In March 2024, I received a ticket to upgrade some dependencies: PHP 7.4 to PHP 8.2, along with WordPress and two PHP libraries that also needed upgrades to work with the latest version.
Note that this is a year and change after the PHP 7.4 end-of-life date, which was November of 2022. So this site has already been running an outdated and insecure version of PHP for a long, long time.
The main GitHub pull request says 1443 files were changed with +28,182 additions and −64,397 deletions. This is only because the vendor package files are committed to the repo. The actual number of files changed is -- wait for it -- 12. The actual number of lines of code changed -- 40. There are two other repositories that this code change touched, but I'd still estimate the actual, total number of changed lines is right around 100.
Most of the work looked something like this:
- $context[ 'term' ] = new Timber\Term();
+ $context[ 'term' ] = Timber::get_term();
The actual work lasted about two weeks. Most of the "two weeks" wasn't actually working on this. There were other priorities. It Could Have Been Faster™.
Once I wrapped up the work, the project manager literally ignored the ticket and refused to do QA. This is despite [1] me following up three times in as many weeks; [2] the project manager Slacking me to tell me they know they owed me a review.
I brought my manager in to the ticket, who was equally useless and asked one question to the client. It was also necessary for me to answer a very basic question, essentially amounting to how to run wp site list in WP-CLI to get the current domains out of the multisite environment. Not particularly useful.
I have legitimately no idea how the person responsible for the developer team productivity takes no action on the project manager's complete abdication of a core job responsibility. I have legitimately no idea how the same person is in charge of technical architecture and code work and can't answer that not-so-technical question. But hey, what do I know.
The project manager was "replaced." They did not suffer any actual consequence, just got moved off the project, and are currently free on newer and other projects to engage in such echelons of graceful project management expertise as:
- "lol I didn't follow up on that super important client question/request."
- "lol I don't have access to the thing I've accessed previously during screenshare, whose password lives in our shared password vault."
- my personal favorite -- sitting silently in meetings while vacantly staring at whatever on their screen, apparently a worthy presence despite zero contribution. Don't worry bro, no one actually sees you burning your timesheet, you're totally pulling the wool over our eyes (wait actually, shit, it is working -- nobody who actually cares about timesheets is detecting this farce).
Truly, we could all learn a little something about "success" from this human.
The new project manager moved things along at a better clip than "absolute zero" -- but by now the client also abandoned the ticket and didn't seem to care whether it moved or not.
I took a cue and let it sit the next month or three. I'd done my part in following up and escalating. I'm not going to be the only person tugging uselessly at sleeves trying to get something fixed. I have other things to do, and literally begging after people to do the bare minimum is not a particularly beloved experience.
Please note that I did underline -- several times and several ways -- that leaving an unsupported PHP version and out-of-date dependencies was not a good idea and was exposing the client to various security risks.
I did eventually escalate the ticket further to my skip-level manager. I got the response, "wow, this ticket is a legal liability for us, we're responsible for upgrading their dependencies, that's what they pay us for." Escalating was not helpful beyond that. That meeting was more or less an overarching "what can we do to make your job better?" type of conversation. The feedback I eventually extracted from it was "we need you to communicate more." Totally fair and accurate (sarcasm, very much sarcasm).
In ~January 2025, the client did start providing piecemeal feedback in drips and drabs. Hooray!
Except wait, what's this? There's a new ticket! The client started another ticket about the same site being vulnerable to XSS, even providing a neat proof of concept.
You may have already guessed... the dependency upgrades still languishing in the test environment did indeed fix the XSS.
A month later, March 2025, a full year after the ticket was initially opened -- we're finally almost ready to launch. The client provides one last bit of feedback -- some line heights in an unordered list had changed in an unobtrusive way no one would ever notice unless they compared side-by-side.
Truly the highest echelons of priority in the face of XSS vulnerabilities and now two-years-and-counting dead versions of PHP. The technical equivalent of rearranging deck chairs on the Titanic, critiquing the paint color on a collapsing bridge, shoveling snow in an avalanche.
The client organization pays us somewhere north of $150 per hour to upgrade dependencies and we can't even get that shit right.
The client point of contact is an extremely intelligent person with a Master's in Computer Science, with 10 years at this current job, who wrote most of the code and architected the sites we're now updating.
The client organization is very literally a top university in the entire US, if not the entire world, a "world class" research university.
The client site is the type where, if it were to be hacked, it would probably make the national news. This is also the type of high-profile site that some very nefarious people would just love the opportunity to deface or steal data from.
Pretty much the only saving grace is that this site lives on an isolated server environment and almost nothing of actual consequence, data-wise, could be extracted. It's a locked-down site not intended for public consumption, but it's essentially a sort of intranet and doesn't seem to host anything about (for example) students attending the school or professors who teach at the school. It doesn't have any access to deeper servers hosting actual research or other information of critical-priority importance. So there's that... tiny, tiny silver lining, I guess.
No one has any fucking clue what is going on. The people doing the actual work at the bottom are screaming and waving their arms and jumping up and down, while being ignored and informed it's a "not following up enough" personal failing. There is zero actual accountability for anything. No one gives a fuck now and no one will ever give a fuck until and unless it causes an actual problem. And then, of course, it will be a hair-in-fire, all-hands-on-deck, yelling and shouting emergency.
Dad has said to me many times over life that "codes are written in blood." He was an electrician before he retired and he stressed that to me. Rules about how things should be built and how work should progress are only rules because people very literally died when things were shoddily built and build rules were not followed. Digital infrastructure has no such visible carnage; the slow leak of all our passwords, personal information, and digital lives does not stain the pavement. So -- nobody seems to care.
It should not take twelve months to move 100 lines of code and some dependency upgrades from development to production. There is no universe in which this makes sense. We are not building or maintaining code that cannot be changed after the fact, this really isn't sending a rocket to the moon or shipping games on disc or running critical and life-saving medical technology or any other myriad situations where code really must be perfect.
This is a goddamn internal brochure site. It really isn't that hard.
(And I fucking hate the "it's not that hard" sentiment.
Because yes, actually, life is hard. Not only are there dozens of more important personal responsibilities that don't involve the soul-sucking slog of dependency upgrades, there is -- I promise, I swear! -- actual fun to be had in the enjoyment of being "alive and breathing." It is legitimately hard to dedicate time, cares, and attention to something as boring and terrible as this ticket.
I don't set full blame on any of the individual humans involved in this situation -- I do understand they're all probably subject to their own same death-by-a-thousand-cuts as I was through this ticket. I don't actually fault anyone for burning a timesheet in a meeting unproductively. I don't think it's possible or reasonable for a manager to know all the technical details of everything. I don't think it's possible to be accountable or responsible in environments such as these without literally losing your mind.)
But it does not have to be year-long torture-session hard. It should not take escalating through three levels of responsibility to -- wait, I forgot, escalating didn't actually do anything, so I might as well have simply not done that at all. Waste of time, waste of breath, waste of sanity.
I wish I could turn off the caring and happily, carefreely just ship slop along with everyone else but I cannot. This ticket lives in my head and bothers me. It doesn't haunt my every waking moment, no, but I've thought about it on and off over the past year and every time I growl a little void-flavored noise of frustration and pain. I don't particularly like or enjoy having work hanging over my head for a year, but I also let the ball drop. It is stupid-hard (impossible?) to continue caring when it's blatantly obvious almost no one else expends their precious fucks. If I still cared the way I cared in 2022 and earlier, I would very literally find myself in a padded room or with my arms flayed open wrist to elbow.
It is that degree of frustrating, disheartening, and straight-up crazymaking. I almost lost my head stressing about work once previously. I had to make myself okay with letting things fail and intentionally avoiding the assumption of excessive personal responsibility. Even though it still really bothers me when things like this do not get fixed in a timely manner, and everyone else involved seems more invested in career-building self-fellation or spreadsheet-reading or Tiktok doomscrolling or whatever the fuck it is they do at work instead of actually working.
I'm tired, boss.
This is the current state, in the Year of Our Lord 2025, of people you trust with your entire digital identity, your data, your actual important infrastructure.