Databases
Expand-contract: zero-downtime for breaking schema changes
Crux Any breaking change — rename, drop, type-change — decomposes into an expand (add) phase and a contract (remove) phase, each independently deployable and reversible.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyA team renames users.username to users.handle in one ALTER TABLE statement at deploy time. The migration commits instantly. But the rolling deploy is still in progress — old pods are still running SQL that references users.username. Every request from an old pod fails with “column does not exist”. A fast migration caused a real outage.
Why rename/drop/type-change cannot be done in one step
A rolling deploy — the only safe deploy strategy at any scale — runs old and new code simultaneously for seconds to minutes. If a migration commits before all old pods drain:
- Rename: old code references old column name →
column does not existerrors. - Drop: old code references dropped column → same.
- Type change: old code expects int, column is now text → type cast errors.
The invariant that must hold at every moment: the current schema is simultaneously compatible with the previous application version and the next one. A one-step rename, drop, or type change breaks this invariant.
The general expand-contract framework
Every breaking change decomposes into six phases:
| Phase | Migration action | Code action | Both versions compatible? |
|---|---|---|---|
| 1. Expand | Add new element alongside old | — | Yes — old code unaffected |
| 2. Dual-write | — | Write to both old and new | Yes — old reads old, new writes both |
| 3. Backfill | Copy historical data old → new in batches | — | Yes |
| 4. Cut over reads | — | Read from new, still write both | Yes — full rollback still possible |
| 5. Stop old writes | — | Write only to new | Yes — old element still present |
| 6. Contract | Drop the old element | — | Yes — no code references old element |
Column rename walkthrough: username → handle
The canonical example. Total span: 3–7 days.
Day 1 — Expand:
-- Migration 1: instant, no default
ALTER TABLE users ADD COLUMN handle TEXT;Day 1 — Dual-write deploy:
App code now writes both username and handle on every INSERT/UPDATE. Old code still reads username. New code reads username (for now).
Day 2 — Backfill:
-- Outside a migration transaction (batched loop):
UPDATE users SET handle = username
WHERE handle IS NULL
AND id BETWEEN :batch_start AND :batch_end;
-- Repeat until SELECT COUNT(*) FROM users WHERE handle IS NULL = 0Batches of 1k–10k rows, each a short transaction with pg_sleep(0.1) between.
Day 3 — Cut over reads:
Deploy code that reads handle exclusively. Writes still go to both columns. Watch dashboards for 24h.
Day 5 — Stop dual-write:
Deploy code that writes only handle. Wait for rolling deploy to complete.
Day 7 — Contract:
-- Migration 4: fast (metadata only)
ALTER TABLE users DROP COLUMN username;Every step is independently deployable and reversible. Zero-downtime throughout.
Down migrations are not rollback
Down migrations (reverse SQL of an up migration) appear in many tools (down.sql counterpart files). They work in development but are dangerous in production:
- A down migration that drops
handlealso destroys all the data that new code wrote to it. - If the up migration was
ADD COLUMN, the down isDROP COLUMN— destructive.
Production rollback is forward: write a new migration that corrects the problem, deploy it, and move forward. Treat down migrations as development scaffolding only.
- Typical span for a column rename
- 3–7 days
- Number of deploys for a column rename
- 5+ separate PRs
- Backfill batch size
- 1k–10k rows
- pg_sleep between batches
- 0.1 s (breathing room)
- Each phase: independently reversible?
- Yes
- Production rollback direction
- Forward (new migration)
Why this works
pgroll (by Xata) automates expand-contract via Postgres views. When you declare a migration that “renames username to handle”, pgroll creates a v1 view (exposes username) and a v2 view (exposes handle), both backed by the same underlying column, with triggers translating writes. Old pods connect with search_path = v1; new pods with search_path = v2. When migration completes, the v1 view is dropped. This collapses 5+ deploys into one declarative migration — at the cost of view-layer complexity in debugging and pg_dump output.
Quiz
Completed
Why can a direct RENAME COLUMN migration cause an outage during a rolling deploy?
Heads-up RENAME COLUMN is fast (metadata only). The problem is not the lock duration but the window where old code runs against a renamed schema.
Heads-up Postgres allows RENAME COLUMN with active connections; the issue is application-level compatibility during the deploy window.
Heads-up Application caches may be an issue, but the primary failure is live SQL references to the old column name from still-running old pods.
Quiz
Completed
At which phase of expand-contract is rollback easiest, and why?
Heads-up After the contract, the old element is gone — rollback would require restoring it from backup.
Heads-up Rollback during backfill is possible but requires stopping the backfill and cleaning up partial data.
Heads-up Before expand, no change has happened — but this is not a phase of the pattern itself.
Quiz
Completed
A team runs a down migration in production that drops the new column added in the up migration. What data is lost?
Heads-up The new app code writes to the new column from the moment the up migration completes; that data is dropped.
Heads-up DROP COLUMN removes both the definition and all stored values for that column.
Heads-up Postgres does not protect you from dropping columns with data; it executes DROP COLUMN as given.
- 01State the core invariant of expand-contract and explain why skipping the dual-write phase breaks it.
- 02Walk through the six phases of rename: username → handle, naming the migration or code change at each step.
- 03Why are down migrations unsafe in production and what is the correct production rollback strategy?
Recap
Expand-contract is the only correct pattern for zero-downtime rename, drop, or type-change migrations. It maintains a schema superset at every moment: both old and new code versions run simultaneously against a schema that supports both. A column rename becomes five independent deploys over 3–7 days: add new column (expand), deploy dual-write code, backfill historical rows in batches, deploy read-swap code, deploy drop-old-write code, then drop the old column (contract). Down migrations appear safe but destroy data already written by the new code; production rollback is always a forward migration that fixes the problem.
Connected lessons
deepens into
appears again in140
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior