by dynamite-ready 1593 days ago
This does sound interesting. Regarding the idea of constantly updating dependencies automatically, I've heard of Dependabot, and haven't used it much myself, but isn't there a danger with an automatic update breaking things in production without supervision?

I'd guess I'm missing something in that question?

3 comments

Depends on your risk tolerance. At a bare minimum you should have tests as part of your project and CI for detecting breaking changes from version bumps, with validating deploys to dev environments, and possibly human review of changes before deploys to prod.
Another thing to consider is malicious packages being published. In the Node ecosystem, the last few times this has happened, the community reacts quickly with a speedy (<12h) un-publish, and the whole incident might be over before your development team wakes up in the morning. However, if you immediately and automatically build every single dependency upgrade on your CI systems, you are dramatically increasing your exposure.

It's important to ensure your CI systems do not hold any important credentials, and are decoupled from your deployments. In a setup like this, at best, your source code may be stolen by one of these malicious packages. At worst, it will scrape for goodies such as `AWS_SECRET_ACCESS_KEY`.
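The two checks the comment above argues for (a CI job that holds no credentials, and not blindly running whatever a freshly bumped dependency ships) can be made mechanical. The script below is an added example, not code from the thread or from Dependabot: it scans a job's environment for credential-looking variable names, lists the npm lifecycle hooks (`preinstall`, `install`, `postinstall`) that a dependency's `package.json` would execute on install, and refuses the build if either turns something up. The environment dump, the package name `left-pad-but-evil` and its `package.json` are all constructed for the example.

```python
import json
import re
from pathlib import Path

# Constructed sample of a CI job's environment (not a real dump; the values are placeholders).
SAMPLE_CI_ENV = {
    "CI": "true",
    "NODE_ENV": "test",
    "HOME": "/home/runner",
    "GITHUB_SHA": "deadbeef",
    "AWS_SECRET_ACCESS_KEY": "example-not-a-real-key",
    "NPM_TOKEN": "example-not-a-real-token",
}

# Constructed package.json for a hypothetical malicious dependency.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "left-pad-but-evil",          # hypothetical name, not a real package
    "version": "1.0.1",
    "scripts": {
        "preinstall": "node ./collect-env.js",   # runs before the package is even unpacked
        "test": "jest",
    },
})

# Substrings that credential-scraping install scripts typically grep for.
SECRET_NAME_RE = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY", re.IGNORECASE
)

# npm runs these hooks for every dependency on `npm install`; `--ignore-scripts` skips them.
DEPENDENCY_INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_secret_env(env, allowlist=()):
    """Return the names of env vars that look like credentials and are not allowlisted."""
    return sorted(
        name for name in env
        if name not in allowlist and SECRET_NAME_RE.search(name)
    )


def install_hooks(package_json_text):
    """Return the lifecycle scripts in a package.json that execute during dependency install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: scripts[hook] for hook in DEPENDENCY_INSTALL_HOOKS if hook in scripts}


def scan_node_modules(root):
    """Yield (package name, hooks) for every installed package under `root` that has install hooks."""
    for manifest in Path(root).rglob("package.json"):
        text = manifest.read_text(encoding="utf-8")
        hooks = install_hooks(text)
        if hooks:
            yield json.loads(text).get("name", str(manifest)), hooks


def ci_build_gate(env, package_json_texts):
    """Decide whether a dependency-bump build may proceed.

    Returns (ok, findings). The build is refused if the job environment carries
    credentials (nothing for a malicious package to steal) or if any bumped
    dependency wants to run code at install time (review it by hand first).
    """
    findings = [f"credential present in CI environment: {name}" for name in find_secret_env(env)]
    for text in package_json_texts:
        pkg_name = json.loads(text).get("name", "?")
        for hook, cmd in install_hooks(text).items():
            findings.append(f"{pkg_name} runs {hook}: {cmd}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = ci_build_gate(SAMPLE_CI_ENV, [SAMPLE_PACKAGE_JSON])
    print("build allowed" if ok else "build refused")
    for line in findings:
        print(" -", line)
```

In a real pipeline the environment would come from `os.environ` and the manifests from `scan_node_modules("node_modules")` after an `npm ci --ignore-scripts`; the point of the gate is that a credential-free build job has nothing worth scraping, and a dependency that wants to run code at install time is flagged for a human rather than executed automatically.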

Yes, an automatic update can break things. Personally, I am happy to have minor version updates be applied automatically if my test suite passes. For anything larger, I at least review the changelog to make sure there aren't any obvious breaking changes and then if the tests pass, I go ahead and deploy.
You need very good tests in place to automatically change something or a lot of trust in your dependencies :P.

It's not the case on most of my projects, so I never commit directly to the main branch; instead I commit to a temporary branch, then open a PR on GitHub so we can review and merge the changes.