diff --git a/Dockerfile b/Dockerfile index 8ccf00f..13c43b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ ARG RUNTIME_VERSION="3.10" ARG DISTRO_VERSION="3.16" -ARG PULUMI_VERSION="3.36.0" +ARG PULUMI_VERSION="3.38.0" FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION} AS builder ARG PULUMI_VERSION diff --git a/cloudbender/cli.py b/cloudbender/cli.py index f08f39a..83a7367 100644 --- a/cloudbender/cli.py +++ b/cloudbender/cli.py @@ -444,14 +444,19 @@ def _provision(cb, stacks): """Utility function to reuse code between tasks""" for step in sort_stacks(cb, stacks): if step: - # if there are any Pulumi stacks in the step execute serial + # Pulumi is not thread safe, so for now one by one if _anyPulumi(step): for stack in step: - status = stack.get_status() - if not status: - stack.create() + if stack.mode != "pulumi": + status = stack.get_status() + if not status: + stack.create() + else: + stack.update() + + # Pulumi only needs "up" else: - stack.update() + stack.create() else: with ThreadPoolExecutor(max_workers=len(step)) as group: diff --git a/cloudbender/pulumi.py b/cloudbender/pulumi.py index ea710a4..52908a6 100644 --- a/cloudbender/pulumi.py +++ b/cloudbender/pulumi.py @@ -109,12 +109,11 @@ def pulumi_ws(func): except KeyError: raise KeyError("Missing pulumi.backend setting !") + # Ugly hack as Pulumi currently doesnt support MFA_TOKENs during role assumptions + # Do NOT set them via 'aws:secretKey' as they end up in the self.json in plain text !!! account_id = self.connection_manager.call( "sts", "get_caller_identity", profile=self.profile, region=self.region )["Account"] - - # Ugly hack as Pulumi currently doesnt support MFA_TOKENs during role assumptions - # Do NOT set them via 'aws:secretKey' as they end up in the self.json in plain text !!! self.connection_manager.exportProfileEnv() # Secrets provider diff --git a/cloudbender/stack.py b/cloudbender/stack.py index cf07e95..add3677 100644 --- a/cloudbender/stack.py +++ b/cloudbender/stack.py 
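Review bot: Pulumi-mode stacks in the serial branch of `_provision` now go straight to `stack.create()` without calling `stack.get_status()`, so nothing on this path checks for a leftover CloudFormation stack before running "up". Judging by its log message, the check this commit removes from `Stack.update()` in cloudbender/stack.py was what stopped such a run, and no replacement is visible here. If that protection is still wanted, keep a status check in the Pulumi branch and skip the stack with an error when it reports an existing stack. Testing the positive case first would also put the comment inside the branch it describes: `if stack.mode == "pulumi":` with `# Pulumi only needs "up"` and `stack.create()` under it, then `elif stack.get_status(): stack.update()` and `else: stack.create()`. Indentation is lost on this page, so the pairing of the two `else:` lines is inferred from the hunk's line order.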
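Review bot: The two-line comment about the MFA workaround and the `'aws:secretKey'` warning now sits above the `get_caller_identity` call instead of directly above `self.connection_manager.exportProfileEnv()`, which is the call it appears to explain. Keeping it next to `exportProfileEnv()` preserves the warning where a maintainer would look before changing how credentials reach Pulumi. It would also help to record the trade-off, for example `# Credentials are exported into this process's environment instead; child processes inherit them`, assuming that is what `exportProfileEnv()` does, as its name suggests. The body of `pulumi_ws` starts and ends outside this hunk.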
@@ -782,20 +782,10 @@ class Stack(object): return status - @pulumi_ws @exec_hooks def update(self): """Updates an existing stack""" - # We cannot migrate directly so bail out if CFN stack still exists - if self.mode == "pulumi": - logger.error( - "Cloudformation stack {} still exists, cannot use Pulumi!".format( - self.stackname - ) - ) - return - # Prepare parameters self.resolve_parameters() diff --git a/requirements.txt b/requirements.txt index 2fef9e7..8a353c5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,10 +5,11 @@ click pexpect python-minifier cfn-lint>=0.34 -pulumi>=3.35.0 +pulumi>=3.38.0 pulumi-aws>5.0.0 pulumi-aws-native pulumi-policy +pulumi-command # flake8 # pytest
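Review bot: `update()` loses both the `@pulumi_ws` decorator and the `self.mode == "pulumi"` early return, so a call on a Pulumi-mode stack now continues into `self.resolve_parameters()` and the rest of the method. The only visible protection is the `stack.mode != "pulumi"` test added to `_provision` in cloudbender/cli.py, and other callers of `update()` are not shown in this diff. A fail-closed guard with an accurate message would keep the method safe on its own: `if self.mode == "pulumi":` followed by `logger.error("update() is not used for Pulumi stack {}, run create instead".format(self.stackname))` and `return`. The docstring could state the same restriction, that Pulumi stacks are driven through `create()`. The body of `update()` continues past the end of the hunk.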
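Review bot: `pulumi-command` is added without any version constraint, like `pulumi-aws-native` and `pulumi-policy` next to it, so each image build installs whatever release is current at that moment. For a provider package installed into a tool that works with cloud credentials, a reviewed pin such as `pulumi-command==<REVIEWED_VERSION>` (placeholder) or a hash-checked constraints file makes the change auditable and the build repeatable. In addition, `pulumi>=3.38.0` lets the Python SDK move ahead of the CLI, which the Dockerfile fixes at `PULUMI_VERSION="3.38.0"`; `pulumi==3.38.0` would keep the two in step.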