Infield keeps open source dependencies up to date. We do this by combining software and a team of expert developers who will fix breaking changes in order to upgrade your app. We’ve upgraded more than a thousand packages across millions of lines of code. In doing so we’ve come to learn what good (and unfortunately bad) dependency maintenance looks like.
Good dependency management means defining a policy, monitoring for compliance, and prioritizing continuous dependency upgrades as part of your ongoing maintenance cycles. Dependencies need clear owners responsible for their upkeep.
Define your dependency policy as a series of goals. For a typical SaaS web application we recommend:
Monitoring for compliance means tracking several data sources: a security scanner for CVEs, GitHub repositories and mailing lists for signs of abandonment, package registries for new releases, and framework web pages for major announcements. This can be done by technical project managers, but we’ve also seen teams write scripts that automatically send summary emails or create Jira tickets when they find work to be done.
Finally, good dependency policy means responsibility. Depending on your size, you might have one or two team members generally responsible for dependency upgrades. When multiple teams are responsible for the same app you need a way to track which dependencies are owned by which teams.
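One way to script the compliance check and per-team ticketing described above, as an added example rather than Infield's own tooling: the inventory, policy thresholds, owners and the advisory id are constructed placeholders, and a real script would fill the inventory from a scanner, the package registry and the repository's release history.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory record. In practice these fields come from a CVE
# scanner, the package registry and the upstream repo (names are made up).
@dataclass
class Dep:
    name: str
    installed: str          # installed version, "major.minor.patch"
    latest: str             # newest version on the registry
    last_release: date      # date of that newest release
    advisories: list = field(default_factory=list)  # advisory ids from a scanner
    owner: str = "unassigned"                       # owning team

# Example policy goals: at most one major version behind, and treat a package
# with no release in two years as a candidate for abandonment.
POLICY = {"max_majors_behind": 1, "abandoned_after_days": 730}
TODAY = date(2024, 4, 1)  # constructed "run date" so the example is reproducible

def major(version):
    return int(version.split(".")[0])

def check(dep, policy, today):
    """Return the list of policy violations for one dependency (empty if compliant)."""
    issues = []
    if dep.advisories:
        issues.append(f"known advisories: {', '.join(dep.advisories)}")
    behind = major(dep.latest) - major(dep.installed)
    if behind > policy["max_majors_behind"]:
        issues.append(f"{behind} majors behind ({dep.installed} -> {dep.latest})")
    if (today - dep.last_release).days > policy["abandoned_after_days"]:
        issues.append(f"no release since {dep.last_release} (possibly abandoned)")
    return issues

def tickets(deps, policy, today):
    """Group violations by owning team: one ticket body (list of lines) per team."""
    by_owner = {}
    for dep in deps:
        for issue in check(dep, policy, today):
            by_owner.setdefault(dep.owner, []).append(f"{dep.name}: {issue}")
    return by_owner

INVENTORY = [  # constructed sample data; the advisory id is a placeholder
    Dep("webframework", "3.2.0", "5.0.1", date(2024, 3, 1), [], "platform"),
    Dep("imagelib", "8.1.0", "8.1.2", date(2024, 1, 10), ["CVE-XXXX-PLACEHOLDER"], "media"),
    Dep("oldhelper", "1.0.0", "1.0.0", date(2020, 6, 1), []),
    Dep("httpclient", "2.9.0", "2.9.5", date(2024, 2, 20), [], "platform"),
]

if __name__ == "__main__":
    for owner, lines in tickets(INVENTORY, POLICY, TODAY).items():
        print(f"[{owner}]\n  " + "\n  ".join(lines))  # or post to Jira / email
```

Dependencies that end up under "unassigned" are themselves a finding: the policy cannot be enforced until someone owns them.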
Besides the security and reliability benefits that dependency maintenance brings, rewarding this work helps build engineering culture. The best engineers want to work with modern tools.