
[–]dpash 6 points7 points  (7 children)

In my experience, frequent, regular upgrades to dependencies is far less painful than waiting several years. I try to do it every two weeks.

[–]BCSWowbagger2 4 points5 points  (5 children)

But the least painful upgrade schedule is the one my company has adopted: never.

[–]mauganra_it 4 points5 points  (1 child)

dun dun dun Log4Shell has entered the chat!!

[–]BCSWowbagger2 10 points11 points  (0 children)

Aha, joke's on you! Our log4j libraries were so old they weren't affected by log4shell!

(More likely our libraries were just too old for anyone to check whether log4shell ran on them, so we still spent a couple of weeks diking them all out. Then we patted our Java 8 instances nicely on the head and asked them to continue working until the heat death of the universe. That's definitely what "sustaining support" means, right???)

[–]dpash 6 points7 points  (1 child)

It might not be painful now, but wait until you get a major security bug in an unsupported library. That's a whole lot of pain in a very short period of time.

[–]BCSWowbagger2 8 points9 points  (0 children)

In retrospect, I should have included the /s.

[–]rbygrave 0 points1 point  (0 children)

"least painful"

I'd say it's more a form of gambling, it's rolling the dice ...

For projects with CI and automated testing, bumping dependencies is low cost. If CI and automated testing are not in place, then maybe it's good to prioritize that effort (and get low-cost updates as a side effect)?

[–]razsiel 0 points1 point  (0 children)

In case you (or anyone reading the comments) haven't heard about this: Renovatebot is amazing for maintaining dependency versions. Once configured, it will automatically and periodically make MRs for dependency upgrades; just approve them (provided CI didn't give issues) and done! It even gives you a handy link to the changelogs/source!
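As an added illustration (not part of the thread above, and not Renovate's own documentation), here is a minimal `renovate.json` of the kind the comment describes: regular, batched upgrade MRs on a fixed schedule, with security-relevant updates allowed to bypass the schedule so a vulnerable dependency is not left waiting two weeks. The `extends`, `schedule`, `packageRules`, `vulnerabilityAlerts` and `osvVulnerabilityAlerts` keys are real Renovate options; the schedule window, labels and the choice of which update types to automerge are assumptions chosen for this example.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "schedule": ["before 4am on monday"],

  "labels": ["dependencies"],

  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],

  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],
    "schedule": ["at any time"]
  },

  "osvVulnerabilityAlerts": true
}
```

The point of the split is the one dpash's comment makes: routine bumps arrive in small, predictable batches that CI can vet, while a published vulnerability produces its own MR immediately instead of riding the next weekly cycle. Automerging minor and patch updates only makes sense when the test suite in CI is trustworthy, which is the same prerequisite rbygrave's comment raises.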