# intellij
p
I for one think that mindlessly updating to the latest version is a bad idea. Every new dependency version should be thoroughly tested. The npm default where it automatically bumps to the latest minor version is a source of many bugs because many library maintainers don't understand semver. When I update a library in Maven I do that for a reason after researching and studying the release notes. One-click action would not really save me any time in that process.
💯 4
w
Studying release notes is a good practice, but I also expect libraries to follow SemVer. If I’m bumping a minor or patch version, I expect my code to still work. But then it’s good to have the code tested thoroughly so that if a library changes something in how my app works, I’ll know that. It’s not like there’ll be a “there’s a bug in this version” if something’s broken.
p
I agree. I am also a strong proponent of "if it ain't broken, don't fix it". Unless I need a new feature or there was a security bug, why exactly should I upgrade?
r
I tend to try to keep “Moving Fast” libraries up to date, so that I don’t end up having to update from a very old version to a new one because of a security fix. Only for projects I’m actively working on though. I understand it’s potentially useless but, you know, bad experiences.
m
I’ve always had the experience that frequent incremental updates are better than occasional massive updates. Much easier migrations/transitions! Also lib updates may fix bugs I didn’t even know I had, esp. security. Yes, frequent updates mean a faster way to errors but also a faster way to fixes. Big lib updates/version jumps can cause big changes in my own project, which can cause lots of bugs too. Smaller incremental changes are easier to comprehend. Just like you commit in smaller increments and not in massive multi-feature+bugfix commits. And even (seemingly SemVer-conforming) revision updates can cause unexpected mayhem, as Ktor has shown recently.
p
semver is flawed by design, it's almost impossible to predict what change is still not breaking. Windows is a great example where bugs need to be deliberately kept in the system and sometimes even emulated to allow for compatibility with software that relied on those bugs.
m
Also, ideally there are unit and integration tests in place which should raise issues caused by dependency updates early on.
👍 1
a
Lately I've been having lots of difficulties where we're way behind on versions of a lot of dependencies and it makes upgrading a nightmare because some old deps don't play nice with other new deps etc. So I definitely think you should upgrade decently fast and in small increments. So I think I'd rather have some "mindless" small updates to not fall too far behind.