort) │
│ • Replace with custom implementation │
│ • Accept risk (document decision) │
└─────────────────────────────────────────────────────────────┘
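The indicators above turn into a repeatable score once the signals are collected. The script below is an added example, not code from this guide or from GitScrum: given per-package signals (last commit date, deprecation and archive flags, open issue counts, maintainer count, transitive dependency count) it applies the guide's thresholds, with any one red indicator making the package unhealthy and the softer ones putting it on watch, and it attaches the matching action from the list above. The guide gives no numbers for "many unaddressed issues" or "massive transitive dependencies", so those two thresholds are parameters with constructed defaults; the sample packages and the fixed reference date are constructed so the result is stable.

```javascript
// Added example, not code from the GitScrum guide: score a package against the
// health indicators above and suggest the matching action.
// Assumptions: the signals (last commit date, deprecation/archive flags, open
// issue counts, maintainer count, transitive dependency count) are gathered by
// hand or from the registry and repository APIs and passed in as plain
// objects; the "many issues" and "massive transitive" thresholds are not
// numbers the guide gives, so they are parameters with constructed defaults.

const DAY_MS = 24 * 60 * 60 * 1000;

function assessHealth(pkg, now = new Date(), limits = { maxOpenIssues: 100, maxTransitiveDeps: 100 }) {
  const daysSinceCommit = Math.floor((now - new Date(pkg.lastCommit)) / DAY_MS);
  const red = [];     // any one of these makes the dependency unhealthy
  const yellow = [];  // watch items: not yet unhealthy, but worth a review

  if (pkg.deprecated) red.push('deprecated');
  if (pkg.archived) red.push('archived');
  if ((pkg.openSecurityIssues || 0) > 0) red.push(`${pkg.openSecurityIssues} open security issue(s)`);
  if (daysSinceCommit > 365) red.push(`no commits in ${daysSinceCommit} days (> 1 year)`);
  else if (daysSinceCommit > 91) yellow.push(`last commit ${daysSinceCommit} days ago (> 3 months)`);
  if ((pkg.maintainers || 0) <= 1) yellow.push('single maintainer (bus factor)');
  if ((pkg.openIssues || 0) > limits.maxOpenIssues) yellow.push(`${pkg.openIssues} open issues/PRs`);
  if ((pkg.transitiveDeps || 0) > limits.maxTransitiveDeps) yellow.push(`${pkg.transitiveDeps} transitive dependencies`);

  const status = red.length ? 'red' : yellow.length ? 'yellow' : 'green';
  const action = {
    red: 'find an alternative, fork as a last resort, or accept and document the risk',
    yellow: 'keep; re-check at the next monthly review',
    green: 'none',
  }[status];
  return { name: pkg.name, status, daysSinceCommit, reasons: red.concat(yellow), action };
}

// Constructed sample signals and a fixed reference date, so the result is stable.
const REFERENCE_DATE = new Date('2024-02-15T00:00:00Z');
const SAMPLE_PACKAGES = [
  { name: 'react', lastCommit: '2024-02-01', deprecated: false, archived: false,
    openSecurityIssues: 0, openIssues: 40, maintainers: 12, transitiveDeps: 3 },
  { name: 'lodash', lastCommit: '2023-06-10', deprecated: false, archived: false,
    openSecurityIssues: 0, openIssues: 60, maintainers: 2, transitiveDeps: 0 },
  { name: 'old-util-lib', lastCommit: '2022-01-20', deprecated: true, archived: false,
    openSecurityIssues: 0, openIssues: 30, maintainers: 1, transitiveDeps: 8 },
];

// One row per package, in the shape of the health audit table above.
function healthAudit(packages, now = REFERENCE_DATE) {
  return packages.map((p) => assessHealth(p, now));
}

for (const r of healthAudit(SAMPLE_PACKAGES)) {
  const icon = { green: '🟢', yellow: '🟡', red: '🔴' }[r.status];
  console.log(`${r.name.padEnd(14)} ${icon}  ${r.reasons.join(', ') || 'well-maintained'}  -> ${r.action}`);
}
```

A red result is a prompt to open the "find alternative / fork / replace / accept" decision as a tracked task, so the outcome is written down rather than left to whoever next runs the audit.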
Lock Files
Managing Lock Files
LOCK FILE BEST PRACTICES:
┌─────────────────────────────────────────────────────────────┐
│ │
│ WHY LOCK FILES MATTER: │
│ │
│ Without lock file: │
│ "Works on my machine" ≠ "Works in CI" ≠ "Works in prod" │
│ │
│ With lock file: │
│ Exact same versions everywhere │
│ Reproducible builds │
│ No surprise updates │
│ │
│ ─────────────────────────────────────────────────────────── │
│ │
│ RULES: │
│ │
│ 1. ALWAYS COMMIT LOCK FILE │
│ package-lock.json (npm) │
│ yarn.lock (yarn) │
│ composer.lock (PHP) │
│ Gemfile.lock (Ruby) │
│ │
│ 2. USE CI INSTALL COMMANDS │
│ npm ci (not npm install) │
│ yarn --frozen-lockfile │
│ composer install (not update) │
│ │
│ 3. UPDATE INTENTIONALLY │
│ Run npm update when you mean to │
│ Review lock file changes │
│ Don't ignore lock file diffs │
│ │
│ 4. RESOLVE CONFLICTS CAREFULLY │
│ Delete and regenerate if complex │
│ Test after resolving │
│ │
│ GITSCRUM: │
│ Lock file updates should be in dependency tasks │
│ Not hidden in feature work │
└─────────────────────────────────────────────────────────────┘
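Rules 2 and 3 above say to install from the lock and to review lock file changes; this added example (not code from this guide or from GitScrum) shows what that review can check mechanically before a dependency task is merged. It takes a `package.json` and a `package-lock.json` (lockfileVersion 2 or 3, where the `packages[""]` entry mirrors the manifest) and reports three things: ranges where the manifest and the lock root disagree, which is exactly the condition under which `npm ci` refuses to install; resolved packages with no `integrity` hash, so the downloaded tarball cannot be verified; and packages resolving from a host other than the expected registry. The manifest, lock and integrity values are constructed for the demonstration.

```javascript
// Added example, not code from the GitScrum guide: the review a lock file
// diff deserves before merge (rules 2 and 3 above). It checks that
// package.json and package-lock.json agree, which is what `npm ci` refuses to
// proceed without; that every resolved package carries an `integrity` hash;
// and that every package resolves from the expected registry.
// Assumptions: lockfileVersion 2 or 3 (a `packages` map whose "" entry mirrors
// package.json); `expectedRegistry` defaults to https://registry.npmjs.org/;
// the manifest and lock below are constructed for this demonstration, with
// placeholder integrity values.

function reviewLockfile(pkg, lock, expectedRegistry = 'https://registry.npmjs.org/') {
  const findings = [];
  const error = (msg) => findings.push({ level: 'error', msg });
  const warn = (msg) => findings.push({ level: 'warn', msg });

  if (!lock.packages || !lock.packages['']) {
    error('lock file has no packages map (lockfileVersion < 2?); regenerate with npm install');
    return findings;
  }
  const root = lock.packages[''];

  // 1. Manifest/lock agreement: the root entry must mirror package.json exactly.
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const want = pkg[field] || {};
    const have = root[field] || {};
    for (const [name, range] of Object.entries(want)) {
      if (!(name in have)) error(`${name}: in package.json ${field} but not in the lock root (npm ci will fail)`);
      else if (have[name] !== range) error(`${name}: package.json wants ${range}, lock root has ${have[name]} (npm ci will fail)`);
      if (!lock.packages[`node_modules/${name}`]) error(`${name}: no resolved entry in the lock`);
    }
    for (const name of Object.keys(have)) {
      if (!(name in want)) warn(`${name}: in the lock root ${field} but not in package.json (stale lock)`);
    }
  }

  // 2. Provenance of each resolved package: registry host and integrity hash.
  const expectedHost = new URL(expectedRegistry).host;
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // root, or a workspace/file link
    if (!entry.resolved) { warn(`${path}: no resolved URL`); continue; }
    let host;
    try { host = new URL(entry.resolved).host; } catch { warn(`${path}: unparsable resolved URL ${entry.resolved}`); continue; }
    if (host !== expectedHost) warn(`${path}: resolves from ${host}, not ${expectedHost}; confirm this is intended`);
    if (!entry.integrity) warn(`${path}: no integrity hash, so the tarball cannot be verified at install time`);
  }
  return findings;
}

// True when `npm ci` would accept the pair; warnings still deserve a look.
function lockfileInSync(findings) {
  return !findings.some((f) => f.level === 'error');
}

// Constructed sample: package.json was bumped to ^4.17.21 without regenerating
// the lock, and one dev tool was pulled from an internal mirror without a hash.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app', version: '1.0.0',
  dependencies: { lodash: '^4.17.21', react: '^18.2.0' },
  devDependencies: { 'example-test-tool': '^2.0.0' },
};
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0',
          dependencies: { lodash: '^4.17.20', react: '^18.2.0' },
          devDependencies: { 'example-test-tool': '^2.0.0' } },
    'node_modules/lodash': { version: '4.17.20',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/react': { version: '18.2.0',
      resolved: 'https://registry.npmjs.org/react/-/react-18.2.0.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/example-test-tool': { version: '2.0.0', dev: true,
      resolved: 'https://mirror.example.internal/example-test-tool-2.0.0.tgz' },
  },
};

const lockReview = reviewLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
for (const f of lockReview) console.log(`${f.level.toUpperCase()}: ${f.msg}`);
console.log(lockfileInSync(lockReview) ? 'npm ci would pass' : 'npm ci would fail: regenerate the lock');
```

The first finding is the one a CI job catches late (the "update dependency" step edited `package.json` and the lock was never regenerated); the other two are the ones a reviewer is better placed to catch than CI, since a lock entry that silently moved to another host or lost its hash is a change in what gets installed, not just in which version.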