Tackling the Challenge of Keeping Dependencies Up-to-date

January 13, 2023

In the world of software development, we commonly write code that depends on someone else's code. For me that's two frameworks (Laravel and Vue) which I use by default when starting new projects. With Laravel 10's release approaching next month, I want to be prepared to upgrade my projects.

Frustration when dealing with outdated code

As a developer it can be disheartening to find out that a codebase I need to contribute to is using dependencies that are no longer officially supported. This may mean that a newer version of the package has been out for 2 or more years. That introduces problems such as having to refer to an older version of the documentation when I get stuck, and having to work out which features were not available back then. Once I become accustomed to writing code with the newest version, having to use the older version can really slow me down.

Because an application can continue to work for years after its dependencies have lost support, the advantages of upgrading are not obvious to anyone who isn't a developer. Users probably don't care what version you're using as long as they can still use your app.

Upgrading is a process. It takes time and commitment. If there is no system in place for making minor updates, it's easy to forget about them entirely. Upgrades to major versions can be very involved, and it can be difficult to know how long those changes will take. For these reasons, I understand why a company would continue to use an older version. However, for my own projects I want to raise the bar, and that's why I've adopted my own standards.

Adopting Standards

Coming up with standards is just the start - the standards don't do anything until I apply them. Part of the process is figuring out not only how to achieve compliance initially, but how to maintain it.

For starters, I've made it the standard that all my projects be upgraded to the latest major version of both Laravel and Vue within 3 months of their release.

When keeping dependencies up-to-date, part of the challenge is knowing when those dependencies are no longer the latest version. Some kind of script that scans my projects and reports back which packages need upgrades would be helpful. I have to do this not just for the major version, but for the minor and patch versions too. I have to upgrade the minor version within 1 month of the release and the patch version within 1 week of the release. The goal is to apply minor and patch upgrades automatically, as they should not involve any breaking changes.
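As an added example (not code from the original post), here is the core of such a tracker: it compares installed versions against the latest published versions and flags anything outside the windows described in this post (major within 3 months, minor within 1 month, patch within 1 week). The package versions and release dates are constructed sample data, and the `installed`/`registry` shapes are assumed rather than read from a real lockfile or registry.

```javascript
// Upgrade windows from the post, in days (3 months, 1 month, 1 week).
const POLICY_DAYS = { major: 90, minor: 30, patch: 7 };

// Parse "x.y.z" (optionally prefixed with "v") into three integers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Classify the bump from installed to latest, or null when already current.
function bumpType(installed, latest) {
  const [iMaj, iMin, iPat] = parseSemver(installed);
  const [lMaj, lMin, lPat] = parseSemver(latest);
  if (lMaj > iMaj) return 'major';
  if (lMaj === iMaj && lMin > iMin) return 'minor';
  if (lMaj === iMaj && lMin === iMin && lPat > iPat) return 'patch';
  return null;
}

function daysBetween(fromIso, toIso) {
  return Math.floor((Date.parse(toIso) - Date.parse(fromIso)) / 86400000);
}

// installed: { name: version }; registry: { name: { version, releasedAt } }
// (assumed shapes). releasedAt is the date the listed latest version shipped.
// Returns one row per package: bump kind, age of the latest release, and
// whether that age exceeds the standard's window for the bump kind.
function auditDependencies(installed, registry, todayIso) {
  return Object.keys(installed).map((name) => {
    const current = installed[name];
    const { version: latest, releasedAt } = registry[name];
    const bump = bumpType(current, latest);
    if (!bump) return { name, current, latest, bump: null, ageDays: 0, overdue: false };
    const ageDays = daysBetween(releasedAt, todayIso);
    return { name, current, latest, bump, ageDays, overdue: ageDays > POLICY_DAYS[bump] };
  });
}

// Constructed snapshot (not real release data), audited as of 2023-01-13.
const installed = { 'laravel/framework': '8.83.0', 'vue': '3.2.40', 'axios': '1.2.0' };
const registry = {
  'laravel/framework': { version: '9.48.0', releasedAt: '2022-10-01' }, // major, 104 days old
  'vue': { version: '3.3.0', releasedAt: '2023-01-01' },               // minor, 12 days old
  'axios': { version: '1.2.2', releasedAt: '2023-01-01' },             // patch, 12 days old
};
const report = auditDependencies(installed, registry, '2023-01-13');
for (const r of report) console.log(r.name, r.bump ?? 'up to date', r.overdue ? 'OVERDUE' : 'ok');
```

With this data the major and patch bumps are reported as overdue and the minor bump as still within its window.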

Another challenge is detecting when an upgrade causes a breaking change. Whether the upgrade is manual or automatic, I need a way to detect when something breaks. Because of this, I've made automated tests part of my standards. Automated tests will help most when upgrading the major version, as I expect that to cause the most breaking changes.

Conclusion

I know dependency management is not a new problem, so I will be looking at how other developers and companies handle it. I think that with the proper mindset and tools, keeping projects up-to-date should be attainable even for the smallest teams and sole developers.

In summary, the three systems I think I need to accomplish this are:

  1. Dependency tracker to let me know what dependencies need to be upgraded
  2. Dependency upgrader to perform automatic upgrades according to a weekly or monthly schedule
  3. Automated tests that are run whenever upgrades are made to confirm that core features are still working

The process will be iterative. If I have to lower the bar slightly, that's fine; I just want standards that are attainable. Once I understand what's possible with my own projects, I will be better equipped to advise others.