when to upgrade third-party components

We are using quite a few third-party components in our project. It seems like we are constantly getting email notifications that such-and-such component has released a new version. We always face a quandry on the team regarding when to incorporate the new version.

We know that on one hand

• It's easier to upgrade from one version to the next than to skip versions and
• It's better to be at the latest version when you need to ask for support

But on the other hand

• It takes time to do these upgrades -- development, QA regression testing, deployment, etc. and during this time we are not developing our own features

We would like to formulate a general policy about this. For example, a possible policy could be

as soon as the upgrade comes out, wait X amount of time, then incorporate the new version, regardless of what else is going on in the project or whether we need any new features or fixes

Or...

ignore all those upgrade emails and just upgrade if you need a new feature or fix

Or...

wait till a natural slow point in development (whatever that is) then upgrade everything to the latest version

Or... ???

Is th开发者_JS百科ere any research or guidelines out there regarding this topic?

Is there any research or guidelines out there regarding this topic?

Yes. Ask 12 managers and you'll get 18 opinions.

"as soon as the upgrade comes out, wait X amount of time, then incorporate the new version, regardless of what else is going on in the project or whether we need any new features or fixes".

Unthinking adherence to a schedule. Always a good idea.

"ignore all those upgrade emails and just upgrade if you need a new feature or fix"

"ignore"? How will you decide "if you need a new feature or fix" if you "ignore" notifications?

I have to assume that "ignore" doesn't mean "ignore" but means something else.

"wait till a natural slow point in development (whatever that is) then upgrade everything to the latest version"

Unthinking adherence to a schedule. Still a good idea.

Here's the bottom line.

You have to actually think about the upgrade and what it means.

• Security? High priority. You might want to stop development, test this, and put it in immediately.

• Bug Fix? High priority. You've been waiting for this. Of course you stop development, install it, and enjoy the benefits immediately.

• Random upgrade? Low priority. You might actually discuss this among developers and product owner to decide if you want it now or later.

There can't be a simple rule because there are so many different kinds of upgrades and so many different ways an upgrade will impact what you're delivering.

One rule of thumb is to avoid updating third-party components near the end of a release or iteration -- unless there's a damn good reason to make an exception.

As you note, updating a third-party component introduces additional cost. It also introduces additional risk. As you approach a ship date, acceptable levels of risk decrease.

As S. Lott mentions, there are sometimes exceptions. Security updates, bug fixes and enhancements might be important to your product -- or not.