
> A $40/mo VPS.

> This has worked for years with zero maintenance.

Do you apply security updates, e.g. for Caddy, the OS, db, etc.?




Yeah, every so often I spend 5 minutes and run apt upgrade. I don't think the DB has ever been upgraded because there's no reason to. It's not exposed to the Internet anyway.


Your DB doesn't need to be connected to the internet for untrusted users to have a path for interacting with it. I assume your application sends queries to it, for example. And users give your application the parameters for those queries.

And that's when things are working as expected. All it takes is for one of your non-DB services to be compromised, and an attacker can now connect to the DB on localhost. That's why it's best practice to put a secure password on your DB even if you only expect connections from local services. And yes, you should upgrade it too... or at least apply security patches.


Lol, the number of databases running real production heavy workloads for the biggest companies in the world that haven't been updated in 10y is probably very high :) at least the ones I've seen...


Yes, database connections are password protected.



