Managing updates safely
Dependabot/Renovate and a patch cadence.
Pinning dependencies creates a tension: pinned versions are reproducible, but frozen versions rot — they accumulate known vulnerabilities as CVEs are disclosed against them. The resolution is not to unpin, but to update deliberately and continuously. Automated update tools (Dependabot, Renovate) watch your locked dependencies, open a pull request when a new version is available, and let your normal review-and-test pipeline vet each bump. You stay pinned and current at the same time.
{"extends": ["config:base"],"packageRules": [{ "matchUpdateTypes": ["patch", "minor"], "automerge": true,"matchCurrentVersion": "!/^0/" }, // auto-merge low-risk patches that pass CI{ "matchUpdateTypes": ["major"], "automerge": false } // majors get human review],"vulnerabilityAlerts": { "labels": ["security"], "automerge": false }}
Separate the security update from the feature update
Treat a security-driven update differently from a routine one. A patch that fixes a known CVE should be fast-tracked — flagged, prioritized, and merged on a short clock, because the window between disclosure and exploitation is measured in days. Routine minor and patch bumps can flow through automatically once CI passes; major version bumps, which carry breaking-change risk, get human review. Encoding these tiers in the update tool means the urgent gets urgency and the routine does not consume attention.
A cadence, not a scramble
The goal is that updating is a steady, boring background process rather than a periodic emergency. Small, frequent, tested updates keep you close to current and make each change low-risk and easy to review; letting dependencies drift for a year turns the eventual update into a massive, scary, breaking migration that gets deferred further — which is exactly how you end up running the version with the famous CVE. A patch cadence is a security control precisely because it keeps you patchable.