Lucas

Reputation: 3471

Why keep project dependencies current?

I've seen https://david-dm.org/ tags on GitHub repos, and I noticed some of my projects have really out-of-date dependencies, but technically my code is fine without updating. What are some solid reasons for keeping your dependencies current?

Upvotes: 2

Views: 61

Answers (3)

Daniele Torino

Reputation: 1812

Using old dependencies is usually fine (except of course for security flaws).

The big problem is that if you should ever require a feature from a newer version, you will have to update. At that point it can be very tedious to update, especially if the changes between the versions are substantial.

Also, you might have other dependencies that depend on the dependency you have updated and will need to update them as well.

It's usually easier to keep the project up to date (unit tests help a lot). So in my opinion you need to consider if you want to add new features.

Upvotes: 2

Lix

Reputation: 47976

The fact that your code is (still) running and working as expected doesn't mean that security flaws discovered after your deployment don't affect your system.

You could ask the same thing about any update to your operating system - "It still works, so why should I install the latest updates?".

You need to update your software in order to stay in the loop with regard to bug fixes/security issues related to the software versions you are using (and depending on).


For some recent (serious) examples, take a look at these:

These bugs wouldn't affect the functionality of your system - but you would still be vulnerable to attacks.

If you need only one "solid reason" I would go for patching security flaws.

Upvotes: 3

Matthijn

Reputation: 3234

In cases like an ORM, for instance, there could be the possibility that there is a bug that could lead to malicious data being used to attack your database system. So security could be a reason.

It really depends on the dependency. Performance could be another reason.

Upvotes: 1
