Let’s face it, sometimes the number of pull requests you get from Depfu, or from automated dependency updates in general, can get a bit overwhelming and annoying. This is especially true on projects with a large number of dependencies, and especially in the JS ecosystem, which moves quite fast.

There are a few patterns we’ve seen happening over and over again:

  • Stabilization releases: A new version (often a major release) is followed by at least one, sometimes several bugfix releases within hours as people discover critical bugs with the new version. These cause a lot of churn and noise in your PRs and notifications.
  • High frequency packages: Some libraries just release new versions very often. There are libraries like the AWS SDKs that auto-release daily, and there are libraries that release several new versions within a month regularly.

It’s called bleeding edge for a reason

Depfu now supports a new update strategy called “reasonably up-to-date”. There is a lot of value in keeping your dependencies up-to-date, but there is very little value in being on every single latest version; you just want your dependencies to stay current. It’s called bleeding edge for a reason.

Depfu’s new reasonably up-to-date feature “matures” releases before sending you pull requests, while making sure you’re never more than 1 month behind.

How does it work?

When a new release comes in, we take a look at how often this particular library has released new versions in the past and calculate a release frequency. From that we try to predict how likely it is that there will be another release within the next few weeks.

Based on the release frequency we wait anywhere from several days to a whole month before we send you a PR for this version, basically “maturing” the version like a cheese or a wine. During this time one of two things can happen:

  • A new version gets released: In this case we supersede the previous version and apply the same maturing algorithm to the new version.
  • No new version gets released: If we waited the designated time and there was no new version, we finally send you the PR.

If the new version always gets superseded (for example, some libraries release daily), we make sure to send you a PR at least every month, incorporating all versions released in the past month up to the newest one. This way we ensure all your dependencies are on a version that is never older than 1 month.

Security releases are sent to you as soon as possible, skipping the reasonably up-to-date strategy entirely.

For libraries that release very often, this reduces the number of PRs you get significantly. For libraries that release very rarely, you still get the same number of PRs, just a little later than when the version was released.
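To make the maturing strategy concrete, here is a small simulation of the scheduling logic described above. This is an added example, not Depfu’s own code: the post only says the wait is “several days to a whole month” and depends on release frequency, so the exact mapping (3 to 30 days, scaling with the number of releases in the last 90 days and saturating at 4 per month), the 90-day frequency window and the three constructed release histories are assumptions made for the illustration. It replays each library’s releases day by day and records which PR would be opened on which day and why (matured, monthly cap, or security).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed parameters (the post states only "several days to a whole month").
MIN_DELAY_DAYS = 3
MAX_DELAY_DAYS = 30
FREQUENCY_WINDOW_DAYS = 90
SATURATION_RELEASES = 12   # 4 releases/month over the window => full MAX_DELAY


@dataclass(frozen=True)
class Release:
    day: date
    version: str
    security: bool = False


@dataclass(frozen=True)
class PullRequest:
    day: date
    version: str
    reason: str   # "matured", "monthly cap" or "security"


def maturation_delay(history, now):
    """Assumed mapping: the more releases in the recent window, the longer we wait,
    clamped between MIN_DELAY_DAYS and MAX_DELAY_DAYS. Integer arithmetic keeps it deterministic."""
    window_start = now - timedelta(days=FREQUENCY_WINDOW_DAYS)
    recent = sum(1 for d in history if window_start < d <= now)
    scaled = min(recent, SATURATION_RELEASES)
    days = MIN_DELAY_DAYS + (MAX_DELAY_DAYS - MIN_DELAY_DAYS) * scaled // SATURATION_RELEASES
    return timedelta(days=days)


def schedule_prs(releases, start, end):
    """Replay releases from start to end (inclusive) and return the PRs that would be opened."""
    releases = sorted(releases, key=lambda r: r.day)
    history = []            # dates of all releases seen so far (for the frequency estimate)
    pending = None          # (Release, due date) for the version currently maturing
    waiting_since = None    # day the first un-shipped release arrived since the last PR
    prs = []
    day = start
    while day <= end:
        for rel in (r for r in releases if r.day == day):
            history.append(rel.day)
            if rel.security:
                # Security releases skip maturing; the newest version supersedes anything pending.
                prs.append(PullRequest(day, rel.version, "security"))
                pending, waiting_since = None, None
                continue
            if waiting_since is None:
                waiting_since = day
            # A new version supersedes the pending one and gets its own maturing period.
            pending = (rel, day + maturation_delay(history, day))
        if pending is not None:
            rel, due = pending
            if day - waiting_since >= timedelta(days=MAX_DELAY_DAYS):
                prs.append(PullRequest(day, rel.version, "monthly cap"))   # never > 1 month behind
                pending, waiting_since = None, None
            elif day >= due:
                prs.append(PullRequest(day, rel.version, "matured"))
                pending, waiting_since = None, None
        day += timedelta(days=1)
    return prs


def day(n):
    """Day n of a constructed calendar starting on 2024-01-01."""
    return date(2024, 1, 1) + timedelta(days=n - 1)


# Constructed release histories (not real package data).
STABILIZATION_RELEASES = [   # a major release followed by quick bugfix releases
    Release(day(1), "2.0.0"), Release(day(1), "2.0.1"),
    Release(day(2), "2.0.2"), Release(day(3), "2.0.3"),
]
DAILY_RELEASES = [Release(day(n), f"v{n}") for n in range(1, 91)]   # auto-released daily
SECURITY_RELEASES = [
    Release(day(2), "1.4.0"),
    Release(day(4), "1.4.1", security=True),
    Release(day(20), "1.5.0"),
]

if __name__ == "__main__":
    for name, rels, end in [("stabilization", STABILIZATION_RELEASES, day(40)),
                            ("daily", DAILY_RELEASES, day(90)),
                            ("security", SECURITY_RELEASES, day(40))]:
        prs = schedule_prs(rels, day(1), end)
        print(f"{name}: {len(rels)} releases -> {len(prs)} PRs")
        for pr in prs:
            print(f"  {pr.day} {pr.version} ({pr.reason})")
```

With these assumptions the four stabilization releases collapse into a single PR for 2.0.3 on day 15, the ninety daily releases produce just two PRs (on days 31 and 62, each forced by the monthly cap), and the security release on day 4 ships the same day while the ordinary 1.5.0 release still matures. The one caveat worth keeping in mind when reading the real feature this way: a superseded pending version is only ever replaced by a newer one, so the PR you eventually get always targets the newest version, never an intermediate one.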

We have data

We’ve been testing this for several weeks now with a few customers and have seen reductions of up to 50% in the number of pull requests, sometimes more, sometimes less.

Christian, one of the beta testers, had this to say:

The “maturing” feature on Depfu really works well. The number of updates is easier to cope with now and we are still very much up to date. The most frustrating thing before was those patch PRs, where you got one each day as they were fixing various bugs. That was a bit annoying.

Try it out

You can enable this new strategy in the settings for your repo; it is disabled by default.

We would love for you to give it a try and help us make it even better. If you run into any issues or have feedback, please let us know on Twitter or via email.