chaifeng a day ago
The discussion around operating system package updates is definitely important. I’m also curious to hear how teams handle dependency updates in software development projects, things like versions listed in package.json, build.xml, or similar files. How do you decide when to update these kinds of dependencies, and how frequently do you do it?
lfxyz 19 hours ago
We use Renovate to keep dependencies up-to-date across npm, Kotlin, Docker and GitHub Actions. It automatically monitors all the dependencies (including in our private repositories) and opens PRs (max 10 at a time) against those repos. This week I added grouping of related dependencies (e.g. all Spring Boot dependencies or all ESLint dependencies). Providing the pipeline is green, any minor, patch or image digest update can be merged automatically (with an approval coming from the renovate approve bot) and major updates need the approval of a developer.
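
A `renovate.json` sketch of the policy described in the comment above, added as an illustration and not lfxyz's actual configuration. The package-name patterns and group names are assumptions, and the `/regex/` form of `matchPackageNames` assumes a recent Renovate release (older releases use `matchPackagePatterns`). Automerge only happens once the repository's required status checks pass, which is what makes "pipeline is green" the gate; requiring an approving review in branch protection is what keeps major updates waiting for a developer.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "prConcurrentLimit": 10,
  "packageRules": [
    {
      "description": "Group all Spring Boot artifacts into one PR (pattern is an assumption)",
      "matchPackageNames": ["/^org\\.springframework\\.boot[:.]/"],
      "groupName": "Spring Boot"
    },
    {
      "description": "Group ESLint and its plugins into one PR (patterns are assumptions)",
      "matchPackageNames": ["/^eslint/", "/^@typescript-eslint\\//"],
      "groupName": "ESLint"
    },
    {
      "description": "Minor, patch and image digest updates merge automatically once checks pass",
      "matchUpdateTypes": ["minor", "patch", "digest"],
      "automerge": true
    },
    {
      "description": "Major updates stay open until a developer approves and merges",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```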