Here's my 2 cents coming from experience with Rubygems (and my minimal experience with Node).

You simply cannot auto upgrade dependencies. Period. On an application running in production with development spanning over a couple of months this will break a lot of stuff.

For that to happen, all package developers have to follow semantic versioning and make sure they never break API with minor updates, but that's hard to achieve when you have so many developers.

Updating packages is unfortunately a manual process that you have to go through: you have to pin, upgrade, run tests, rinse and repeat.

I would love a notification when an upgrade is available, whenever a package is released. That'd be good, but still, the upgrade process on my side would be manual.

Heya, you summed up the problem perfectly and we are not trying to be all clever solving this unsolvable riddle.

All Greenkeeper does is send you a Pull Request, which then runs your tests. Only when you as the maintainer are satisfied this works do you get to merge the PR.

We have another project https://github.com/semantic-release/semantic-release that you can use to make sure your project leaves semver to computers and keeps humans out of the process, because they tend to screw this up.

With both Greenkeeper and semantic-release, we hope to get npm into a shape where we, one day, can do more automated updates. It’s gonna be a long road, but we’ll have to start somewhere.

For now, Greenkeeper takes a lot of the chores out of the process you described so well in your comment.