Beginning on March 1, 2017, Pivotal Cloud Foundry buildpacks will be updated monthly with each Pivotal Application Service release. This will make sure buildpacks stay up to date with security vulnerabilities, bug fixes, and new features. See below for more details.

In order to distribute buildpack security and bug fixes more quickly, simplify buildpack maintenance, and ensure platform components are compatible with buildpack updates, Pivotal is changing how buildpack updates are distributed to customers. This new approach is simpler for PCF operators and has fewer steps required to keep the platform up to date.

Currently, the buildpacks that are automatically deployed with Pivotal Application Service are only updated in minor releases of Pivotal Application Service. This means that deploying Pivotal Application Service 1.9.2 currently replaces your system buildpacks with the same buildpack versions that shipped with Pivotal Application Service 1.9.0.

After March 1, 2017, new monthly patch releases of Pivotal Application Service 1.8 and 1.9 will include the latest available versions of their included buildpacks. Furthermore, if a critical security vulnerability is discovered that affects a buildpack included with Pivotal Application Service, a Pivotal Application Service patch release will be created immediately after the vulnerability is addressed in the buildpack.

Best Practices for Buildpacks

Moving forward, we recommend that customers use Pivotal Application Service patch releases to keep their buildpacks updated. This means that we no longer recommend modifying the buildpacks that are included with Pivotal Application Service. This allows us to make stronger guarantees about the compatibility between the included buildpacks and your PCF deployment.

Please ensure that the buildpacks are not locked before upgrading to the latest Pivotal Application Service release. This can be verified by running `cf buildpacks` and reviewing the `locked` column in the output. If there are locked buildpacks please use the instructions here to modify the locked value to false.

We believe that buildpacks should always be kept up-to-date to mitigate any security issues with running old versions of the technology runtimes provided with the buildpacks. That said, we realize that some customers may not want the buildpacks included with Pivotal Application Service to be updated this frequently. Although it is not recommended, old buildpacks may be added to your PCF installation with different names to avoid replacement when Pivotal Application Service is updated.

Buildpacks for Legacy Pivotal Application Service Releases

Customers that are using Pivotal Application Service releases prior to March 1, 2017 will be required to update buildpacks manually which has been the normal process. Notes on managing buildpacks for these older elastic runtime releases can be found in this article.

Please reach out to Support if you have any questions about this change.