Comment by londons_explore

If I were designing the software, there would be a module which can upgrade a file format from version N to N+1.

That code is written in some kind of sandboxed VM/bytecode. You freeze the bytecode when you release a version.

When you release version 20 of the app, it has bytecode to convert 1 -> 2, 2->3, 3->4, etc, all the way to version 20. When it finds an old file, it runs all the updates as necessary.

If there is a bug in the updaters, it stays there forever.

If there is a security problem with the updaters, thats whats the sandbox is for.