How we keep our dependencies up to date

Raphael Kallensee
Getsafe
3 min read · Mar 16, 2021

Web stacks are getting more and more complex and come with lots of dependencies. At Getsafe, we have eight Ruby on Rails apps running, and each of these apps has at least 50 direct or indirect Rubygems it depends on, in some cases twice as many. Some apps depend on quite a few Node.js packages as well. In addition, Getsafe has 15+ gems we publish ourselves (some private, some public) that we also need to keep dependencies updated for.

On average, at least one of the libraries our apps depend on is updated every day, and most of the time at least some of our apps are affected by that update. Sometimes these updates contain security fixes and need to be applied as soon as possible to keep our infrastructure safe and protect the data of our customers.

When we started building our Getsafe platform, in the very beginning we had three Ruby on Rails apps and three backend developers. At the time, we took care of updating dependencies manually, simply by running “bundle update” on an almost daily basis. If there were updates, the developer opened a pull request and tested them. Sometimes there were many updates at once. Sometimes we weren’t able to update a specific gem until we had time to make the necessary adjustments. Sometimes we also forgot to check for updates. Often we were too busy building features for our platform, and after a couple of days there were dozens of gems to be updated and tested. Sometimes an update broke something, and we needed to find out which gem exactly had caused it.

One day I was reading a blog post from Depfu. Out of curiosity, I checked what “Depfu” actually is and was really excited: a software-as-a-service that automates upgrading dependencies and opens pull requests, complete with a nice description and often even a changelog. One pull request for each dependency upgrade. Every upgrade can be tested in isolation and is tested in CI. A solution that doesn’t depend on someone thinking about upgrades. I integrated it into our workflow pretty quickly and we never looked back.
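The manual “bundle update” routine above and the one-pull-request-per-upgrade approach Depfu applies can be combined in a small script. This is an added example, not Getsafe’s or Depfu’s code; it assumes the line format of `bundle outdated --parseable` and uses constructed sample output, turning each outdated gem into its own branch and conservative update so every upgrade can be reviewed and run through CI in isolation.

```ruby
# Added example (not Getsafe's or Depfu's code): plan one isolated update
# per outdated gem, so each upgrade gets its own branch, review and CI run.
require "rubygems" # Gem::Version ships with Ruby

# Assumed format of `bundle outdated --parseable` lines, e.g.
#   rails (newest 6.1.3, installed 6.1.2, requested ~> 6.1)
OUTDATED_LINE = /\A(?<name>\S+) \(newest (?<newest>[^,]+), installed (?<installed>[^,)]+)(?:, requested (?<requested>[^)]+))?\)\z/

# Size of the version jump, so reviewers can prioritise: a patch bump is
# normally a drop-in fix, a major bump may need code changes first.
def bump_level(installed, newest)
  old_seg = Gem::Version.new(installed).segments
  new_seg = Gem::Version.new(newest).segments
  return :major if new_seg[0] != old_seg[0]
  return :minor if new_seg[1].to_i != old_seg[1].to_i
  :patch
end

# Parse the outdated list; lines that do not match the format are ignored.
def parse_outdated(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    next unless (m = OUTDATED_LINE.match(line))
    { name: m[:name], installed: m[:installed], newest: m[:newest],
      level: bump_level(m[:installed], m[:newest]) }
  end.compact
end

# One branch and one `bundle update --conservative <gem>` per gem, so only
# that gem changes in Gemfile.lock and a broken upgrade is easy to pin down.
def update_plan(outdated)
  outdated.map do |u|
    branch = "depup/#{u[:name]}-#{u[:newest]}"
    { branch: branch, level: u[:level],
      command: "git checkout -b #{branch} && bundle update --conservative #{u[:name]}" }
  end
end

# Constructed sample output, not taken from a real project.
SAMPLE = <<~OUT
  rails (newest 6.1.3.1, installed 6.1.3, requested ~> 6.1)
  nokogiri (newest 1.11.2, installed 1.10.10)
  puma (newest 5.2.2, installed 4.3.7, requested ~> 4.3)
OUT

if __FILE__ == $PROGRAM_NAME
  update_plan(parse_outdated(SAMPLE)).each { |p| puts "[#{p[:level]}] #{p[:command]}" }
end
```

Feeding it the real `bundle outdated --parseable` output of an app yields one command per gem; each resulting branch is what a CI pipeline would test before a human reviews and merges it.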

[Screenshot: a pull request created by Depfu, showing the release notes and commits of the new dependency version]
A pull request created by Depfu

We always like to stay up to date. Sometimes we upgrade to the latest Ruby version the day after it is released. Being able to use the latest and greatest features in gems and from the Ruby language has always been a driver of developer happiness for us. Since we automated this, somebody just has to go through the newly created pull requests in the morning, review the changes, check that the tests pass, and merge them. We can now be sure updates are distributed to all apps automatically, not only for public dependencies but also for our private gems. Depfu even creates PRs for Ruby runtime upgrades. This makes the whole process a lot easier for us, and upgrading is (almost always) done in seconds.

Having automated this, we can spend more time developing features for our customers while feeling confident that our dependencies are always up to date and we never miss security patches.

If you like to work with the latest Ruby features and want to spend your time writing software that has an impact and makes the lives of our customers better, come work with us at Getsafe. We are building the future of insurance together.