November 29, 2023
Strategy

Defining a Dependency Management Policy

Steve Pike
CEO, Co-founder

Infield keeps open source dependencies up to date. We do this by combining software and a team of expert developers who will fix breaking changes in order to upgrade your app. We’ve upgraded more than a thousand packages across millions of lines of code. In doing so we’ve come to learn what good (and unfortunately bad) dependency maintenance looks like.

Good dependency management means defining a policy, monitoring for compliance, and prioritizing continuous dependency upgrades as part of your ongoing maintenance cycles. Dependencies need clear owners responsible for their upkeep.

Define your dependency policy as a series of goals. For a typical SaaS web application we recommend:

  1. Core frameworks and programming languages should be kept on their latest version. Aggressive teams will stay on the bleeding edge (running main in production), while more conservative ones will upgrade once the first patch release of a new version ships.
  2. Other direct dependencies should be upgraded before they become more than two years stale, where staleness is the gap between the release date of the version you run and the release date of the newest version (the libyear metric, https://libyear.com/).
  3. There should be no known, unpatched CVEs against the versions of your dependencies in use, direct or transitive.
  4. Do not use dependencies that their authors have abandoned (no longer maintained).

Monitoring for compliance means tracking several data sources: a security scanner for CVEs, GitHub repos and mailing lists for signs of abandonment, package registries for new releases, and framework web pages for major announcements. This can be done by technical project managers, but we’ve also seen teams write scripts that automatically send summary emails or create Jira tickets when they find work to be done.
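As an added example (not Infield's tooling, and not code from this post), here is a small Python script that checks a dependency inventory against the four goals above and renders the kind of summary a nightly email or Jira ticket would carry. Every package name, version, date and advisory label is constructed; in practice the version and release dates would come from the package registry, the last-activity date from the upstream repository, and the advisory list from a vulnerability scanner. The 540-day abandonment window is an assumption for this example; the post does not define one.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds. The two-year limit is the policy from the post; the
# abandonment window (~18 months without upstream activity) is an assumption.
MAX_LIBYEARS = 2.0
ABANDONED_AFTER_DAYS = 540


@dataclass
class Dependency:
    """One entry from a dependency inventory (all values constructed here)."""
    name: str
    used_version: str
    used_release: date            # release date of the version we run
    latest_version: str
    latest_release: date          # release date of the newest version
    last_upstream_activity: date  # most recent commit or release upstream
    open_advisories: list[str] = field(default_factory=list)  # from a scanner
    is_core: bool = False         # framework or language runtime


def libyears(dep: Dependency) -> float:
    """Staleness as libyear.com defines it: years between the release of the
    version in use and the release of the newest version."""
    lag_days = (dep.latest_release - dep.used_release).days
    return max(lag_days, 0) / 365.25


def check(dep: Dependency, today: date) -> list[str]:
    """Return one message per policy goal the dependency violates."""
    findings: list[str] = []

    # Goal 1: core frameworks/languages stay on the latest release.
    if dep.is_core and dep.used_version != dep.latest_version:
        findings.append(
            f"core dependency behind latest ({dep.used_version} -> {dep.latest_version})"
        )

    # Goal 2: other direct dependencies never exceed two libyears of lag.
    lag = libyears(dep)
    if not dep.is_core and lag > MAX_LIBYEARS:
        findings.append(f"{lag:.1f} libyears stale (limit {MAX_LIBYEARS:.0f})")

    # Goal 3: no open advisories against the version in use.
    if dep.open_advisories:
        findings.append("open advisories: " + ", ".join(dep.open_advisories))

    # Goal 4: not abandoned upstream. This is independent of libyears:
    # a package can be on its latest version and still be dead.
    idle_days = (today - dep.last_upstream_activity).days
    if idle_days > ABANDONED_AFTER_DAYS:
        findings.append(f"no upstream activity for {idle_days} days (possibly abandoned)")

    return findings


def audit(deps: list[Dependency], today: date) -> dict[str, list[str]]:
    """Map each non-compliant dependency to its findings."""
    report: dict[str, list[str]] = {}
    for dep in deps:
        findings = check(dep, today)
        if findings:
            report[dep.name] = findings
    return report


def format_report(report: dict[str, list[str]]) -> str:
    """Plain-text summary suitable for a nightly email or a ticket body."""
    if not report:
        return "All dependencies comply with the policy."
    lines = [f"{len(report)} dependencies need attention:"]
    for name, findings in sorted(report.items()):
        lines.append(f"- {name}")
        lines.extend(f"    * {f}" for f in findings)
    return "\n".join(lines)


# Constructed inventory; package names, versions and dates are made up.
TODAY = date(2023, 11, 29)
SAMPLE_DEPS = [
    Dependency("webframework", "5.0.0", date(2023, 5, 1), "5.1.0", date(2023, 11, 1),
               date(2023, 11, 20), is_core=True),
    Dependency("http-client", "1.2.0", date(2020, 3, 15), "2.4.1", date(2023, 9, 10),
               date(2023, 11, 15)),
    Dependency("yaml-parser", "0.9.0", date(2022, 6, 1), "0.9.2", date(2023, 1, 20),
               date(2023, 1, 20), open_advisories=["scanner finding #1 (constructed)"]),
    # On its latest version, so libyears is 0, yet untouched upstream since 2019.
    Dependency("legacy-util", "3.1.0", date(2019, 2, 10), "3.1.0", date(2019, 2, 10),
               date(2019, 2, 10)),
    Dependency("compliant-lib", "2.0.0", date(2023, 8, 1), "2.0.0", date(2023, 8, 1),
               date(2023, 11, 10)),
]

if __name__ == "__main__":
    print(format_report(audit(SAMPLE_DEPS, TODAY)))
```

The fourth entry is the case worth noticing: libyear alone reports it as perfectly fresh because it is on its latest release, so an abandonment signal taken from the repository is what catches it. Wiring `audit` to a scheduler and posting `format_report` to a mailing list or ticket tracker is the automation the paragraph above describes.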

Finally, good dependency policy means responsibility. Depending on your size, you might have one or two team members generally responsible for dependency upgrades. When multiple teams share the same app, you need a way to track which dependencies are owned by which team.

Besides the security and reliability benefits that dependency maintenance brings, rewarding this work helps build engineering culture. The best engineers want to work with modern tools.