[toomuchtodo]

Depends on your risk tolerance. At a bare minimum you should have tests as part of your project and CI for detecting breaking changes from version bumps, with validating deploys to dev environments, and possibly human review of changes before deploys to prod.

[jiayo]

Another thing to consider is malicious packages being published. In the Node ecosystem, the last few times this has happened, the community reacts quickly with a speedy (<12h) un-publish, and the whole incident might be over before your development team wakes up in the morning. However, if you immediately and automatically build every single dependency upgrade on your CI systems, you are dramatically increasing your exposure.

It's important to ensure your CI systems do not hold any important credentials, and are decoupled from your deployments. In a setup like this, at best, your source code may be stolen by one of these malicious packages. At worst, it will scrape for goodies such as `AWS_SECRET_ACCESS_KEY`.