Why You Absolutely Need to Have Automated Dependency Management in Place
Published on Aug 28, 2025, filed under development, maintainability (feed).
Together with another panda (yes, that's how we call ourselves at PandaDoc; join us! 🐼), I recently gave an internal presentation about dependency management: "The joys of dependency management."
I'd love to hold this talk again, but not now. Yet here's my personal gist on why, as an individual developer and especially as a team, we absolutely have to have dependency management in place. We still find too many projects and repositories in which this is neglected, which makes their maintenance unnecessarily risky and difficult.
What Is Dependency Management?
Dependency management is the automated reviewing and updating of software dependencies (e.g., packages), usually by specialized tooling (e.g., Dependabot, Depfu, Renovate).
Why Automated Dependency Management?
Four reasons, together forming an industry best practice:
- To mitigate and avoid security risks
- To be able to use the most recent features
- To avoid manually updating dependencies (which is multiple times more time-consuming)
- To keep the probability of dependency hell(s) as low as possible
Dependency Management First Hurts
For any project in which we haven't managed dependencies before, it will hurt. The more dependencies there are and the older the project is, the more it will hurt.
We need to go through this. It sucks, but facing the pain of upgrading dependencies that may come with breaking changes is far preferable when planned than when done during a fire (which doesn't have to be as disastrous as Log4Shell, which hit those the hardest who didn't manage their dependencies).
Once we have worked through all the updates, it gets a lot easier. Patch and minor version updates are in most cases non-breaking indeed. But even major updates don't necessarily need to be breaking; depending on the project, that may in fact be the exception.
The most important point is to handle dependency updates regularly and reliably, so we need to be prepared to do so when the update requests (PRs/MRs) come in, for which weekly seems to be a good cadence.
Dependency management is absolutely crucial from a security, maintenance, and efficiency point of view. As developers, it's in our own best interest to get dependency management tooling into place, and to make disciplined use of it.
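As an added example (not from the post or from PandaDoc), here is a Dependabot configuration that puts the weekly cadence into practice. It assumes an npm project with its manifest at the repository root; minor and patch updates, which are usually non-breaking, are grouped into a single PR so they can be reviewed and merged together, while major updates still arrive as individual PRs that get their own attention.

```yaml
# .github/dependabot.yml (example; ecosystem and directory are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"   # assumed: adjust to pip, gomod, maven, ...
    directory: "/"             # assumed: location of package.json
    schedule:
      interval: "weekly"       # the cadence suggested in the post
      day: "monday"            # PRs land at the start of the week
    # Cap open PRs so the queue stays reviewable rather than overwhelming.
    open-pull-requests-limit: 10
    groups:
      # One PR per week for all minor and patch bumps; majors stay separate.
      minor-and-patch:
        applies-to: "version-updates"
        update-types:
          - "minor"
          - "patch"
```

Security updates are raised by Dependabot independently of this schedule as soon as an advisory matches a dependency, so the weekly window covers routine maintenance while urgent fixes still arrive immediately.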
About Me
I'm Jens (long: Jens Oliver Meiert), and I'm a web developer, manager, and author. I've been working as a technical lead and engineering manager for companies you've never heard of and companies you use every day, I'm an occasional contributor to web standards (like HTML, CSS, WCAG), and I write and review books for O'Reilly and Frontend Dogma.
I love trying things, not only in web development and engineering management, but also in other areas like philosophy. Here on meiert.com I share some of my experiences and views. (I value you being critical, interpreting charitably, and giving feedback.)