How often do you update your deps?

I’m considering running mix deps.update to get Ecto up to 2.1, but am a little nervous about what it will do to all my dependencies. I have my deps folder in .gitignore too :grimacing:

1 Like

I usually do an audit of the dependencies in my apps at least once a month, or if I see a release hit Hex I just go and update it straight away. I also usually work entirely within umbrellas, which keeps dependency lists very small and isolated.

You should definitely update Ecto!.. and any other deps which have updates available.

There’s absolutely no risk. Update the dependency, run your test suite… if anything breaks, fix it. If you would rather not fix things right away, just keep the branch floating around until you do :slight_smile:

Although, with Ecto 2.1, I think the only real thing you’ll have to deal with is some warning messages around cast/4 being deprecated in favor of cast/3 and validate_required/2 which is very easy to fix.

Before

# cast/4 takes required and optional fields as separate arguments (deprecated in Ecto 2.1)
def changeset(struct, params \\ %{}) do
  struct
  |> cast(params, @required_fields, @optional_fields)
end

After

# cast/3 takes every permitted field; required ones are checked by validate_required/2
def changeset(struct, params \\ %{}) do
  struct
  |> cast(params, @required_fields ++ @optional_fields)
  |> validate_required(@required_fields)
end

2 Likes

The Ecto changelog contains detailed information on what exactly changed in each release.

mix deps.update foo will only update the package foo and its dependencies, so it’s much less scary. You can update one package at a time.

4 Likes

I try to stay up-to-date with my dependencies.

Also, as long as you do not change your constraints, even after updating, you will get the latest version that matches your constraints. So if you specified {:ecto, "~> 2.0.0"}, you won’t even get 2.1.

Also, since Hex encourages the use of semver, a change from 2.0 to 2.1 should be API compatible. Any behavioral change should be covered by your tests, and if you can’t fix them, you still can roll back your VCS.

edit

Also there are services such as hexfaktor which help you to keep your dependencies up to date.

3 Likes
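The constraint behaviour described in the post above, as an added example that is not part of the original thread: it uses Elixir's standard `Version` module to show which release each requirement admits. The package's version list and the `ConstraintDemo` module are constructed for illustration, and the resolution is simplified in that it ignores constraints coming from other dependencies.

```elixir
defmodule ConstraintDemo do
  # Constructed list of published versions for a hypothetical package.
  @published ~w(2.0.0 2.0.5 2.0.6 2.1.0-rc.0 2.1.0 2.1.2 3.0.0)

  # Returns the highest stable release that satisfies `requirement`,
  # or nil when nothing matches. Pre-releases are skipped here.
  def latest_allowed(requirement, versions \\ @published) do
    versions
    |> Enum.map(&Version.parse!/1)
    |> Enum.filter(&(&1.pre == [] and Version.match?(&1, requirement)))
    |> Enum.sort({:desc, Version})
    |> List.first()
    |> case do
      nil -> nil
      version -> to_string(version)
    end
  end
end

# Compare a patch-level pin, a minor-level pin and an open-ended requirement.
for requirement <- ["~> 2.0.0", "~> 2.0", ">= 2.0.0"] do
  allowed = ConstraintDemo.latest_allowed(requirement)
  IO.puts("#{requirement} allows up to #{inspect(allowed)}")
end
```

The open-ended requirement is the one that lets a new major version in on the next update, which is why the requirement in mix.exs and the diff of mix.lock are both worth reviewing.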

Thanks for the replies everyone! Very helpful

1 Like

Do you often run into conflicts between dependencies? I’m getting a lot of these. I imagine this is where I would use mix deps.unlock?

1 Like

mix hex.outdated is useful for seeing which dependencies are outdated, by the way.

5 Likes

Mix and Hex are a bit conservative when you run mix deps.update. Unless you pass the --all flag, it requires dependency names to be given and it will update only a subtree. You can also always run something like mix deps.update ecto, see how it will impact your lock file and then reset your changes if you think it is changing too much.

3 Likes