Hello,
I'd like to know if it is necessary to keep all the installed vendor packages up to date.
I always have the latest version of Magento CE installed (at the moment it's 2.2.3).
I run the following command to get a list of all packages which have a newer version available:
composer outdated
This list is pretty long in my case, and it contains stuff like this:
PACKAGE                    VERSION    UPDATE  DESCRIPTION
pdepend/pdepend            2.2.2   -> 2.5.2   Official ve
pelago/emogrifier          V1.2.0  -> v2.0.0  Converts CS
phpmd/phpmd                2.5.0   -> 2.6.0   PHPMD is a
phpunit/php-code-coverage  2.2.4   -> 5.3.0   Library tha
phpunit/php-file-iterator  1.3.4   -> 1.4.5   FilterItera
phpunit/php-token-stream   1.4.12  -> 2.0.2   Wrapper aro
phpunit/phpunit            4.1.0   -> 6.5.7   The PHP Uni
As you can see, some versions are quite behind (e.g. phpunit). I have never explicitly installed these packages; they were just there, probably installed during the Magento 2 installation more than a year ago.
Now my questions are:
1) Will a Magento 2 upgrade take care of these when upgrading versions if necessary, and is it OK if packages are not up to date?
2) Or do I have to make sure that all these packages are up to date?
3) Or should I just leave it as it is, because Magento can't handle the newer version yet (never change a running system)?
I am just wondering if this will lead to performance or security issues.
Thank you for your feedback!
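
Added example, not part of the original post: a small triage script that reads a `composer outdated` listing in the column layout shown above and labels each pending update as a major, minor or patch jump, so the updates that cross a major version stand out. The function names are hypothetical and the sample input is the listing from the post.

```python
import re

# Constructed sample: the listing quoted in the post, including its header row.
SAMPLE = """\
PACKAGE VERSION UPDATE DESCRIPTION
pdepend/pdepend 2.2.2 -> 2.5.2 Official ve
pelago/emogrifier V1.2.0 -> v2.0.0 Converts CS
phpmd/phpmd 2.5.0 -> 2.6.0 PHPMD is a
phpunit/php-code-coverage 2.2.4 -> 5.3.0 Library tha
phpunit/php-file-iterator 1.3.4 -> 1.4.5 FilterItera
phpunit/php-token-stream 1.4.12 -> 2.0.2 Wrapper aro
phpunit/phpunit 4.1.0 -> 6.5.7 The PHP Uni
"""

# Assumed row layout (as in the post): vendor/package  current -> latest  description
ROW = re.compile(r"^(?P<name>[\w.-]+/[\w.-]+)\s+(?P<cur>\S+)\s+->\s+(?P<new>\S+)")

def parse_version(text):
    """Return (major, minor, patch) for '1.4.12' or 'v2.0.0'; None if not numeric."""
    m = re.match(r"^[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None  # e.g. a branch name such as 'dev-master'
    return tuple(int(part or 0) for part in m.groups())

def classify(cur, new):
    """Label the size of the jump between two version strings."""
    a, b = parse_version(cur), parse_version(new)
    if a is None or b is None:
        return "unknown"
    # Under semantic versioning a 0.x minor bump may also break compatibility.
    if a[0] != b[0] or (a[0] == 0 and a[1] != b[1]):
        return "major"
    if a[1] != b[1]:
        return "minor"
    if a[2] != b[2]:
        return "patch"
    return "same"  # only a suffix differs

def triage(listing):
    """Map package name -> jump label; header and blank lines are skipped."""
    result = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            result[m["name"]] = classify(m["cur"], m["new"])
    return result

if __name__ == "__main__":
    for name, jump in sorted(triage(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{jump:7} {name}")
```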