Tracking dependency updates

Many software projects use third-party libraries, aka “dependencies”. You usually want to use the most recent version of these dependencies, but how do you know when a new release of a dependency is published? The more dependencies your project has, the more tiresome a manual approach to “tracking dependency updates” becomes.

In this post I explore some solutions that track dependency updates for you. I cover broad solutions (libraries.io and Dependabot) and Java-only solutions (“artifact listener” and a Gradle/Maven plugin).

Why update?

But why do we want to update dependencies at all?

A new version of a dependency

  • may fix bugs that affect your project
  • may introduce new features that you could use
  • may fix a security issue that affects your project
  • may have other optimizations to the code

Of course there is a risk as well: a new version may introduce a bug that affects your project. Plus, there might be API changes that require changes in your code.

Tracking solutions

Libraries.io

In their own words:

Libraries.io can automatically keep track of all of the packages that your repositories depend upon across many different package managers.

Once synced, Libraries.io will email you about new versions of your dependencies; if you add or remove a dependency, it will change the notification settings for that package as soon as you push to your repositories.

Repositories on GitHub, GitLab and Bitbucket are supported. Plus, you can subscribe to dependencies manually, i.e. without a repository on any of these platforms.

Besides email notifications you can also subscribe to an RSS feed of your dependency updates.

Libraries.io is an open source project.

artifact listener

Artifact Listener is a small service and is only available for Java / Maven Central. You can search for libraries and “follow” them. Alternatively you can upload a POM and then choose which dependencies to follow. Updates of libraries you follow are emailed to you.

You can provide additional email addresses to notify, e.g. the email addresses of other team members. This is a small but lovely feature for me.

The service is an open source project.

Dependabot

Dependabot checks the “dependency files” (where your dependencies are defined) in your GitHub repos for updates. If there is an update it creates a PR for it. The PR may contain links, release notes, a list of commits etc.

So this service not only notifies you about an update but even creates a PR that applies it. You just have to merge it (at least if your project is on GitHub).

Dependabot has been acquired by GitHub and is free of charge.

Gradle plugin

If you are using Gradle (a Java build system) to declare dependencies and build your project, you can use the Gradle versions plugin to detect dependency updates and report them. It is easy to use; you just need to execute it on a regular basis.
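To show what “easy to use” looks like in practice, here is a minimal build.gradle that wires up the Gradle versions plugin. This is an added example written for this post, not code from the post’s author or from the plugin project. The plugin id (com.github.ben-manes.versions) and the task name dependencyUpdates are the plugin’s real ones; the plugin version and the deliberately old jackson-databind version are assumed values chosen so that the report has something to show, and the isNonStable filter is an assumption about which version strings you consider releases.

```groovy
// build.gradle (added example, not from the original post)
plugins {
    id 'java'
    // assumed plugin version; substitute the current one from the Gradle plugin portal
    id 'com.github.ben-manes.versions' version '0.51.0'
}

repositories {
    mavenCentral()
}

dependencies {
    // intentionally old version (assumed sample) so the report lists an update
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.0'
}

// Heuristic: a version is "stable" if it carries a typical release marker
// or consists only of digits, dots and dashes; alpha/beta/rc/snapshot are not.
def isNonStable = { String version ->
    def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { version.toUpperCase().contains(it) }
    def regex = /^[0-9,.v-]+(-r)?$/
    return !stableKeyword && !(version ==~ regex)
}

tasks.named('dependencyUpdates').configure {
    // Only propose stable releases, unless the project already uses a pre-release
    rejectVersionIf {
        isNonStable(it.candidate.version) && !isNonStable(it.currentVersion)
    }
    checkForGradleUpdate = true
    // Write both a human-readable and a machine-readable report under build/
    outputFormatter = 'json,plain'
    outputDir = 'build/dependencyUpdates'
    reportfileName = 'report'
}
```

Run it with ./gradlew dependencyUpdates; the plain report lists every dependency with a newer stable version, and the JSON report is what you would feed into a scheduled CI job so that “execute it on a regular basis” does not depend on someone remembering to do it.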

Maven plugin

Of course, there is a similar plugin for Maven (another Java build system).

Becoming a better programmer

Henry Stanley wrote a blog post “Becoming a dramatically better programmer“. He outlines areas that programmers who want to get better can focus on: learning skills directly on the one side and learning meta-skills on the other. The meta-skills are: learn about “deliberate practice” (do things that challenge you and get feedback), identify common mistakes you make, and learn to do deep work (focus on work with no distractions).

My suggestion for deliberate practice is sites like CodeWars, where you can solve exercises (“katas”) in a couple of programming languages. It is challenging (CodeWars has martial-arts-like grades of mastery), and you get feedback by being able to look at solutions by other users and compare them to your own.

GOTO Berlin 2017

I spent the last two days at the GOTO Berlin 2017 conference. It’s a conference “by developers for developers”. Three out of four keynote speakers were women (last year four out of four); I got the impression that inclusiveness is an important part of the conference. There seem to be more female attendees than at other tech conferences.

I enjoyed the conference: the keynotes, the talks, the food and the beverages, the people.

The first keynote on Thursday was held by Anita Sengupta about “The future of Mars exploration“. In the first part, she focused on the Curiosity mission. She developed the parachute that was used during the descent on Mars. Cool. Prof. Sengupta showed us some actual video footage from the mission. In the second part of her talk she talked about the challenges that a human mission to Mars would face, especially radiation.

The evening keynote on Thursday, “Number crush”, was held by Hannah Fry. She showcased some interesting data on human (and cow) behaviour. It’s hard to summarize her talk in a few sentences. Make sure to check out her website.

Raffaello D’Andrea held the morning keynote on Friday on autonomous drones. He was part of Kiva Systems, a company that built robots that bring items in a warehouse to human packers. It was acquired by Amazon, which uses this technology in its warehouses. It’s astonishing to see all these robots moving around, bringing items from A to B. The main theme was the autonomous drones D’Andrea developed in a company called Verity Studios. They are used on Broadway and in Metallica concerts. Key concerns for him are safety (no drone is going to crash) and reliability. Very impressive!!!

Susan Landau held the evening keynote on Friday on “Cybersecurity in an Insecure Age“. She talked about end-to-end encryption and locked phones. A thing that was new to me is “tainted leaks”, where documents from “a target” are stolen, tampered with and then “leaked” in order to discredit the target and generally generate mistrust.

Attendee Joy Clark did some cool sketch notes of the keynotes and some talks.

I especially enjoyed the talks by Dan North (“How to break the rules” and “Agile revisited“), Gregor Hohpe (“Adopting DevOps? You are Aiming at the Wrong Target!” and “Enterprise Architecture = Architecting the Enterprise?“), Steve Smith (“Measuring Continuous Delivery“) and Adam Tornhill (“A Crystal Ball to Prioritize Technical Debt“).