Introduction

No one gets excited about technical debt, but when your APEX instance is still on 18.2 (or earlier), its “interest clock” is already ticking.

Oracle offers full support for only 18 months per APEX release. Upgrading usually takes less time than your weekly sprint demo; yet, thousands of production apps still run on outdated versions.

Staying current isn’t just about running the latest APEX version. It’s about proactively addressing deprecated features and aligning Instance, Workspace, and Applications settings with the latest features.

This post will follow a case study of a client running on-premises APEX (18.2) who is migrating to an Autonomous Transaction Processing Database (ATP) instance running on Oracle Cloud Infrastructure (OCI).

Case Study

The client went live with their old system when APEX 18.2 came out in the fall of 2018 (seven years ago). Premier support for APEX 18.2 ran out at the end of March 2023 (two years ago). I thought, “Wow, this client has been running their APEX environment for seven years and has had virtually no maintenance costs.”

APEX Remediations

This section describes APEX remediations I discovered while assessing the client’s APEX 18.2 environment for upgrade to APEX 24.2.

Include Legacy JavaScript

There are two checkboxes: ‘Pre 18.1’ and ‘18.x’. They tell APEX to load legacy JavaScript libraries found in /i/libraries/apex/legacy*.js. These incur unnecessary overhead and indicate that you are not taking good care of your APEX environment!

Include jQuery Migrate

Similar to the previous option, this is a crutch for Apps using legacy jQuery code.

Compatibility Mode

Certain APEX runtime behaviors change from one release to the next. This option allows you to avoid the impact of these changes during an upgrade. The release notes list compatibility mode changes dating back to APEX 4.1.

Upgrade Universal Theme

Not on the Universal Theme - Yikes!

In this use case, one of the apps did not use the Universal Theme. Migrating from legacy themes to the Universal Theme is a significant undertaking and will likely require remediation and possibly even a UI redesign. See the ‘Migrating from Other Themes’ tab of the Migration Guide in the APEX Universal Theme App to learn how to migrate to the Universal Theme.

Refreshing the Universal Theme

Assuming your Apps are using the Universal Theme, the steps to refresh it are simple and are laid out in the ‘Refresh Universal Theme’ tab of the Migration Guide in the APEX Universal Theme App.

Upgrade Application

Specific APEX components undergo changes in their implementation. For example, between APEX 23.1 and APEX 24.1, the Rich Text Editor changed frameworks three times from CKEditor > Tiny MCE > Oracle Rich Text Library. The Date Picker has undergone similar changes to its implementation.

While APEX does a good job of allowing old implementations to work alongside the new, it is good practice to update to the latest implementation when you upgrade APEX.

One way to do this is to run the Upgrade Application utility. This will provide a report of components that you should transition to, along with suggestions on changes to make based on updates to existing components.

While not all suggestions need to be actioned, it is worth checking this report after every upgrade. For example, in the above report, ‘Upgrade jQuery Date Picker to new Date Picker’ should be addressed.

Check Security Settings

This exercise provides an excellent opportunity to ensure that you have all the recommended security settings in place. While this list is not intended to be a comprehensive security checklist, it highlights settings that are incorrectly configured for this customer and are worth reviewing in your instance.

Application Level Authorization Scheme

Page Level Authorization Schemes

Application Security Runtime API Usage

These options restrict what impact an application can have on your APEX environment. For example, to use the API APEX_UTIL.CREATE_USER in an APEX Application, the application must permit modification of the workspace repository.

Bookmark Hash Function

This was set to MD5 and needed to be SHA-2, 512-bit.

Browser Caching

This was set on. I can’t think of any good reasons to have this switched on.

Session State Protection

Although this was set at the Application Level (which does nothing), it was only set for about half of the pages. Not having this set for every page makes URL tampering a real risk.

Session Management

While this was set for the applications in this case study, it is worth noting, especially for applications that haven’t been updated in a long time. Setting appropriate idle and session timeouts is essential.

Other Settings to Check

Friendly URLs

Enabling Friendly URLs changes how APEX handles URLs from the legacy f?p= syntax to a path-based syntax. It is also a prerequisite for enabling PWAs.

Progressive Web App

Enable the ‘Enable Progressive Web App’ setting as a minimum. This provides performance improvements by serving static files more efficiently using advanced caching. There are also other compelling PWA features worth considering.

Instance & Workspace Settings

As APEX evolves, new options are added at the Instance (INTERNAL/Administration Services) and Workspace levels. It is essential to verify these settings after an upgrade to ensure that any newly added options are configured correctly.

Instance

Some more recently added instance settings that you should check:

• Manage Instance > Security

  • AI Enabled (on by default)

  • Allow Persistent Auth (Off by default)

• Manage Instance > Instance Settings

  • Workflow Settings

  • Background Jobs

Not recent but worth checking anyway:

• Manage Instance > Security > Require HTTPS (should be on)

Workspace

Some more recently added workspace settings that you should check:

• Manage Workspaces > Existing Workspaces > Edit Workspace Information

  • AI Enabled

  • Maximum Background Page Process Jobs (on-premise only)

Plugins

The applications that were part of this exercise used five plugins. All of them are no longer actively supported. The good news is that they can all be replaced with standard functionality in APEX 24.2.

Tabular Forms

Tabular forms were used extensively. Tabular forms were deprecated in APEX 20.1 and are considered legacy.

Deprecated & De-Supported Features/APIs

Check for references to deprecated APEX features, PL/SQL, and JavaScript APIs. In my use case, I found calls to htmldb_mail.SEND and wwv_flow_mail.push_queue and usage of legacy data load definitions and tabular forms.

Modern Authentication

For this use case, the customer utilized a custom table-based Authentication Scheme with plain-text passwords. Legacy apps often use hardcoded custom authentication schemes that are now better handled with APEX Social sign-on and modern authentication providers, such as Active Directory and Okta.

This even applies to APEX Builder. Configuring APEX Builder to use SSO enhances the security of your development environment and streamlines login for your developers.

APEX Advisor

The APEX advisor appears to be receiving more attention from the APEX development team, and as of APEX 24.2, is starting to provide valuable insights again.

Release Notes

If all you did for each APEX upgrade were to read the release notes, you would be more than halfway there. Just look at the index. Why would you not want to know these things before upgrading?

What About ORDS?

Everything I have said about APEX applies to Oracle REST Data Services (ORDS). In every release, ORDS introduces new features, deprecations, performance improvements, and bug fixes. In short, whatever steps you take for APEX, you should also take for ORDS.

What About the Database?

The great thing about APEX running in the database is that with each major database release, APEX receives a direct boost in functionality and performance enhancements. When performing a database upgrade, review the new features to identify areas where you can utilize modern approaches and features. Some examples in 19c and 23ai include:

• Significant improvements to how you handle JSON in the database. This includes much more efficient JSON Parsing since 19c. It also enables the inclusion of additional attributes in a JSON column.

• Vector/Semantic search in 23ai significantly enhances search and serves as the building block for AI techniques, such as Retrieval-Augmented Generation (RAG).

• SQL Macros (since 19c) allow you to create parameterized views, which can boost the performance of your APEX reports.

• JSON Relational Duality Views provide a configurable JSON interface to relational tables.

Reasons to Stay Up to Date

1. Oracle Support - After a new version of APEX is released, Oracle provides support for it for 18 months.

2. Security - By running the latest version, you are running the most secure version of APEX. Also, remember to update the recommended security settings accordingly.

3. Return on Investment - Take advantage of the latest groundbreaking features by running the latest APEX version and enabling new features.

4. Performance - Take advantage of performance improvements included in the latest version.

5. Developer Productivity - The latest features make building APEX Apps even quicker.

6. Developer Sanity - Keep your developers happy (no one wants to be working on APEX 18.2).

Reasons Why We Don’t Stay Up to Date

For every reason why it is a good idea to stay up to date, there is another reason why people don’t:

1. Fear of breaking Apps with a lot of Custom JavaScript.

2. Fear of breaking something by making changes to settings.

3. Fear of breaking Plugins.

4. Lack of Resources to remediate and or regression test after every upgrade.

5. Locked into a Custom Theme that cannot be refreshed or converted to the Universal Theme.

How Can I Avoid This Fate?

Follow these steps to avoid the fate of the customer in my use case:

1. Avoid plugins unless they provide a measurable differentiator for your business. For example, APEX Office Print from United Codes provides functionality fundamental to business applications that are not available in APEX out of the box.

2. If your business depends on a Plugin, make sure you either know how to fix it yourself or that a reputable company, such as United Codes, supports it.

3. Check the release notes to see if the latest version has a feature that allows you to remove a plugin or simplify code.

4. Avoid JavaScript unless it is going to provide a measurable business impact.

5. Do not unsubscribe from the Universal Theme.

6. Upgrade APEX (and ORDS) at least once a year.

7. Read the release notes for every APEX release.

8. If you do not address the remediation issue in the current upgrade cycle, at least document it so that you are aware of the technical debt you are accumulating by not taking action. Documenting deferred remediations has the added benefit of giving you a list to process throughout the year. I suggest leaking them into your sprints while working on other changes to your Apps. You could also reserve a couple of dedicated sprints each year to handle remediation issues.

9. Build regression test scripts (manual or automated) to allow you to run regressions after each upgrade.

Conclusion

An aging APEX environment rarely screams for attention. All the same, it quietly accumulates risk, inefficiency, and missed opportunity. As this case study shows, the illusion of stability can mask a mounting backlog of deprecated features, security gaps, and unsupported components.

The payoff is modern security, faster performance, happier developers, and the freedom to adopt new features with confidence. Don’t let inertia become your architecture. Make staying current part of your culture, not just your roadmap.