Angry Universe

The universe is out to get you (and how to fight back)

Jun 03, 2024

I recently had a highly productive day.

I built a lot of things for a client.  It was one of those days where you feel accomplished - holy cow - this was a very good day.

At the end of the day, I noticed that dependabot was turned off.

That’s the little GitHub thing that opens pull requests to update your libraries when they need security patches.

So I turned dependabot on.  It was a couple of checkboxes and a small PR to set the schedule and specify “npm” as the ecosystem.

Then it struck me.  

This was probably the most consequential thing I did for this project that day, maybe even for the whole month.

Nah - you say. That’s ridiculous. 

Sure, dependabot is a good thing, but is it really the most consequential thing you could do?

Yes! 

Having your libraries periodically brought up to speed, from now till the end of time, was probably adding more value than whatever features or other code I wrote that day.  

Features will be used, sure, but the one gift that will keep giving is dependabot.

It sits there and hums along, shoving everything forward.  

Let your libraries atrophy - very bad things happen.

  • CVEs.  Do I need to say more here?
  • Then, before you know it, something breaks, and you have to upgrade all 100 of your dependencies at once. That never ends well.
  • Sometimes, you find out that this service you had not deployed in a few months does not deploy anymore.  As luck would have it, you usually find this out during an outage.
  • If you’re lucky and try to catch up with the backlog, you try to upgrade one or two at a time:  Oh crap - that one has breaking changes, but to pull it in, we also have to pull in this one, which also has breaking changes, and so on.  Ouch, back to a big bang upgrade.
  • Then there is the one with only a minor version bump that still had breaking changes.  Not cool.

Doing a few every day gives you much better outcomes.

  • If you break something, it’s straightforward to pinpoint it and roll it back.
  • You can explicitly choose how aggressively you want to be with upgrades.
  • You can be using the newest and best features at all times.
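Here is what that small PR can look like, as an added example rather than the post's own file: a `.github/dependabot.yml` for the npm ecosystem that sets the "a few every day" cadence and the "how aggressive" knob described in the list above. It assumes a single `package.json` at the repository root; the time zone and labels are placeholders.

```yaml
# .github/dependabot.yml  (example; assumes package.json at the repo root)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"            # a few small upgrades every day, not a big-bang catch-up
      time: "06:00"
      timezone: "America/Chicago"  # placeholder; use your team's IANA time zone
    # How aggressive to be: caps the number of upgrade PRs open at any one time.
    open-pull-requests-limit: 5
    # Batch low-risk semver bumps into one PR so the daily stream stays reviewable.
    # Major bumps are left out of the group on purpose, so each lands as its own PR
    # and a breaking change is easy to pinpoint and roll back.
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"             # placeholder label
    commit-message:
      prefix: "chore(deps)"
```

The "couple of checkboxes" from the post (Dependabot alerts and security updates) are enabled in the repository's security settings, not in this file; and because a minor bump can still hide breaking changes, the grouped PR should go through the same CI as any other change before it merges.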

OK, I’m not telling you this whole story so you can turn “dependabot” on… 

You should totally do that, but there is a larger message.

The universe is out to get you, and entropy is your enemy.  Things decay and change, and you must keep up with the world.  

Entropy will keep increasing on you. You have to construct the systems to hold everything together.  

Dependabot is one example where you can mostly automate something that will maintain your sanity over time. 

Seek those systems, processes, and tools and leverage them wherever you can.

P.S. If you need help with this, let me know, and let’s chat on how I may be able to help you.
