TL;DR See attached Twitter thread
Software developers love package management systems! They provide a simple gateway for importing thousands of free third-party libraries into your code. What is not free is the maintenance of those third-party libraries: you have to keep up with news about each library (also known as a dependency), such as security fixes and performance bugs. This is challenging because we never depend on just one library but on a small network of them, including the transitive dependencies our direct dependencies pull in. As a solution, several services on GitHub, such as Dependabot, Renovate, and Depfu, automate this tedious task for you by opening pull requests that bump dependencies to newer versions. This is great! However, in this talk I will explain the problems with trusting automated dependency updating services, and present a solution that can mitigate some of those problems.