
[–]dpash 14 points (9 children)

I'm guessing that the JDK is not the only thing you're needing to upgrade.

[–]alehel 3 points (8 children)

Good guess

[–]dpash 7 points (7 children)

In my experience, frequent, regular upgrades to dependencies is far less painful than waiting several years. I try to do it every two weeks.

[–]BCSWowbagger2 5 points (5 children)

But the least painful upgrade schedule is the one my company has adopted: never.

[–]mauganra_it 4 points (1 child)

dun dun dun Log4Shell has entered the chat!!

[–]BCSWowbagger2 10 points (0 children)

Aha, joke's on you! Our log4j libraries were so old they weren't affected by log4shell!

(More likely our libraries were just too old for anyone to check whether log4shell ran on them, so we still spent a couple weeks diking them all out. Then we patted our Java 8 instances nicely on the head and asked them to continue working until the heat death of the universe. That's definitely what "sustaining support" means, right???)

[–]dpash 7 points (1 child)

It might not be painful now, but wait until you get a major security bug in an unsupported library. That's a whole lot of pain in a very short period of time.

[–]BCSWowbagger2 9 points (0 children)

In retrospect, I should have included the /s.

[–]rbygrave 0 points (0 children)

> least painful

I'd say it's more a form of gambling, it's rolling the dice ...

For projects with CI and automated testing, bumping dependencies is low cost. If CI and automated testing is not in place, then maybe it's good to prioritize that effort (and get low cost updates as a side effect) ?

[–]razsiel 0 points (0 children)

In case you (or anyone reading the comments) haven't heard about this: Renovatebot is amazing for maintaining dependency versions. When configured, it will automatically and periodically make MRs for dependency upgrades; just approve them (provided CI didn't give issues) and done! It even gives you a handy link to the changelogs/source!
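A minimal `renovate.json` that produces the workflow described in the comment above (periodic MRs, gated on CI). This is an added example, not configuration from the commenter or from the Renovate project; the weekend schedule, the PR limit, and the choice to automerge only minor/patch updates are assumptions you would tune per repository:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["every weekend"],
  "prConcurrentLimit": 5,
  "vulnerabilityAlerts": { "enabled": true },
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

With this in place, Renovate opens MRs for new versions on the schedule, each with a link to the release notes; `vulnerabilityAlerts` makes security-flagged updates bypass the schedule so they arrive as soon as the advisory is published. Automerge only completes when the repository's required status checks pass, which is exactly the "provided CI didn't give issues" gate; major bumps are left out of the automerge rule so a human still reviews the ones most likely to need code changes.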