Hey everyone! I'm relatively new to full stack development and I'm trying to figure out the best way to manage dependencies at my SaaS startup. Right now, I have Dependabot set up and merge updates every couple of weeks, but I can't shake the feeling that there's a better way to do this. I'd love to get your thoughts on a few things: 1. How do startups usually deal with dependency updates and the associated security risks? Is it better to patch as updates come in or batch them on a regular schedule? 2. What about larger companies? Do they have special teams or processes to handle this? I'm curious what a smaller company can realistically do. 3. When a dependency has a security vulnerability but updating it breaks other packages relying on the old version, what are the best practices? Should I pin the old version and accept the risk, fork it, or is there another approach? I feel stuck between over-updating (which often leads to breakage) and under-updating (which leaves security gaps). Thanks for any insights!
1 Answer
At my startup, dependency management is a part of our weekly routine. In bigger companies, the Site Reliability Engineering (SRE) team typically ensures version correctness at the platform level while the software development team focuses on business logic. This way, both aspects are covered!
Thanks for the info!