# random
Hey folks! 👋 I have a question for all the people using React (or ReactNative or any other flavour) in production. How much time do you end up spending baby-sitting the dependencies? Upgrading them, changing code for breaking-changes, etc. Why I ask: I wrote an app on ReactNative a few years ago to learn the framework and since then, I have constantly been pinged by Dependabot on Github that a bunch of my libraries have high severity vulnerabilities - even though I have used only a handful of libraries. (My libraries, in turn, use these which have vulnerabilities). Many of these libraries have breaking changes and if I try to upgrade just the ones it is pointing to, I’ll end up changing a bunch of app-code to work with the new libraries. I was wondering if I am doing something wrong — or if this experience is similar across the board?
I don't know if this is the best way, but I can share how we tried to handle this at the company I was working at: We tend to follow the principle of "if it ain't broke, don't fix it", which includes upgrading dependencies as well. But this time we faced the same Dependabot notifications on GitHub, so we couldn't ignore them for very long 😂 and had to include this in our list of todos. So what we ended up doing was to look at a minimum of one Dependabot PR on GitHub during each sprint; that way we could slowly start to update the dependencies one at a time. Again, I guess it depends on your priority (for us it wasn't a very high priority and feature development came first). So it's been very gradual. We had very minimal refactoring work to do after updating because our dependencies weren't super-old - so I guess again this could also vary based on your project.
We also had a react-native app that was quite a few years old, and it was quite painful to update. We had a couple of engineers who set aside 25% of their time in a sprint to make the library versions up-to-date and refactor the code wherever necessary. Overall it took about 4 sprints (roughly about 2 months) if my memory serves right.
We follow the same principle as @narrow-judge-33018. 70% of the time it will cause issues with the React Native build, so we update packages only when the update has a feature that we need. For React, it is not a big deal; most of the time it doesn’t require changes in app code.
For React, minor dependencies usually are ok to merge automatically if you have a decent test suite. We do have a list of problematic dependencies which are pinned in package.json & only manually updated.
šŸ‘ 1
w
I try to have a “housekeeping week” every 6 months (for an active application). Mostly dealing with security vulnerabilities, upgrading minor and patch releases from the libraries. For major releases, I mostly tend to upgrade only when required. Doing these tasks daily or weekly is too hectic and slows down the development timeline.
šŸ‘ 1
l
Woah! Thank you so much @narrow-judge-33018, @refined-vr-28621, @ancient-van-29120 and @wonderful-greece-5807. This has been extremely helpful for me. Wanted to gauge if my experience was common across the board for the React ecosystem and it seems it is. We are currently evaluating FE frameworks at work and wanted to factor in this housekeeping to the comparison chart. Thanks again! Really appreciate you guys sharing your feedback. 🙌
I love dependabot
Daily runs on personal repo
Weekly runs on work repos (JS including React.js, Ruby)
Machines doing the work they do best!
If you can’t afford to review/test those PRs, just turn it off
If used correctly you basically get free work done by a bot 🤷‍♂️