Jens Oliver Meiert

Why You Absolutely Need to Have Automated Dependency Management in Place

Published on AugĀ 28, 2025, filed under , (feed). (Share this on Mastodon orĀ Bluesky?)

Together with another panda (yes, thatā€™s how we call ourselves at PandaDocā€”join us!Ā šŸ¼), I recently gave an internal presentation about dependency management: ā€œThe joys of dependency management.ā€

Iā€™d love to hold this talk againā€”but, not now. Yet hereā€™s my personal gist, on why as an individual developer and especially as a team we absolutely have to have dependency management in place. We still find too many projects and repositories in which this is being neglected, and that therefore make maintenance unnecessarily risky and difficult.

What Is Dependency Management?

Dependency management is the automated reviewing and updating of software dependencies (e.g., packages), usually by specialized tooling (e.g., Dependabot, Depfu, Renovate).

Why Automated Dependency Management?

Four reasons, together forming an industry best practice:

  1. To mitigate and avoid security risks
  2. To be able to use the most recent features
  3. To avoid manually updating dependencies (which is multiple times more time-consuming)
  4. To keep the probability of dependency hell(s) as low as possible

Dependency Management First Hurts

For any project for which we havenā€™t managed dependencies before, it will hurt. It will hurt the more, the more dependencies there are and the older the project is.

We need to go through this. It sucks, but facing the pain of upgrading dependencies that may come with breaking changes is much more preferable when planned than doing it during a fire (which doesnā€™t have to be as disastrous as the Log4Shell one, having hit those the hardest who didnā€™t manage their dependencies).

Once we worked through all the updates, it will get a lot easier. Patch and minor version updates are in most cases non-breaking indeed. But even major updates donā€™t necessarily need to be breakingā€”depending on the project, that may in fact be the exception.

The most important point is to regularly and reliably handle dependency updatesā€”so we need to prepare to do so when the update requests (PRs/MRs) come in, for which weekly seems to be a good cadence.

_ Dependency management is absolutely crucial from a security, maintenance, and efficiency point of view. As developers, itā€™s in our own best interest to get dependency management tooling into placeā€”and make disciplined use of it.

About Me

Jens Oliver Meiert, on November 9, 2024.

Iā€™m Jens (long: Jens Oliver Meiert), and Iā€™m a web developer, manager, and author. Iā€™ve been working as a technical lead and engineering manager for companies youā€™ve never heard of and companies you use every day, Iā€™m an occasional contributor to web standards (like HTML, CSS, WCAG), and I write and review books for Oā€™Reilly and Frontend Dogma.

I love trying things, not only in web development and engineering management, but also in other areas like philosophy. Here on meiert.com I share some of my experiences and views. (I value you being critical, interpreting charitably, and giving feedback.)