For projects I maintain, I try to keep dependencies up to date on a regular basis. But not all people work like that, some live by the adage of “if it ain’t broken don’t fix it”, but that is not an approach I subscribe to in software development.
A common reason to update software dependencies is to fix security issues or bug fixes that plague the project at hand. My main argument in favour of making more frequent updates is that when you suddenly need to make an update (because of an imminent security threat) it won’t be hard; when dependencies haven’t been updated in a long time it can be hard to to make the update.
There are risks involved in updating dependencies: A new version might introduce breaking changes, things that you rely on suddenly don’t work or exist anymore. It might even introduce new bugs that may not be apparent on the first run. And when your test suite is not on par, verifying if everything works as expected is time consuming. But that can all be addressed. The advantage is that you can easily update dependencies when you take care of that. In the Software Engineering at Google Book (free to read online) something along the same lines is suggested:
The more frequently you change your infrastructure, the easier it becomes to do so. We have found that most of the time, when code is updated as part of something like a compiler upgrade, it becomes less brittle and easier to upgrade in the future. In an ecosystem in which most code has gone through several upgrades, it stops depending on the nuances of the underlying implementation; instead, it depends on the actual abstraction guaranteed by the language or OS. Regardless of what exactly you are upgrading, expect the first upgrade for a codebase to be significantly more expensive than later upgrades, even controlling for other factors.
By improving the tooling, by fixing and adding tests, to what is failing, you make subsequent upgrades easier. And you will be prepared when it is an urgent update, which are more common now than ever.
Enjoyed this? Follow me on Mastodon or add the RSS, euh ATOM feed to your feed reader.
Dit artikel van murblog van Maarten Brouwers (murb) is in licentie gegeven volgens een Creative Commons Naamsvermelding 3.0 Nederland licentie .