Frank Carver wrote: And following on from Campbell's question, what about the continual pressure to "upgrade" to a different library, framework, or even programming language?
I suspect our team is somewhat unusual but we run a regularly-scheduled job to check for outdated dependencies and we generally update everything as a matter of course (after carefully checking the release notes!). We have a few libraries that are "old" -- where there's a breaking change across versions and we haven't scheduled the time to adapt to that -- but in general, we keep everything on the latest versions as much as we can.
The upside to this is that library updates are generally "easy" because we're only updating a few at a time and they're nearly all patch-level changes. It also means we often avoid CVEs that get discovered in older versions of libraries.
Of course, every now and then, a patch-level update contains a breaking change -- I'm looking at you netty-socketio!
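The scheduled check described in the reply above is a triage problem: which pending updates are routine patch bumps, which cross a minor or major boundary and need the release notes read, and which close an advisory and should jump the queue. The script below is an added example, not code from the post or from any tool the poster uses; every artifact name, version and advisory id in it is constructed, and it assumes the manifest has already been flattened into a name-to-version mapping.

```python
"""Classify pending dependency updates by semver bump level and flag
versions covered by an advisory list.

Added example; not code from the forum post. All artifact names,
versions and advisory ids below are constructed for illustration.
"""
import re

# Leading numeric components only; a pre-release suffix such as "-RC1"
# is ignored, so "1.0.0-RC1" compares equal to "1.0.0" (a known limitation).
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(v):
    """Return (major, minor, patch); missing components count as 0."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def bump_level(current, latest):
    """'patch', 'minor', 'major', or 'none' if latest is not newer."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def is_affected(version, advisory):
    """An advisory applies to every version older than its fixed_in version."""
    return parse_version(version) < parse_version(advisory["fixed_in"])


def plan_updates(current, latest, advisories):
    """Return one row per artifact with the bump level, open advisory ids and
    a suggested action: 'urgent' (advisory open), 'apply' (patch-level),
    'review' (minor/major: read the release notes first), or 'none'."""
    plan = []
    for artifact, cur in sorted(current.items()):
        new = latest.get(artifact, cur)
        level = bump_level(cur, new)
        open_ids = [a["id"] for a in advisories
                    if a["artifact"] == artifact and is_affected(cur, a)]
        if open_ids:
            action = "urgent"
        elif level == "none":
            action = "none"
        elif level == "patch":
            action = "apply"
        else:
            action = "review"
        plan.append({"artifact": artifact, "current": cur, "latest": new,
                     "level": level, "advisories": open_ids, "action": action})
    return plan


# Constructed sample data: what the scheduled job would have resolved from
# the build manifest, the package index, and an advisory feed.
CURRENT_DEPS = {"lib-a": "2.3.4", "lib-b": "1.9.0", "lib-c": "3.0.0", "lib-d": "0.8.1"}
LATEST_DEPS = {"lib-a": "2.3.7", "lib-b": "1.10.2", "lib-c": "4.0.0", "lib-d": "0.8.1"}
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "artifact": "lib-b", "fixed_in": "1.9.3"}]


if __name__ == "__main__":
    for row in plan_updates(CURRENT_DEPS, LATEST_DEPS, ADVISORIES):
        print(f"{row['artifact']:8} {row['current']:>8} -> {row['latest']:<8} "
              f"{row['level']:6} {row['action']:7} {row['advisories']}")
```

The "apply" bucket is the routine part of the job; the poster's netty-socketio experience is the reminder that even that bucket deserves a glance at the release notes and a test run before merging.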