Release no later than 6 weeks after any of your dependencies releases a higher version. Elapsed time matters, not just how many versions behind you are, because a dependency tree that is up to date at each point in time is more likely to be internally consistent and compatible. Staying up to date also ensures that security fixes are rolled out promptly.
There are several tools that make upgrading dependencies easier by performing much of the grunt work:
These tools assume that the new versions are compatible with the older versions. Where they are not fully compatible, a dependency upgrade can still require manual attention to rewrite and update affected code. However, these tools do remove much of the pain from small updates.
If your library does not have the investment necessary to keep up to date with dependencies, advise consumers to move to a library that is kept more up to date.
Rarely, a project will maintain multiple incompatible branches at the same time. For instance, Apache HttpClient 4.x and 5.x are both maintained and supported. They have different Maven artifact IDs and different Java packages. In this case, there is no need to update to the latest version if you prefer the older one. Either version is equally acceptable, though you do need to stay up to date within the branch you pick.
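The 6-week rule above is a time-based check, and the branch point means it has to be evaluated per Maven coordinate (groupId:artifactId) rather than per project name. The following script is an added example, not code from the original page or from any of the tools it mentions: it parses a constructed pom.xml fragment, compares each dependency against a constructed "latest release" catalog standing in for a registry lookup, and reports which upgrades are overdue (newer version out for more than 6 weeks and still not picked up) and which are still inside the window. All coordinates other than the HttpClient ones, and every version number and date, are made up for the example.

```python
"""Staleness check for the "release within 6 weeks of a dependency release" rule.

Added example. Assumptions (not from the page): the pom.xml fragment and the
release catalog below are constructed; in real use the catalog would come from
a registry lookup such as Maven Central.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import xml.etree.ElementTree as ET

MAX_LAG = timedelta(weeks=6)  # the page's "no later than 6 weeks" rule

# Constructed pom.xml fragment (not a real project's file).
POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-lib</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>stable-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed stand-in for a registry lookup: newest version per coordinate and
# its release date. Versions and dates are invented. Note that HttpClient 5.x
# lives under a different artifactId, so it is a separate key and never counts
# as "the newer version" of the 4.x line.
CATALOG = {
    "org.apache.httpcomponents:httpclient": ("4.5.14", date(2023, 1, 1)),
    "org.apache.httpcomponents.client5:httpclient5": ("5.2.1", date(2023, 2, 1)),
    "org.example:widget-lib": ("2.2.0", date(2023, 3, 1)),
    "org.example:stable-lib": ("1.0.0", date(2022, 6, 1)),
}


@dataclass
class Finding:
    coordinate: str
    current: str
    latest: str
    deadline: date   # last day on which a release picking up `latest` is on time
    status: str      # "overdue" or "due"
    days: int        # days past the deadline (overdue) or days remaining (due)


def parse_dependencies(pom_xml):
    """Map groupId:artifactId -> declared version for every <dependency>."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.iter("dependency"):
        coord = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        deps[coord] = dep.findtext("version")
    return deps


def check(deps, catalog, today):
    """Return one Finding per dependency that has a newer release in the catalog.

    The deadline is the newer version's release date plus 6 weeks. Dependencies
    already on the latest version, or absent from the catalog, are not reported.
    """
    findings = []
    for coord, current in sorted(deps.items()):
        if coord not in catalog:
            continue  # unknown to the catalog; nothing to compare against
        latest, released = catalog[coord]
        if latest == current:
            continue
        deadline = released + MAX_LAG
        if today > deadline:
            findings.append(Finding(coord, current, latest, deadline,
                                    "overdue", (today - deadline).days))
        else:
            findings.append(Finding(coord, current, latest, deadline,
                                    "due", (deadline - today).days))
    return findings


if __name__ == "__main__":
    for f in check(parse_dependencies(POM), CATALOG, date(2023, 4, 1)):
        print(f"{f.coordinate}: {f.current} -> {f.latest}, "
              f"{f.status} ({f.days} days, deadline {f.deadline})")
```

Running this as of the constructed date 2023-04-01 flags the HttpClient 4.x upgrade as 48 days overdue and the widget-lib upgrade as due within 11 days; stable-lib is silent because it is already current. Because the catalog is keyed by full coordinate, the httpclient5 entry has no effect on the 4.x finding, which is exactly the "stay up to date within the branch you pick" behaviour.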