How do you decide when to update the library in your project?

I am working on a project that uses several open source Java libraries. When these libraries are updated, we tend to follow a conservative strategy:

  • if it does not break, do not correct it
  • If it does not have new features, we do not want to ignore it.

We follow this strategy because we usually do not have time to add a new library and thoroughly test the general application. (Like many software development teams, we always fall behind the features we promised a few months ago.)

But sometimes I wonder if this strategy is reasonable, given that some performance improvements and a large number of bug fixes usually come with updating libraries. (i.e., "Who knows, maybe everything will work better than we do not foresee ...")

What criteria do you use when making these decisions in your project?

+6
java versioning
source share
7 answers

I have learned enough lessons to do the following:

  • Check the list of changes in the library. What do they fix? I do not care? If there is no change list, the library will not be used in my project.
  • What do people post on the forum in the library? Is there a rash of messages starting shortly after release, indicating obvious problems?
  • In the same spirit as number 2, do not update immediately. ALL has a bad version. I'm not going to be the first to correct this little mistake. (there is more). This does not mean that you will also wait 6 months. During the first month of release, you should know the flaws.
  • When I decide to continue updating; test, test test. Here, automatic testing is extremely important.

EDIT: I wanted to add another element that is at least as important and possibly more than others.

  • What changes have been made to this release? In other words, is the library going in a different direction? If the library is outdated or replaces functionality, you will want to stay on it.
+7
source share

Important: Avoid Technical Debt .

“If it does not break, do not update” - this is a crazy policy that leads to a software violation that no one can fix.

Rash, unverified change is a bad idea, but not as bad as accumulating technical debt, because in the short term it looks cheaper.

Get the “nightly build” process so you can constantly test all the changes — yours, as well as the packages you depend on.

Until you have a continuous integration process, you can make large quarterly releases that include infrastructure updates.

Avoid technical debt.

+8
source share

One approach is to bring open source libraries that you use under your own control of the source code. Then periodically merge upstream changes into your next release branch or, if it’s a security patch, and run automated tests.

In other words, use the same criteria to decide whether to use upstream changes, as well as for the release cycles of the code you write in the house. Think open source developers will be part of your virtual development team. In any case, this is true, it is simply a question of whether you decide to recognize this as part of your development methods.

+2
source share

While you do not want to update just because there is a new version, there is another consideration, which is the presence of the old version. I ran into this problem while trying to build open source projects.

+2
source share

I usually assume that ignoring the new version of the library (coz 'has no interesting features or improvements) is a mistake, because one day you will find out that this version is necessary to upgrade to the next version, which you might want to upgrade to .

So, my advice is to carefully study what has changed in the new version, and think about whether the changes require a lot of testing or little.

If you need a lot of testing, it is better to switch to a new library in the next version (main version) of your software (for example, when switching from v8.0 to v8.5). When this happens, I assume that there are other important modifications, so a lot of tests are done.

+2
source share

I prefer the versions to not lag too far from the dependent libraries. Up to a year is suitable for most libraries if security or performance issues are not known. Libraries with known security issues are required to be updated.

I periodically download the latest version of each library and run tests of my applications using them. If they pass, I use them in our development and integration environment for a while and click on QA when I am satisfied that they are not sucking.

The above procedure assumes that the API has not changed significantly. All bids are disabled if I need to reorganize an existing code to use a newer version of the library. (e.g. Axis 1x versus 2x). Then I will need to take part in the management in order to decide on the allocation of resources. Such a change will usually be different until a serious overhaul of the legacy code is planned.

+2
source share

Some important questions:

  • How widely used is the library? (If it is widely used, errors will be found and resolved faster).
  • How actively is it developing?
  • Is the documentation very clear?
  • Have there been significant changes, minor or just internal changes?
  • Does the update have a backward compatibility gap? (Do you have to change any of your code?)

If the update does not look bad in accordance with the above criteria, it is better to go with it, and if you encounter any problems, return to the old version.

+1
source share

All Articles