Tag. Publish. Hope.

Think about how carefully we ship applications: staged rollouts, canary analysis, automated rollback, observability at every step. Now think about how we ship libraries: Tag a version. Publish. Hope.

At Netflix, this blind spot caught up with us across thousands of libraries and 5,000+ repositories. Upgrades broke services overnight because nobody could see the blast radius beforehand. Security patches took days because we couldn't answer "which libraries actually matter." Teams deprecated libraries with no way to tell consumers "hey, start planning your move." So we set out to build a paved road for libraries.

Once we started digging, things got uncomfortable. Many libraries we considered "actively maintained" hadn't had a real human change in over a year, just bots keeping the lights on. We kicked off a major migration and couldn't tell which repos would be affected for over half the fleet. Basic questions, no answers. But the hardest part wasn't technical. It was cultural: how do you bring lifecycle governance to an org that values speed and autonomy without becoming the team everyone routes around?

This talk is about what we're learning as we build that paved road. It's an ongoing effort, not a finished product. I'll walk through the five things we think it needs: stability signals, compatibility validation, impact visibility, lifecycle communication, and proportional escalation. I'll share why we bet on tools that inform instead of block, why we started small and earned trust before scaling, and why "people decide, tools guide" became our north star.

We're also still figuring some things out. Where's the line between healthy maintenance and slow-motion abandonment? When should advisory become enforcement? How do you measure library health without turning it into a vanity metric?

We're done tagging, publishing, and hoping.