There's a cost for being out of date, but there's also a cost for learning the hard way whether a new version breaks prod. Pay it down like any other tech debt.
Maybe I could test literally every release version of each of my dependencies, but that isn't really my job.
Greenkeeper (and similar systems) comes to mind, too, in the polyrepo case. You can still CI with "the latest" in the polyrepo case. We have the technology to automate that. Including situations like 'let me know when the next version of my dependency that passes this test is released and send me a PR to update my pinned version when it happens'.
NPM might not be the best package manager, but if you're using something like Lerna you can get the best of both worlds. Your local copy of an internal dependency can either be symlinked to the local source code, or a copy of the published package.
That makes it a lot easier to work on a package and its consumers at the same time.
Oh God! I had forgotten how much frustration was in my old Python team until I checked the docs and discovered that you can make pip "install" your local copy of one repo as the dependency for another. The poor developer who prompted me to check was testing by doing CI builds and pulling down the new eggs.
Of course this isn't really a point against polyrepos, since it had a solution, but it's definitely something that I could imagine catching out lots of juniors.
Someone makes an incompatible change, but you do not find out months later, because the client of that incompatibility is not using the latest versions. In the meantime, the development of the module and its downstreams has marched past any sort of easy resolution, and you essentially are now maintaining two different copies of your code.
Hmm. Monorepos strongly favor "always-good". Core library breakage gets detected and rolled back really fast. It's been months since I've been affected by one.
Known-good is in the eye of the beholder, and is just another dimension that generates breakage.
google3 breaking was a bimonthly event that left the entire team aground. Bad enough that it happened, but the worst part is that we couldn't do anything about it but wait.
