manage dependencies on some regular basis

Description

In the course of a discussion in #stripes-architecture about STCOR-308, we also raised the possibility of dedicating some time on a ~quarterly basis to dependency maintenance, possibly with help from a tool like greenkeeper.io.

Activity

Khalilah Gambrell April 8, 2020 at 7:53 PM
Edited

Per Zak: Identifying updates is part of the job of #stripes-arch, and that the job(s) of performing those updates can largely be handled by individual teams.

Jason Skomorowski April 8, 2019 at 10:44 PM

The work would be:

  • updating things not expected to cause issues (e.g. not updates to major versions)

  • verifying it didn't break anything (currently difficult due to distributed nature of per-app tests and unreliability/fiddliness of nightmare integration test)

  • publishing appropriate commits to affected packages

  • doing triage on remaining incompatible updates so we can better prioritise

    • how much work will it take to make use of the new version?

    • what other implications are there (ex. will it entail major upgrades to related packages?)

    • are there outstanding vulnerabilities that necessitate migration sooner rather than later?

    • do we gain new functionality?

Additionally, we'll want to stay abreast of major security issues related to software we use. These require some research to gauge, as what is a critical vulnerability in some scenarios may not actually present an issue for our use case, e.g. XSS in a devDependency used only in our testing environment with test data we provide.
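
Added example (not part of the comment above and not Stripes code): one way to automate the split described in that comment, separating non-major updates from updates that need triage and ranking findings by whether the package is a production or dev-only dependency. The `outdated` input mirrors the `current`/`latest` fields of `npm outdated --json`; the `advisories` shape, the function names and all package names are assumptions constructed for illustration.

```javascript
// Added example, not FOLIO/Stripes code. `outdated` mirrors the current/latest
// fields of `npm outdated --json`; `advisories` is a simplified, hypothetical
// shape (not npm audit's schema). All package names below are constructed.
function parse(version) {
  const [major, minor] = version.split('-')[0].split('.').map(Number);
  return { major, minor };
}

// Breaking per semver: a major bump, or a minor bump while still on 0.x.
function isBreaking(current, latest) {
  const a = parse(current);
  const b = parse(latest);
  return a.major !== b.major || (a.major === 0 && a.minor !== b.minor);
}

const RANK = { high: 0, review: 1, normal: 2 };

function triage(manifest, outdated, advisories) {
  const prod = manifest.dependencies || {};
  const report = { routine: [], needsTriage: [] };
  for (const [name, info] of Object.entries(outdated)) {
    const scope = name in prod ? 'prod' : 'dev';
    const vulns = advisories.filter((a) => a.name === name).map((a) => a.title);
    // A finding in a dev-only tool is flagged for research, not auto-dismissed.
    const priority = vulns.length === 0 ? 'normal' : scope === 'prod' ? 'high' : 'review';
    const entry = { name, scope, from: info.current, to: info.latest, priority, vulns };
    (isBreaking(info.current, info.latest) ? report.needsTriage : report.routine).push(entry);
  }
  // Vulnerable production packages first, then dev-only findings, then the rest.
  for (const list of Object.values(report)) list.sort((x, y) => RANK[x.priority] - RANK[y.priority]);
  return report;
}

const manifest = {
  dependencies: { 'ui-widgets': '^2.1.0', 'http-helper': '^0.4.2' },
  devDependencies: { 'test-runner': '^3.0.0', 'html-reporter': '^1.2.0' },
};
const outdated = {
  'ui-widgets': { current: '2.1.0', latest: '2.3.1' },
  'http-helper': { current: '0.4.2', latest: '0.5.0' },
  'test-runner': { current: '3.0.0', latest: '4.0.0' },
  'html-reporter': { current: '1.2.0', latest: '2.0.0' },
};
const advisories = [
  { name: 'html-reporter', title: 'XSS in generated report (constructed)' },
  { name: 'http-helper', title: 'Header injection (constructed)' },
];
const result = triage(manifest, outdated, advisories);
console.log(JSON.stringify(result, null, 2));
```

The `routine` list is the batch that can be updated and verified together; `needsTriage` is the ordered queue for the questions listed in the comment.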

Khalilah Gambrell March 27, 2019 at 10:56 PM

, what work is related to managing dependencies?

Duplicate

Details

Development Team

Stripes Force

Created March 11, 2019 at 12:01 PM
Updated June 17, 2020 at 2:51 PM
Resolved April 8, 2020 at 7:53 PM