Skip to content

Dependency Management

Jesse edited this page Nov 30, 2025 · 3 revisions

Managing dependencies is essential for keeping projects stable, secure, and maintainable.
This page explains how to safely upgrade packages, audit for vulnerabilities, track changes, and prevent breaking updates β€” all without introducing instability into shared repos.


πŸ” Quick Navigation


How to Audit Dependencies

Expand Dependency Audit Methods

Use dependency audit tools to check for vulnerabilities, outdated libraries, or deprecated packages.

Recommended Tools & Commands

Tool Usage
npm audit Detect known security vulnerabilities
npm outdated Lists packages behind latest version
npm-check-updates (ncu) Displays upgrade options interactively
Dependabot Alerts Built into GitHub repositories

Goal: Identify issues early β€” before they affect production.

When to Run Audits

Frequency Why
Weekly Stay ahead of security patches
Before major feature work Prevent compounding conflicts
Before new release Ensure production stability

Keeping Libraries Updated

Expand Upgrade Procedures

Keeping dependencies modern prevents security risk + tech debt.
Updates should be done carefully and incrementally.

Update Workflow

  1. Identify outdated packages
  2. Upgrade one at a time (or a safe related set)
  3. Test locally + run full suite
  4. Document version changes
  5. Fix conflicts before upgrading more

NEVER bulk-upgrade a full project at once

You lose traceability β€” and debugging becomes painful.


Understanding Vulnerability Alerts

Expand Alert Handling & Action Steps

GitHub may warn about:

  • High-risk dependency CVEs
  • Supply chain attacks
  • Outdated or abandoned packages
  • Licence conflict / compliance issues

Response Priorities

Severity Action
Critical Patch or upgrade immediately
High Upgrade within sprint cycle
Medium/Low Schedule for standard update cycle

If a vulnerability cannot be resolved β†’ document why and propose path forward.


Guidelines for Node & Package Upgrades

Rollout Strategy for Safe Upgrades

Follow this upgrade order every time:

  1. Upgrade Node.js first β†’ Latest stable LTS
  2. Update dependencies gradually β€” do not rush
  3. Review major version release notes before upgrading
  4. If something breaks β†’ revert changes and isolate cause
  5. Test incrementally (unit + integration)

Full breakdown + logic pulled from practicum standards below:

  • Always upgrade Node.js first
  • Perform incremental updates
  • Use the official template to track progress
  • Test early + often
  • Document all changes
  • Track compatibility + release notes

Dependency Upgrade Template


This template is not mandatory, but meant to help guide you on your journey of updating packages. A good reference to use if you are unsure of steps to take or what you are looking for. You can download the Google Doc and fill it out locally or just use it as reference, you’re choice.

Click to Expand Template

Package / Dependency Upgrade Template

https://docs.google.com/document/d/1COc9Xr2deF32-Mz9V9qaf0S022Z4OP-AjcDft69G4pU/edit?usp=sharing


Best Practices

General Dependency Management Rules

1. Understanding Version Symbols in package.json

When managing packages, these symbols control how much flexibility npm has when installing versions:

Symbol Meaning Example Installs Use Case
^ Allows minor & patch updates automatically ^4.17.0 β†’ 4.18.x, 4.19.x Default for most development β€” keeps packages modern
~ Allows patch updates only, no minor upgrades ~4.17.0 β†’ 4.17.1, 4.17.2 When you want stability, but still want bugfix releases
(No symbol β€” pinned version) Version is fully locked β€” no updates unless manually changed 4.17.0 stays exactly 4.17.0 Best for debugging, migrations, high-risk upgrades

Interpretation Summary

Stability Flexibility Symbol
Most stable β€” never auto updates Manual upgrades only No symbol / pinned
Safe-ish β€” only patch fixes No new features ~
Most flexible β€” minor + patch auto updates Feature updates included ^

Recommendation

Use ^ during normal development.
Use ~ when risk of breaking changes increases.
Use no symbol when debugging, refactoring, or locking down a production build.


2. Consistency Across Teams

  • All developers must use same Node.js LTS
  • Changelogs must reflect version history
  • PRs should be clear + upgrade-focused

3. Communication

  • Create one PR per upgrade or small group upgrade
  • Include summary, changed packages, test results, and expected impact
  • Reference relevant release notes

Handling Issues & Compatibility

When Updates Break the Build
  1. Run tests immediately after each upgrade
  2. Check peer-dependency compatibility
  3. Revert if unresolved within reasonable timeframe
  4. Document fallbacks + retry later with more data

Updating Change Log

Version Tracking & Release Notes
  1. Document all changes at end of each sprint
  2. Include version jumps, conflicts & resolutions
  3. Use GitHub Release automations when possible
    https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes

Clone this wiki locally