John Tolar (JT)
Open to Engineering Manager / Director rolesLet's connect
Cases/A Minor Dependency Update Broke Production for 12 Hours
Incident Response

A Minor Dependency Update Broke Production for 12 Hours

A routine patch update to a date-formatting library changed its locale handling. The change was semver-compliant. Tests passed. The bug shipped to production and silently corrupted date-sensitive financial reports for 12 hours.

What's at stake
  • Financial reports rendering incorrect dates for 12 hours before detection
  • Downstream systems consuming the reports ingested corrupted data
  • Semver-compliant update passed all existing tests

Financial reports with wrong dates aren't just cosmetically broken — they trigger compliance violations when audited. Downstream systems that ingested the corrupted reports needed to be identified, notified, and re-fed corrected data. The blast radius extended beyond the application boundary.

The Scenario

You're the platform lead at a financial services company. A patch update to a date-formatting library shipped through your automated dependency pipeline and changed how dates render in certain locales. Tests passed — they don't cover locale-specific formatting. Financial reports have been rendering incorrect dates for 12 hours. You've identified the cause. What do you do about the dependency pipeline?

No hints. Just judgment.

The common mistake

Adding tests for the specific failure mode that just occurred is the intuitive response — close the gap that was exposed. But dependency changes are unpredictable by nature. You can't write tests for behavioral changes you haven't imagined yet. Test coverage for known failure modes is necessary but not sufficient. The gap that matters isn't the missing test — it's the missing validation layer between dependency change and production.

Lessons
  • Semver compliance doesn't guarantee behavioral compatibility — a bug fix in the library can be a breaking change in your application
  • Test passage validates logic, not behavior — add output validation for critical paths
  • Locking dependencies trades surprise breaks for unpatched vulnerabilities
  • The right gate between dependencies and production is behavioral validation, not just automated tests
  • Downstream blast radius matters — a bug in your output becomes a bug in every system that consumes it
Impact
  • Staged dependency pipeline caught 3 behavioral regressions in the first quarter
  • Zero dependency-related production incidents in the following 6 months
  • Output baseline validation adopted for all financial report paths
  • Mean time to dependency promotion: 4 hours (from 0), with full behavioral validation
← Back to all cases

Related

Incident Response

Production Pods Were Restarting Randomly

A production incident involving intermittent connection failures and unstable recovery behavior. The fix was surgical. The real lesson was about what not to do first.

Read more Incident Response

A Feature Flag We Forgot About Caused a Production Incident

A feature flag created 18 months ago was still in the codebase. When the flag provider had a timeout, the flag evaluated to its default value — which no longer matched the state of the system. The result was a data corruption bug that took three days to fully remediate.

Read more