Why and when to Update Software API & Library

We do develop many apps, libraries...etc., every day. To help corporations, governments, individuals, communities, and many more to take advantage of what software can offer them. There is a wide variety of advantages and opportunities software gives us. The complexity of building software is increasing day by day and new challenges are adding up every day. I want to discuss one of the challenges or complexity every programmer would have faced, which is updating or upgrading an API or a third-party library every now and then. Example: I just finished the java 6 to java 8 upgrade in my product now I see java 17 out, what should I do?

Let's understand what updating or upgrading software means, over a period of time there are a lot of versions of software developed depending on the use case and new requirements. And every piece of software we develop today is predominantly using a set of other APIs or libraries and adding your logic on top of it. So you are dependent on other third-party APIs or Libraries in your software and it's working fine, what's the problem now ?? There are no problems as such but there may be or may not be a problem in the future. Let's discuss the probable problems which may occur.

• The third-party software you are using has a security bug

You might have used a third-party library in your software, and there was a bug that you were not aware of at that time, And later you discovered it.

Example: Recently everyone would have heard log4j vulnerability. log4j is an excellent logging library that was widely used and all of a sudden a big vulnerability was identified.

There were many databases, middleware, and other products developed using log4j. Since these products had used log4j in their product, Now the products are also vulnerable.

• The third-party software you used does not support the features you need in some scenarios.
• You found a bug and third-party software but has no support or delayed response.
• Frequent new versions released of a third-party library constant upgrade needed.

Example: I just finished my java 6 to java 8 upgrade now I see java 17 out, what should I do?

How do you handle these situations? Below are a few things I have found.

1. Don't rush and use any third-party software, always think about why you need that library, options available, and check if that library solves all your problems, use cases for next few years at least.
2. Check the security checks conducted on that library thoroughly.
3. If it's an open-source product, instead of using the binaries directly you never know what's inside packaged binaries. Download source code builds it yourself to generate the binaries.
4. Always check the support(Community support or Enterprise support in case of licensed) for the library and the validity and SLAs for the library-related issues.
5. Try to make a timeline to frequently upgrade/update the libraries upfront, don't wait till you are hit with issues, Try to upgrade in a timely manner.
6. You always don't need to be in the latest versions. Better to be in the stable versions which are tested verified and widely used.
7. Keep a track of the third-party software used in your software products and their versions and validate them frequently.
8. Always have a plan for immediate upgrade/patch of the library when you first plan to use any third-party library, This will help when a vulnerability is identified to patch immediately since you have a plan and path to be followed defined already for such disaster situations.
9. In your product whenever you have a library upgrade planned. Avoid mixing that with functional changes also. Have releases specific to library upgrade only without functional or other changes, this will help to easily roll back in case of issues.
10. Whenever you are developing a library for others to use, in new versions which you release try to have backward compatibility. And define the duration of support for each version, So that others using your libraries may upfront plan accordingly.