Skip to main content
Keeping dependencies up to date is essential for security, performance, and access to new features. OpenHands can help you identify outdated dependencies, plan upgrades, handle breaking changes, and validate that your application still works after updates.

Overview

OpenHands helps with dependency management by:
  • Analyzing dependencies: Identifying outdated packages and their versions
  • Planning upgrades: Creating upgrade strategies and migration guides
  • Implementing changes: Updating code to handle breaking changes
  • Validating results: Running tests and verifying functionality

Dependency Analysis

Identifying Outdated Dependencies

Start by understanding your current dependency state: 
Analyze the dependencies in this project and create a report:

1. List all direct dependencies with current and latest versions
2. Identify dependencies more than 2 major versions behind
3. Flag any dependencies with known security vulnerabilities
4. Highlight dependencies that are deprecated or unmaintained
5. Prioritize which updates are most important
Example output:
PackageCurrentLatestRiskPriority
lodash4.17.154.17.21Security (CVE)High
react16.8.018.2.0OutdatedMedium
express4.17.14.18.2Minor updateLow
moment2.29.12.29.4DeprecatedMedium
Dependency upgrades are often needed to fix security vulnerabilities in your dependencies. If you’re upgrading dependencies specifically to address security issues, see our Vulnerability Remediation guide for comprehensive guidance on:
  • Automating vulnerability detection and remediation
  • Integrating with security scanners (Snyk, Dependabot, CodeQL)
  • Building automated pipelines for security fixes
  • Using OpenHands agents to create pull requests automatically

Compatibility Checking

Check for compatibility issues before upgrading: 
Check compatibility for upgrading React from 16 to 18:

1. Review our codebase for deprecated React patterns
2. List all components using lifecycle methods
3. Identify usage of string refs or findDOMNode
4. Check third-party library compatibility with React 18
5. Estimate the effort required for migration
Compatibility matrix:
DependencyReact 16React 17React 18Action Needed
react-routerv5 ✓v5 ✓v6 requiredMajor upgrade
styled-componentsv5 ✓v5 ✓v5 ✓None
material-uiv4 ✓v4 ✓v5 requiredMajor upgrade

Automated Upgrades

Version Updates

Perform straightforward version updates: 
Update all patch and minor versions in package.json:

1. Review each update for changelog notes
2. Update package.json with new versions
3. Update package-lock.json
4. Run the test suite
5. List any deprecation warnings

Breaking Change Handling

When major versions introduce breaking changes: 
Upgrade axios from v0.x to v1.x and handle breaking changes:

1. List all breaking changes in axios 1.0 changelog
2. Find all axios usages in our codebase
3. For each breaking change:
   - Show current code
   - Show updated code
   - Explain the change
4. Create a git commit for each logical change
5. Verify all tests pass
Example transformation: 
// Before (axios 0.x)
import axios from 'axios';
axios.defaults.baseURL = 'https://api.example.com';
const response = await axios.get('/users', {
  cancelToken: source.token
});

// After (axios 1.x)
import axios from 'axios';
axios.defaults.baseURL = 'https://api.example.com';
const controller = new AbortController();
const response = await axios.get('/users', {
  signal: controller.signal
});

Code Adaptation

Adapt code to new API patterns: 
Migrate our codebase from moment.js to date-fns:

1. List all moment.js usages in our code
2. Map moment methods to date-fns equivalents
3. Update imports throughout the codebase
4. Handle any edge cases where APIs differ
5. Remove moment.js from dependencies
6. Verify all date handling still works correctly
Migration map:
moment.jsdate-fnsNotes
moment()new Date()Different return type
moment().format('YYYY-MM-DD')format(new Date(), 'yyyy-MM-dd')Different format tokens
moment().add(1, 'days')addDays(new Date(), 1)Function-based API
moment().startOf('month')startOfMonth(new Date())Separate function

Testing and Validation

Automated Test Execution

Run comprehensive tests after upgrades: 
After the dependency upgrades, validate the application:

1. Run the full test suite (unit, integration, e2e)
2. Check test coverage hasn't decreased
3. Run type checking (if applicable)
4. Run linting with new lint rule versions
5. Build the application for production
6. Report any failures with analysis

Integration Testing

Verify integrations still work: 
Test our integrations after upgrading the AWS SDK:

1. Test S3 operations (upload, download, list)
2. Test DynamoDB operations (CRUD)
3. Test Lambda invocations
4. Test SQS send/receive
5. Compare behavior to before the upgrade
6. Note any subtle differences

Regression Detection

Detect regressions from upgrades: 
Check for regressions after upgrading the ORM:

1. Run database operation benchmarks
2. Compare query performance before and after
3. Verify all migrations still work
4. Check for any N+1 queries introduced
5. Validate data integrity in test database
6. Document any behavioral changes

Upgrade Strategies

Conservative Approach

For production-critical applications: 
Create a conservative upgrade plan for our payment service:

1. Only upgrade packages with security vulnerabilities
2. For each upgrade:
   - Create a separate branch
   - Run full test suite
   - Deploy to staging
   - Monitor for 1 week
3. Document rollback procedures
4. Schedule upgrades during low-traffic periods

Progressive Approach

For active development: 
Create a progressive upgrade plan:

1. Weekly: Update patch versions automatically
2. Monthly: Review and apply minor version updates
3. Quarterly: Plan and execute major version upgrades
4. Create automation for tracking new versions
5. Set up alerts for security advisories

Big Bang Approach

For major framework upgrades: 
Plan a big-bang upgrade from Django 2.x to 4.x:

1. Create a comprehensive upgrade branch
2. Address all deprecation warnings first
3. Make all breaking changes
4. Update all related packages
5. Extensive testing phase
6. Feature freeze during migration
7. Coordinated rollout with rollback plan

Best Practices

Effective Upgrade Prompts

Provide context for better upgrades: 
Upgrade our Express.js application from v4 to v5:

Project context:
- Production API with 50+ endpoints
- Uses express-validator, passport, helmet
- Custom middleware for logging and auth
- TypeScript with strict mode

Requirements:
1. Maintain backwards compatibility with clients
2. No downtime during deployment
3. Keep all existing functionality
4. Update TypeScript types

Upgrade Checklist

Before upgrading:
  • Read the changelog and migration guide
  • Check compatibility with other dependencies
  • Review breaking changes
  • Ensure test coverage is adequate
  • Plan rollback strategy
After upgrading:
  • Run full test suite
  • Check for deprecation warnings
  • Verify production build works
  • Test in staging environment
  • Monitor after production deployment

Common Pitfalls

Avoid these upgrade mistakes:
  • Upgrading everything at once: Change one thing at a time
  • Skipping changelogs: Always read what changed
  • Ignoring deprecation warnings: Fix them before they become errors
  • Insufficient testing: Upgrade testing should be thorough
  • No rollback plan: Always be able to revert

Examples

Security-Driven Upgrade

We have a critical security vulnerability in jsonwebtoken.

Current: jsonwebtoken@8.5.1
Required: jsonwebtoken@9.0.0

Perform the upgrade:
1. Check for breaking changes in v9
2. Find all usages of jsonwebtoken in our code
3. Update any deprecated methods
4. Update the package version
5. Verify all JWT operations work
6. Run security tests

Framework Major Upgrade

Upgrade our Next.js application from 12 to 14:

Key areas to address:
1. App Router migration (pages -> app)
2. New metadata API
3. Server Components by default
4. New Image component
5. Route handlers replacing API routes

For each area:
- Show current implementation
- Show new implementation
- Test the changes

Multi-Package Coordinated Upgrade

Upgrade our React ecosystem packages together:

Current:
- react: 17.0.2
- react-dom: 17.0.2
- react-router-dom: 5.3.0
- @testing-library/react: 12.1.2

Target:
- react: 18.2.0
- react-dom: 18.2.0
- react-router-dom: 6.x
- @testing-library/react: 14.x

Create an upgrade plan that handles all these together,
addressing breaking changes in the correct order.