Isn't it risky to update your dependencies?
Cliff Brake, October 07, 2024 #update #dependencies #risk

This is a common objection I hear when building industrial systems: "We want to lock things down to a super stable/tested LTS (Long Term Support) release and then stay on that release for a long time -- it's risky to update dependencies."
Is it?
How often do you update your browser?
Your phone?
How often does Windows or MacOS force you to update your computer OS?
Do you worry every time it updates?
I've run Arch Linux for years and update routinely without worrying.
I update to new versions of Gitea every time they come without a concern.
I routinely update to the latest HEAD of Zephyr on projects during development and have rarely had a problem.
The same with about every software component I use.
Yes, there are safety-critical control systems that have stringent testing requirements, but here we're talking about complex connected systems that are mainly concerned with moving data around, where security is a concern.
With rare exceptions, modern OSS projects get more stable with each release, and to a lesser extent with each Git commit.
They have defied the laws of entropy.
How? With OSS workflows, testing, continuous integration (CI), more real-world usage, more user feedback and contributions, etc.
With good CI, changes don't get merged to main until they are tested pretty well.
Transparency, community, and OSS workflows are powerful -- really the only practical way to build complex technology.
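As an added illustration of the "good CI" gate described above (this is an example workflow, not code from the post or from any project it mentions), the following GitHub Actions configuration runs the test suite on every pull request, including automated dependency-update PRs. The repository layout, the `make test` target, the Go toolchain and the Dependabot ecosystem are assumptions; adapt them to the project. Combined with a branch-protection rule that requires the `test` job to pass, it means a dependency bump cannot reach `main` untested.

```yaml
# .github/workflows/ci.yml (added example; assumes a Go project with a `make test` target)
name: ci

on:
  pull_request:          # every PR, including those opened by Dependabot
  push:
    branches: [main]

permissions:
  contents: read         # least privilege: the job only needs to read the repo

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: toolchain version is pinned in go.mod
      - name: Verify dependency checksums match go.sum
        run: go mod verify         # fails if a downloaded module does not match the recorded hash
      - name: Run the test suite
        run: make test             # assumption: project exposes its tests via this target

# .github/dependabot.yml (added example; opens one PR per dependency update)
# version: 2
# updates:
#   - package-ecosystem: gomod
#     directory: "/"
#     schedule:
#       interval: weekly
```

With a branch-protection rule on `main` that requires the `test` check, the update PRs Dependabot opens are tested before they can be merged, which is the workflow the post is describing: updates arrive continuously, and CI, not a long freeze, is what provides the stability.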
The next time you seek the cozy cocoon of an LTS release for a dependency in YOUR Platform, think about what you might be giving up ... features, improvements, community connection, and likely also stability.