At work in the middle of the night because of the stupid annoying criminals who exploit security holes for their own nefarious purposes; in this case, distributing pornography and malware.
I've found this to be the dark side of using open source web software. Exploits get published, and then these lowlifes write scripts to seek out and exploit vulnerable installations. Software I write myself is far less likely to get exploited, for two reasons:
a. Nobody knows I exist, and
b. Nobody researches and publishes security holes in my programs.
Good, old fashioned security through obscurity. It works - most of the time.
Now, the projects fix the holes, but staying on top of the newest releases of everything I use is tough for me - I'm a part-time student employee and the only maintainer of a college department web site. I have enough other things to do that updates fall by the wayside - especially when I need to re-apply modifications to the new version.
That's what I'm doing now. An extensively modified app got exploited, and it's heavily used too, so I'm doing the upgrade in the middle of the night. Worse, we have three instances that have been customized in different ways. Sigh.
At least the users will get a better experience out of the deal.