In a microservices landscape; When do you update?

This week I’ve been stuggling with the following question:

When is the right time to upgrade?

By upgrading, I mean everything: libraries, tools, Java versions, application servers, MQ servers…

My current project uses a reactive upgrade policy, we upgrade for four reasons:

  1. Something is broken and fixed in a later version
  2. We need or want to use a new feature
  3. Support for a version we’re using is being dropped
  4. The old version we’re using has a known security issue/CVE

The first two reasons are entirely up to the programmers to decide. The third reason is up to the company that gives us support. For the fourth upgrade reason, security, we have some automation in place. We are using the OWASP dependency checker Maven plugin for our libraries.

But:

  • Is a reactive update policy good enough?
  • Are there any pro-active strategies?
  • Do you want to invest in keeping your microservices up-to-date?
  • Do you let your services deteriorate and dispose, replace them in the future with new technologies?

More on this in my (kind-of-weekly) vlog: