Keeping your dependencies current is crucial for the security, health and maintainability of your code base, yet it's so often pushed aside for more visible work. But there is also no value in always being on the very latest versions; you just want your dependencies to stay current. It's called bleeding edge for a reason.
Depfu's new reasonably up-to-date feature "matures" releases before sending you pull requests, while making sure you're never more than 1 month behind.
How does it work?
When a new release comes in, we look at how often this particular library has released in the past and calculate a release frequency. From that we try to predict how likely it is that there will be another release within the next few weeks.
Based on the release frequency we wait anywhere from several days to a whole month before we send you a PR for this version, basically "maturing" the version like a wine. During this time, two things can happen:
- A new version gets released: in this case we supersede the previous version and apply the same maturing algorithm to the new one.
- No new version gets released: if we have waited the designated time and no new version has appeared, we finally send you the PR.
If the new version always gets superseded (for example, some libraries release daily), we make sure to send you a PR at least every month, incorporating all versions released in the past month up to the newest one.
This way we ensure all your dependencies are within 1 month of the latest version, while letting you bundle up releases, which significantly reduces the number of PRs you get, especially for libraries that release very often.
For libraries that release very rarely you still get the same number of PRs, just a little later than the version was released. This also avoids sending you PRs for the common pattern of quick bugfix releases right after a major new version, making sure you get the most stable version.
Security releases will be sent to you as soon as possible, skipping the reasonably up-to-date strategy.
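The whole strategy, written out as a small simulation so the supersede, monthly-cap and security-bypass rules can be seen interacting. This is an added example, not Depfu's code; the post only says the wait runs from "several days to a whole month", so the concrete mapping (wait as long as the mean gap between past releases, clamped to 3..30 days) and the choice to fold already-pending versions into a security PR are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

MAX_WAIT = timedelta(days=30)  # never more than a month behind
MIN_WAIT = timedelta(days=3)   # assumed lower bound for "several days"


def maturing_period(past_releases: list[date]) -> timedelta:
    """Wait time derived from the release frequency.
    ASSUMPTION: wait as long as the mean gap between past releases, clamped
    to [MIN_WAIT, MAX_WAIT]; with fewer than two past releases no frequency
    can be estimated, so the full MAX_WAIT is used."""
    if len(past_releases) < 2:
        return MAX_WAIT
    dates = sorted(past_releases)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return max(MIN_WAIT, min(MAX_WAIT, timedelta(days=mean(gaps))))


@dataclass
class PendingUpdate:
    versions: list[str]  # every release bundled into the upcoming PR, oldest first
    send_on: date        # when the PR goes out unless it is superseded first
    deadline: date       # hard cap: first bundled release + MAX_WAIT


def on_release(pending, version, released, past_releases, security=False):
    """Apply the maturing rule to one incoming release.
    Returns (pending_update_or_None, versions_to_send_now_or_None)."""
    if security:
        # security releases skip the strategy; pending versions ride along (assumption)
        bundled = (pending.versions if pending else []) + [version]
        return None, bundled
    wait = maturing_period(past_releases)
    if pending is None:
        return PendingUpdate([version], released + wait, released + MAX_WAIT), None
    # supersede: restart maturing for the newer version, but never past the deadline
    pending.versions.append(version)
    pending.send_on = min(released + wait, pending.deadline)
    return pending, None


def due(pending, today):
    """Versions for the PR to send today, or None if we are still waiting."""
    if pending and today >= pending.send_on:
        return pending.versions
    return None
```

Feeding a daily-releasing library through on_release day after day shows the PR only leaving on the 30-day deadline with all superseded versions bundled, while a rarely-releasing library waits the full month for a single version.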