by esafak 482 days ago
GitHub is looking to add this feature to dependabot: https://github.com/dependabot/dependabot-core/issues/3651
2 comments

Being so deep into dependencies that you have to find more dependencies and features to make your dependency less of a clusterfuck is sad.
Are you referring to dependabot? You are free to update your dependencies manually.
In theory, that works; in practice, nope. You get a random update with a possible bug inside that is only fixed by a new version that you won't get until later. The other strategy is to wait for a package to be fully stable (no update), and in that case, some packages that receive daily/weekly updates are never updated.
It does help, because major version updates are more likely to cause breakage than minor ones, so you benefit if you wait for a few minor version updates. That is not to say minor versions can't introduce bugs.

Windows is a well-known example; people used to wait for a service pack or two before upgrading.

We could even wait for a patch version, or for the minor to have been out a certain amount of time. For a major, I'd wait even longer, and potentially for a second patch.
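The waiting policy sketched in the comments above (take a patch quickly, let a minor age for a while, and for a major wait longer and only accept it once a follow-up patch exists) can be expressed as a small gate that runs before an update PR is opened. The script below is an added illustration, not dependabot's code or anything from the linked issue; the cooldown lengths, the `Release` record and the sample version history are constructed assumptions.

```python
"""Added example: a minimum-age ("cooldown") gate for dependency updates.

Hypothetical helper, not dependabot's implementation. Given a package's
published versions and today's date, pick the newest version that has been
out long enough, with a longer cooldown for larger semver bumps, and refuse
the x.0.0 of a new major until a patch release of that major exists.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: tuple          # (major, minor, patch)
    published: date


# Assumed policy: minimum days a release must be public before we adopt it.
COOLDOWN_DAYS = {"patch": 3, "minor": 14, "major": 45}


def parse_version(text: str) -> tuple:
    """Parse a strict x.y.z version (optional leading 'v') into an int tuple."""
    parts = text.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver x.y.z version: {text!r}")
    return tuple(int(p) for p in parts)


def bump_kind(current: tuple, candidate: tuple) -> str:
    """Classify the jump from the installed version to a candidate."""
    if candidate[0] != current[0]:
        return "major"
    if candidate[1] != current[1]:
        return "minor"
    return "patch"


def eligible_update(current: str, releases: list, today: date):
    """Return the newest Release that passes the cooldown policy, or None."""
    cur = parse_version(current)
    newer = sorted((r for r in releases if r.version > cur),
                   key=lambda r: r.version)
    chosen = None
    for rel in newer:
        kind = bump_kind(cur, rel.version)
        age_days = (today - rel.published).days
        if age_days < COOLDOWN_DAYS[kind]:
            continue                      # too fresh for this bump size
        if kind == "major" and rel.version[2] == 0:
            continue                      # wait for the first patch of a new major
        chosen = rel                      # later eligible versions override earlier ones
    return chosen


# Constructed sample history for an imaginary package; installed version is 2.3.1.
CURRENT_VERSION = "2.3.1"
SAMPLE_RELEASES = [
    Release((2, 3, 2), date(2024, 6, 1)),
    Release((2, 4, 0), date(2024, 6, 10)),
    Release((2, 4, 1), date(2024, 6, 20)),
    Release((3, 0, 0), date(2024, 5, 1)),
    Release((3, 0, 1), date(2024, 5, 20)),
]


def pick_for(today_iso: str, current: str = CURRENT_VERSION) -> str:
    """Convenience wrapper: version string chosen for a given date, or None."""
    rel = eligible_update(current, SAMPLE_RELEASES, date.fromisoformat(today_iso))
    return ".".join(map(str, rel.version)) if rel else None


if __name__ == "__main__":
    # On 2024-06-24: 2.4.1 is only 4 days old and 3.0.1 is 35 days old, so 2.4.0 wins.
    print(pick_for("2024-06-24"))
    # On 2024-08-01: 3.0.1 has aged past the major cooldown and is a patch, so it wins.
    print(pick_for("2024-08-01"))
```

The gate deliberately picks the newest version that clears the policy rather than the first one, so a patch that is too fresh does not block an older, already-aged minor on the same line.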
And then they went towards a more evergreen update strategy, causing some major outages when some releases caused issues.

I mean evergreen releases make sense imo, as the overhead of maintaining older versions for a long time is huge, but you need to have canary releases, monitoring, and gradual rollout plans; for something like Windows, this should be done with a lot of care. Even a 1% release rate will affect hundreds of thousands if not millions of systems.