<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: endoflife-ai</title>
    <description>The latest articles on DEV Community by endoflife-ai (@endoflifeai).</description>
    <link>https://dev.to/endoflifeai</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3921242%2Fb89c05cb-aee1-49c6-b4b9-11d2c94028a8.png</url>
      <title>DEV Community: endoflife-ai</title>
      <link>https://dev.to/endoflifeai</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/endoflifeai"/>
    <language>en</language>
    <item>
      <title>endoflife.ai is now available as an MCP server</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Tue, 30 Jun 2026 15:19:43 +0000</pubDate>
      <link>https://dev.to/endoflifeai/endoflifeai-is-now-available-as-an-mcp-server-3do0</link>
      <guid>https://dev.to/endoflifeai/endoflifeai-is-now-available-as-an-mcp-server-3do0</guid>
      <description>&lt;p&gt;AI agents can now query software end-of-life dates and EOL Risk Scores directly from endoflife.ai — 459+ products, 8,000+ versions, updated daily.&lt;/p&gt;

&lt;p&gt;Connect it in one line:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"mcpServers"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"endoflife"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"url"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"https://mcp.endoflife.ai"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Ask your agent "is Node 18 still supported?" or "what's the risk score for PostgreSQL 14?" and get a live answer pulled from our dataset — including whether the product appears on CISA's Known Exploited Vulnerabilities list.&lt;/p&gt;

&lt;p&gt;No API key required. Full docs at &lt;a href="https://endoflife.ai/mcp" rel="noopener noreferrer"&gt;https://endoflife.ai/mcp&lt;/a&gt;&lt;/p&gt;

</description>
      <category>mcp</category>
      <category>ai</category>
      <category>devtools</category>
      <category>security</category>
    </item>
    <item>
      <title>Ember.js End of Life: The LTS Cadence &amp; Every Version EOL Date</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:39:19 +0000</pubDate>
      <link>https://dev.to/endoflifeai/emberjs-end-of-life-the-lts-cadence-every-version-eol-date-1463</link>
      <guid>https://dev.to/endoflifeai/emberjs-end-of-life-the-lts-cadence-every-version-eol-date-1463</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-emberjs-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Ember.js moves on a steady release train, designating Long-Term Support (LTS) releases on a regular cadence — which means older versions reach end of life just as steadily. As of now, &lt;strong&gt;Ember 6.x is the current line&lt;/strong&gt;, with &lt;strong&gt;6.8 and later supported&lt;/strong&gt;; &lt;strong&gt;Ember 6.4 reached EOL on June 21, 2026&lt;/strong&gt;, and &lt;strong&gt;every 5.x release and earlier is end of life&lt;/strong&gt;, including the once-ubiquitous 3.28 LTS.&lt;/p&gt;

&lt;h2&gt;
  
  
  Ember version EOL schedule
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;End of Life&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Ember ≤ 4.x&lt;/td&gt;
&lt;td&gt;2023 – 2024&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 5.4 (LTS)&lt;/td&gt;
&lt;td&gt;Dec 22, 2024&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;55&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 5.8 (LTS)&lt;/td&gt;
&lt;td&gt;Jun 15, 2025&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;50&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 5.12 (LTS)&lt;/td&gt;
&lt;td&gt;Oct 12, 2025&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;50&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 6.4 (LTS)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Jun 21, 2026&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Just EOL&lt;/td&gt;
&lt;td&gt;35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 6.8 (LTS)&lt;/td&gt;
&lt;td&gt;Dec 7, 2026&lt;/td&gt;
&lt;td&gt;Supported&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ember 6.11+ (latest)&lt;/td&gt;
&lt;td&gt;Active&lt;/td&gt;
&lt;td&gt;Current&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  How Ember's LTS cadence works
&lt;/h2&gt;

&lt;p&gt;Ember releases on a roughly six-week train and periodically blesses a release as &lt;strong&gt;LTS&lt;/strong&gt;. The LTS releases are what most teams target — they get a longer, fixed support window than the six-week releases. When that window ends, the LTS (and everything before it) is EOL.&lt;/p&gt;

&lt;p&gt;A new LTS arrives roughly every couple of quarters, and an older one drops off at a similar rhythm. Like Angular, Ember rewards a standing upgrade habit: stay on the current or immediately-previous LTS and upgrades are small; let several windows pass and the gap compounds.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Target the LTS, not the bleeding edge.&lt;/strong&gt; Pin to the most recent LTS (or the one just behind it with an upgrade scheduled), put its EOL date in your roadmap, and move before it lands.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The Octane shift — why 3.x apps got stuck
&lt;/h2&gt;

&lt;p&gt;The reason so many Ember apps are stranded years back isn't the cadence — it's &lt;strong&gt;Octane&lt;/strong&gt;. Ember Octane (default in the 3.x series) modernised Ember substantially: Glimmer components, tracked properties, native classes, and a move away from the classic object model. A genuine improvement, but it changed enough idioms that migrating a large classic-Ember app is real work.&lt;/p&gt;

&lt;p&gt;Many teams paused on a late classic 3.x release — &lt;strong&gt;3.28 being the common resting point&lt;/strong&gt; — and never jumped. Those apps are now multiple majors and several years past EOL (3.28 has been EOL since January 2023).&lt;/p&gt;

&lt;h2&gt;
  
  
  Ember 6.x — the supported line
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ember 6.8 LTS&lt;/strong&gt; (supported through December 2026) is the conservative target; the latest release (6.11+) carries the newest features and longest runway. Both score 20 (Low). Modern Ember is Octane-by-default and considerably leaner than the 3.x-era apps people remember.&lt;/p&gt;

&lt;h2&gt;
  
  
  Upgrading with ember-cli-update
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Find your version and LTS gap.&lt;/strong&gt; &lt;code&gt;ember --version&lt;/code&gt; + &lt;code&gt;package.json&lt;/code&gt;, cross-referenced against the table.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run &lt;a href="https://github.com/ember-cli/ember-cli-update" rel="noopener noreferrer"&gt;ember-cli-update&lt;/a&gt;, one LTS at a time.&lt;/strong&gt; It migrates files/config toward a target and surfaces diffs to resolve. Step LTS to LTS rather than jumping the whole gap.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Clear deprecations before each major.&lt;/strong&gt; Ember's deprecation warnings are your migration checklist.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Adopt Octane idioms where you're still classic.&lt;/strong&gt; Glimmer components, tracked properties, native classes — codemods handle much of it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Update addons in lockstep.&lt;/strong&gt; A lagging addon is the most common blocker; replace any that are abandoned.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Stranded on classic Ember?
&lt;/h2&gt;

&lt;p&gt;Apps pinned to 3.28 or earlier sometimes need a real, scheduled project to reach a supported 6.x — the Octane jump plus the version gap is genuine work. &lt;strong&gt;Extended support&lt;/strong&gt; can keep an EOL Ember app patched in the interim.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Full guide, live per-LTS Risk Scores, and the rest of the framework lifecycle data at &lt;a href="https://endoflife.ai/article-emberjs-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. Check your whole stack free with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>webdev</category>
      <category>ember</category>
      <category>frontend</category>
    </item>
    <item>
      <title>Bootstrap End of Life: EOL Dates &amp; the jQuery Problem</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:38:26 +0000</pubDate>
      <link>https://dev.to/endoflifeai/bootstrap-end-of-life-eol-dates-the-jquery-problem-53b0</link>
      <guid>https://dev.to/endoflifeai/bootstrap-end-of-life-eol-dates-the-jquery-problem-53b0</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-bootstrap-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Bootstrap is one of the most widely deployed front-end frameworks on the web — and most of that deployment is on versions that are &lt;strong&gt;end of life&lt;/strong&gt;. &lt;strong&gt;Bootstrap 5 is the only maintained line&lt;/strong&gt; (Risk Score 20, Low). Bootstrap 4 reached &lt;strong&gt;end of life on December 31, 2022&lt;/strong&gt;, Bootstrap 3 back in &lt;strong&gt;July 2019&lt;/strong&gt;, and Bootstrap 2 over a decade ago — yet millions of production sites still run 3 and 4.&lt;/p&gt;

&lt;p&gt;And Bootstrap carries a risk most CSS frameworks don't: &lt;strong&gt;Bootstrap 3 and 4 depend on jQuery&lt;/strong&gt;, so running them means running a &lt;em&gt;second&lt;/em&gt; end-of-life dependency.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bootstrap version EOL schedule
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;End of Life&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Bootstrap 2&lt;/td&gt;
&lt;td&gt;Aug 18, 2013&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Bootstrap 3&lt;/td&gt;
&lt;td&gt;Jul 23, 2019&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Bootstrap 4&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Dec 31, 2022&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Bootstrap 5 (current)&lt;/td&gt;
&lt;td&gt;Maintained&lt;/td&gt;
&lt;td&gt;Supported&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  The real risk of EOL Bootstrap
&lt;/h2&gt;

&lt;p&gt;Bootstrap is mostly CSS, so how dangerous is an EOL version really? Less acutely dangerous than an EOL database or runtime, but not zero — and concentrated in three places:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The JavaScript components.&lt;/strong&gt; Tooltips, popovers, modals, the data-attribute API process input and write to the DOM. Older Bootstrap had real XSS vulnerabilities in exactly these (the &lt;code&gt;data-*&lt;/code&gt; sanitizer in particular), patched in later 3.x/4.x point releases. Pinned to an old minor? You may be missing those fixes, with no more coming.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The frozen ecosystem.&lt;/strong&gt; EOL Bootstrap locks you to themes, plugins, and build tooling that are themselves unmaintained — and, for 3/4, to a specific old jQuery.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Browser drift.&lt;/strong&gt; Layout/behaviour bugs accumulate as browsers evolve, never to be fixed upstream.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The jQuery problem in Bootstrap 3 &amp;amp; 4
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Bootstrap 3 and 4 require jQuery — Bootstrap 5 removed it entirely.&lt;/strong&gt; So an EOL Bootstrap 3/4 site is almost always also shipping jQuery, usually an old one. Any jQuery below 3.5.0 carries known XSS (CVE-2020-11022/11023). "We're just on old Bootstrap" frequently means "we're also serving vulnerable jQuery" — two EOL dependencies for the price of one.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Upgrading to Bootstrap 5 isn't only a CSS modernisation — it &lt;em&gt;removes&lt;/em&gt; the jQuery dependency (Bootstrap 5's JS is vanilla), eliminating an entire class of EOL exposure in one move. See the &lt;a href="https://endoflife.ai/article-jquery-eol" rel="noopener noreferrer"&gt;jQuery EOL guide&lt;/a&gt; for which jQuery versions are dangerous.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bootstrap 5 — the maintained line
&lt;/h2&gt;

&lt;p&gt;Bootstrap 5 is the only line still receiving updates (Risk Score 20). It dropped jQuery for vanilla JS, added a CSS custom-properties layer, expanded the utility API, and added built-in RTL support. &lt;strong&gt;Moving Bootstrap 4 → 5 also sheds the jQuery liability — the rare upgrade that reduces your dependency count rather than growing it.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Migrating to Bootstrap 5
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Confirm which Bootstrap (and jQuery) you ship.&lt;/strong&gt; Check your bundle, not your &lt;code&gt;package.json&lt;/code&gt; — old Bootstrap hides in vendored CSS and CMS themes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Update the class names.&lt;/strong&gt; &lt;code&gt;ml-*&lt;/code&gt;/&lt;code&gt;mr-*&lt;/code&gt; → &lt;code&gt;ms-*&lt;/code&gt;/&lt;code&gt;me-*&lt;/code&gt;, &lt;code&gt;.no-gutters&lt;/code&gt; → &lt;code&gt;.g-0&lt;/code&gt;, &lt;code&gt;.custom-*&lt;/code&gt; form classes folded into &lt;code&gt;.form-*&lt;/code&gt;, and &lt;code&gt;data-*&lt;/code&gt; gained a &lt;code&gt;bs-&lt;/code&gt; prefix (&lt;code&gt;data-bs-toggle&lt;/code&gt;). Mostly find-and-replace.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Remove jQuery-dependent JavaScript.&lt;/strong&gt; Replace &lt;code&gt;$('...').modal()&lt;/code&gt;-style calls with the Bootstrap 5 JS API; audit your own code so you can drop jQuery entirely.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Re-test interactive components and responsive layouts.&lt;/strong&gt; Modals, dropdowns, tooltips, the grid, custom themes. Note: Bootstrap 5 dropped IE support.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Adopt the new layers as you go.&lt;/strong&gt; Lean on CSS custom properties and the utility API to retire bespoke overrides.&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;&lt;em&gt;Full guide and live data at &lt;a href="https://endoflife.ai/article-bootstrap-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. Bootstrap rarely travels alone — scan your whole front-end free with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>css</category>
      <category>webdev</category>
      <category>javascript</category>
      <category>frontend</category>
    </item>
    <item>
      <title>jQuery End of Life: What's Actually EOL (and What Isn't)</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:37:22 +0000</pubDate>
      <link>https://dev.to/endoflifeai/jquery-end-of-life-whats-actually-eol-and-what-isnt-496c</link>
      <guid>https://dev.to/endoflifeai/jquery-end-of-life-whats-actually-eol-and-what-isnt-496c</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-jquery-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Let's clear up the most-searched question first: &lt;strong&gt;jQuery is not end-of-life.&lt;/strong&gt; jQuery core is still actively maintained — the 3.x line gets security releases and 4.x is the modern successor. On the &lt;a href="https://endoflife.ai/risk-score" rel="noopener noreferrer"&gt;EOL Risk Score&lt;/a&gt;, jQuery sits at just &lt;strong&gt;20 (Low)&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;But that headline hides the real problem. The parts of the jQuery ecosystem most sites depend on &lt;em&gt;are&lt;/em&gt; end-of-life: &lt;strong&gt;jQuery 1.x and 2.x got no releases since 2016&lt;/strong&gt;, &lt;strong&gt;jQuery UI reached EOL on August 5, 2024&lt;/strong&gt;, and jQuery Mobile was archived years ago. And the catch the Low score doesn't capture — &lt;strong&gt;old jQuery versions carry known, patchable XSS vulnerabilities.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  jQuery core versions — what's maintained
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Maintenance reality&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;jQuery 1.x&lt;/td&gt;
&lt;td&gt;No releases since 1.12.4 (May 2016)&lt;/td&gt;
&lt;td&gt;Unmaintained&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;jQuery 2.x&lt;/td&gt;
&lt;td&gt;No releases since 2.2.4 (May 2016)&lt;/td&gt;
&lt;td&gt;Unmaintained&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;jQuery 3.x&lt;/td&gt;
&lt;td&gt;Maintained · latest 3.7.1&lt;/td&gt;
&lt;td&gt;Maintained&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;jQuery 4.x&lt;/td&gt;
&lt;td&gt;Newest line · drops legacy IE&lt;/td&gt;
&lt;td&gt;Current&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;"No EOL date" ≠ "no updates."&lt;/strong&gt; jQuery 1.x/2.x have a Low score because jQuery never formally declared them EOL — but the project stopped shipping releases for both in May 2016. In practice they're unmaintained; the only supported path is 3.x or 4.x.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The real risk: old versions, known CVEs
&lt;/h2&gt;

&lt;p&gt;The EOL Risk Score measures &lt;em&gt;lifecycle status&lt;/em&gt;. It doesn't track &lt;em&gt;version-specific&lt;/em&gt; vulnerabilities — and jQuery has well-known ones fixed in specific releases:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2020-11022 and CVE-2020-11023&lt;/strong&gt; — XSS flaws fixed in &lt;strong&gt;jQuery 3.5.0&lt;/strong&gt; (April 2020). Any jQuery older than 3.5.0 — all of 1.x/2.x and early 3.x — is vulnerable.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2019-11358&lt;/strong&gt; — prototype pollution via &lt;code&gt;jQuery.extend&lt;/code&gt;, fixed in &lt;strong&gt;jQuery 3.4.0&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;If you're running jQuery below 3.5.0, you're shipping known XSS to your users.&lt;/strong&gt; The fix is free: upgrade to current 3.x (3.7.1) or 4.x.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This is the same blind spot covered in &lt;a href="https://endoflife.ai/article-cve-blind-spot" rel="noopener noreferrer"&gt;the CVE blind spot&lt;/a&gt; — lifecycle status and CVE exposure are two different axes, and you have to check both.&lt;/p&gt;

&lt;h2&gt;
  
  
  jQuery UI &amp;amp; jQuery Mobile — the EOL pieces
&lt;/h2&gt;

&lt;p&gt;Unlike jQuery core, &lt;strong&gt;jQuery UI is genuinely end-of-life&lt;/strong&gt; — dated to August 5, 2024, with a Risk Score of 55 (Elevated). The widget library (datepickers, dialogs, autocomplete) is no longer developed. &lt;strong&gt;jQuery Mobile&lt;/strong&gt; went further — archived and deprecated years ago.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Replacements:&lt;/strong&gt; modern component libraries or native HTML (&lt;code&gt;&amp;lt;dialog&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;input type="date"&amp;gt;&lt;/code&gt;) cover most jQuery UI use cases.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to fix it
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Find which jQuery version you actually ship.&lt;/strong&gt; &lt;code&gt;jQuery.fn.jquery&lt;/code&gt; prints the loaded version in the console. Anything below 3.5.0 is a priority.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Add &lt;a href="https://github.com/jquery/jquery-migrate" rel="noopener noreferrer"&gt;jQuery Migrate&lt;/a&gt;.&lt;/strong&gt; It restores deprecated APIs and logs every deprecation your code hits — a checklist from your real usage. Use it as a temporary bridge.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Upgrade to current jQuery 3.x (3.7.1).&lt;/strong&gt; Closes the known XSS CVEs; most compatible target.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Replace jQuery UI and jQuery Mobile.&lt;/strong&gt; Separately EOL — swap for maintained components or native controls.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consider whether you still need jQuery.&lt;/strong&gt; Much of what it was indispensable for is now native (&lt;code&gt;querySelectorAll&lt;/code&gt;, &lt;code&gt;fetch&lt;/code&gt;, &lt;code&gt;classList&lt;/code&gt;). The goal is "patched," not necessarily "removed."&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;&lt;em&gt;Full guide and live data at &lt;a href="https://endoflife.ai/article-jquery-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. Scan your front-end free with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>webdev</category>
      <category>jquery</category>
      <category>security</category>
    </item>
    <item>
      <title>Angular End of Life: The 18-Month Treadmill &amp; Every EOL Date</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:36:09 +0000</pubDate>
      <link>https://dev.to/endoflifeai/angular-end-of-life-the-18-month-treadmill-every-eol-date-1eml</link>
      <guid>https://dev.to/endoflifeai/angular-end-of-life-the-18-month-treadmill-every-eol-date-1eml</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-angular-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Angular — the TypeScript framework, versions 2 through 21 — has one of the shortest support windows in mainstream front-end development: &lt;strong&gt;roughly 18 months per major version&lt;/strong&gt;. A new major ships about every six months, so a version reaches end of life &lt;strong&gt;every six months too&lt;/strong&gt;. Right now, &lt;strong&gt;Angular 19 has already reached EOL (May 18, 2026)&lt;/strong&gt;, and only Angular 20 and 21 are still supported.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This is a different product from &lt;strong&gt;AngularJS (1.x)&lt;/strong&gt;, which is a separate, fully end-of-life framework. Don't confuse the two — this covers modern Angular (2+).&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Angular version EOL schedule
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;End of Life&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Angular ≤ 15&lt;/td&gt;
&lt;td&gt;2021 – May 2024&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;70&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 16&lt;/td&gt;
&lt;td&gt;Nov 7, 2024&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;65&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 17&lt;/td&gt;
&lt;td&gt;May 14, 2025&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;65&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 18&lt;/td&gt;
&lt;td&gt;Nov 20, 2025&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 19&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;May 18, 2026&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Just EOL&lt;/td&gt;
&lt;td&gt;55&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 20&lt;/td&gt;
&lt;td&gt;Nov 27, 2026&lt;/td&gt;
&lt;td&gt;Supported&lt;/td&gt;
&lt;td&gt;38&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Angular 21 (latest)&lt;/td&gt;
&lt;td&gt;May 18, 2027&lt;/td&gt;
&lt;td&gt;Supported&lt;/td&gt;
&lt;td&gt;30&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  The 18-month support policy
&lt;/h2&gt;

&lt;p&gt;Each major version gets about 18 months of support, split in two: &lt;strong&gt;6 months of active support&lt;/strong&gt; (regular updates and bug fixes) then &lt;strong&gt;12 months of LTS&lt;/strong&gt; (critical and security fixes only). After that, the version is EOL.&lt;/p&gt;

&lt;p&gt;A new major ships roughly every six months. Do the arithmetic: with a release twice a year and an 18-month window, there are only ever about &lt;strong&gt;three supported majors at once&lt;/strong&gt; — and one drops off every six months. Skip two cycles and you're already on borrowed time.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;This is why Angular apps fall behind faster than any other framework.&lt;/strong&gt; A team that ships on the current Angular and then focuses on features for a year finds itself two versions back and approaching EOL without changing a line of framework code. Angular demands a &lt;em&gt;standing&lt;/em&gt; upgrade habit, not a one-time migration.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Angular 20 &amp;amp; 21 — the supported versions
&lt;/h2&gt;

&lt;p&gt;Angular 21 is the current release and the right target for any upgrade today — longest runway (to May 2027) and the lowest Risk Score in the line. Angular 20 is supported through November 2026 and is a reasonable interim stop.&lt;/p&gt;

&lt;p&gt;Modern Angular has reduced upgrade pain: standalone components removed NgModule boilerplate, the new control-flow syntax and signals modernised templates and reactivity, and &lt;code&gt;ng update&lt;/code&gt; automates most of the mechanical migration between adjacent majors. &lt;strong&gt;The rule: there's no "settle here for years" version. Pick the latest, and budget a recurring upgrade every 6–12 months.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to stay current with ng update
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Find your version and the gap.&lt;/strong&gt; Run &lt;code&gt;ng version&lt;/code&gt;, cross-reference the table, see how many majors behind you are.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Upgrade one major at a time.&lt;/strong&gt; Use the &lt;a href="https://angular.dev/update-guide" rel="noopener noreferrer"&gt;Angular Update Guide&lt;/a&gt; and run &lt;code&gt;ng update @angular/core@N @angular/cli@N&lt;/code&gt; for each successive major — don't skip, the schematics run between adjacent versions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Let the schematics do the refactors.&lt;/strong&gt; &lt;code&gt;ng update&lt;/code&gt; runs code migrations automatically — review each diff rather than rubber-stamping.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Update the ecosystem in lockstep.&lt;/strong&gt; Angular Material, NgRx, and third-party libraries track Angular's majors — a lagging library is the most common blocker.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Make it a standing schedule, not a project.&lt;/strong&gt; Put the next two EOL dates in your roadmap and upgrade before each one.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Stranded several majors back?
&lt;/h2&gt;

&lt;p&gt;Plenty of production apps are stuck on Angular 12–16 because an upgrade was deferred until the gap became daunting. Those apps run EOL framework code (Risk Scores 60–70). &lt;strong&gt;Extended support&lt;/strong&gt; maintains security-patched builds of older Angular majors so a stranded app stays protected while you plan a staged path back.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Full guide, live Angular Risk Scores, and the rest of the framework lifecycle data at &lt;a href="https://endoflife.ai/article-angular-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. Check your whole stack free with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>angular</category>
      <category>javascript</category>
      <category>typescript</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Vue 2 End of Life: EOL Date, Risk, and Migration to Vue 3</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:34:30 +0000</pubDate>
      <link>https://dev.to/endoflifeai/vue-2-end-of-life-eol-date-risk-and-migration-to-vue-3-1bp8</link>
      <guid>https://dev.to/endoflifeai/vue-2-end-of-life-eol-date-risk-and-migration-to-vue-3-1bp8</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-vue2-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Vue 2 reached &lt;strong&gt;end of life on December 31, 2023&lt;/strong&gt;. Since then, the Vue core team has issued no further updates — no bug fixes, and critically, &lt;strong&gt;no security patches&lt;/strong&gt;. The final Vue 2 release, &lt;strong&gt;Vue 2.7 ("Naruto")&lt;/strong&gt;, is the last version that will ever ship. If you're still running Vue 2 in production — and many teams are — every vulnerability discovered from 2024 onward stays open unless you patch it yourself or buy extended support.&lt;/p&gt;

&lt;h2&gt;
  
  
  Vue version EOL schedule
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;End of Life&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Vue 2.6&lt;/td&gt;
&lt;td&gt;Jun 30, 2022&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;70&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Vue 2.7 (final Vue 2)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Dec 31, 2023&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;70&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Vue 3.3&lt;/td&gt;
&lt;td&gt;Dec 28, 2023&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;70&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Vue 3.4&lt;/td&gt;
&lt;td&gt;Sep 2, 2024&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;65&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Vue 3.5 (current)&lt;/td&gt;
&lt;td&gt;Active&lt;/td&gt;
&lt;td&gt;Supported&lt;/td&gt;
&lt;td&gt;30&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;All of Vue 2 is past end of life.&lt;/strong&gt; Vue 2.7 — the final and most-deployed Vue 2 release — stopped receiving security patches on December 31, 2023. If you're on any Vue 2 release, you're running unsupported, unpatched front-end code that ships to every one of your users' browsers.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Why Vue 2 EOL is a real security problem
&lt;/h2&gt;

&lt;p&gt;It's tempting to treat a front-end framework as lower-risk than a database or OS — it runs in the browser, not your servers. That's wrong in two ways:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Client-side code is directly attacker-facing.&lt;/strong&gt; Vue renders untrusted data into the DOM. Framework-level vulnerabilities — XSS through template compilation, prototype pollution in reactivity — execute in your users' sessions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The dependency tree ages with it.&lt;/strong&gt; Vue 2 pins you to Vue CLI, vue-router 3, Vuex 3, and a generation of component libraries that are themselves EOL and often won't run on current Node.js.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Vue 2.7 — the final release
&lt;/h2&gt;

&lt;p&gt;Vue 2.7 was a deliberate bridge release. It backported the Composition API, &lt;code&gt;&amp;lt;script setup&amp;gt;&lt;/code&gt;, and improved TypeScript support into the Vue 2 runtime, so teams could start writing Vue-3-style code &lt;em&gt;before&lt;/em&gt; migrating. That makes 2.7 the best launchpad for a Vue 3 move — but it's still end-of-life. The security clock ran out December 31, 2023 regardless of API style.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;On an older Vue 2 minor (2.6 or earlier)?&lt;/strong&gt; Upgrade to 2.7 first — smallest possible step, still within Vue 2, and it sets up the Vue 3 migration with far less rework.&lt;/p&gt;

&lt;h2&gt;
  
  
  Migrating from Vue 2 to Vue 3
&lt;/h2&gt;

&lt;p&gt;Vue 3 is a ground-up rewrite, not a drop-in upgrade. Reactivity moved from &lt;code&gt;Object.defineProperty&lt;/code&gt; to ES &lt;code&gt;Proxy&lt;/code&gt;, the global API changed (&lt;code&gt;new Vue()&lt;/code&gt; → &lt;code&gt;createApp()&lt;/code&gt;), and several patterns were removed. The official &lt;strong&gt;migration build&lt;/strong&gt; (&lt;code&gt;@vue/compat&lt;/code&gt;) runs Vue 3 in Vue-2-compatible mode and flags each incompatibility.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Get to Vue 2.7 and latest dependencies first.&lt;/strong&gt; Update vue-router, Vuex, and component libraries; adopt the Composition API where practical — that code transfers to Vue 3 almost unchanged.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Switch to &lt;code&gt;@vue/compat&lt;/code&gt;.&lt;/strong&gt; It boots your app in compatibility mode and emits a console warning for every deprecated pattern — your migration to-do list, generated from your real code.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Clear the warnings, one category at a time.&lt;/strong&gt; Global API (&lt;code&gt;createApp&lt;/code&gt;), filters (removed), &lt;code&gt;v-model&lt;/code&gt; changes, event-bus removal (&lt;code&gt;$on&lt;/code&gt;/&lt;code&gt;$off&lt;/code&gt; are gone), functional-component syntax.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Upgrade the ecosystem.&lt;/strong&gt; vue-router 4, Pinia (successor to Vuex), Vue-3-compatible component libraries. Third-party libraries are usually the biggest blocker.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Drop compat mode and ship on native Vue 3.&lt;/strong&gt; Pin to the latest Vue 3 minor and keep current — only the newest minor gets fixes.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Can't migrate yet?
&lt;/h2&gt;

&lt;p&gt;For a large Vue 2 app, migration is a real project — often gated on third-party libraries you don't control. That's a legitimate reason it hasn't happened, but not a reason to ship unpatched XSS. &lt;strong&gt;Extended (post-EOL) support&lt;/strong&gt; maintains security-patched forks of Vue 2 and its ecosystem so you stay protected while migrating on a realistic timeline.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Full guide, live Vue Risk Scores, and the rest of the framework lifecycle data at &lt;a href="https://endoflife.ai/article-vue2-eol" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. Check your whole front-end with the free &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>vue</category>
      <category>javascript</category>
      <category>webdev</category>
      <category>security</category>
    </item>
    <item>
      <title>The State of End-of-Life Software 2026: 32 of 459 Technologies Have Active CVEs</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Fri, 26 Jun 2026 17:32:59 +0000</pubDate>
      <link>https://dev.to/endoflifeai/the-state-of-end-of-life-software-2026-32-of-459-technologies-have-active-cves-3h7f</link>
      <guid>https://dev.to/endoflifeai/the-state-of-end-of-life-software-2026-32-of-459-technologies-have-active-cves-3h7f</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://endoflife.ai/article-state-of-eol-2026" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Every day, &lt;a href="https://endoflife.ai" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt; rebuilds a risk picture of the software the world actually runs — &lt;strong&gt;459 technologies&lt;/strong&gt;, every tracked release scored 0–100 for how dangerous it is to keep running past its support date. This is the June 2026 snapshot of that data: which technologies are most exposed, where end-of-life software intersects with vulnerabilities attackers are &lt;em&gt;already exploiting&lt;/em&gt;, and the calendar of major releases going dark this year.&lt;/p&gt;

&lt;p&gt;The headline finding isn't that old software exists — it always has. It's &lt;strong&gt;where&lt;/strong&gt; the risk concentrates: the most exposed end-of-life technologies aren't obscure libraries, they're the infrastructure everything else is built on.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Metric&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Technologies tracked &amp;amp; scored daily&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;459&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tied to actively-exploited vulnerabilities (CISA KEV)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;32&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;In the Critical risk band (80–100)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;30&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;With a release reaching EOL during 2026&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;190&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  How we measure it — the EOL Risk Score
&lt;/h2&gt;

&lt;p&gt;Every number comes from a 0–100 score computed from four weighted factors:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;EOL Recency (0–40)&lt;/strong&gt; — how long a release has been past end of life.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attack Surface (0–30)&lt;/strong&gt; — how widely deployed and exposed the technology is.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CISA KEV Exposure (0–20)&lt;/strong&gt; — whether it appears in CISA's Known Exploited Vulnerabilities catalog (confirmed active attack).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Extended Support (0–10)&lt;/strong&gt; — whether a vendor or third party still offers paid patches.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each technology's headline score reflects its &lt;strong&gt;most recently end-of-lifed release&lt;/strong&gt; — the version a typical lagging deployment is most likely still running. Across all 459, the mean score is &lt;strong&gt;52/100&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The dangerous intersection: EOL meets active exploitation
&lt;/h2&gt;

&lt;p&gt;End-of-life software is a theoretical risk until it meets a real exploit. That's what makes the CISA KEV factor the most important signal — it separates "old but quiet" from "old &lt;em&gt;and&lt;/em&gt; being attacked right now."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;32 of 459 technologies (7%) are tied to actively-exploited vulnerabilities.&lt;/strong&gt; And they're not edge cases — it's a roll-call of core infrastructure: Windows, Windows Server, Linux Kernel, RHEL, Debian, Ubuntu, CentOS, Python, Node.js, PHP, PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Elasticsearch, OpenSSL, nginx, Apache Tomcat, Kubernetes, Docker Engine, Jenkins, GitLab, WordPress, Drupal, Joomla, SharePoint, Spring Framework, Spring Boot, Android, iOS, and macOS.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;29 of the 30 highest-scoring technologies carry KEV exposure.&lt;/strong&gt; An unsupported obscure CMS plugin is a contained problem. An unsupported OpenSSL, Linux kernel, or Kubernetes is a systemic one.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 30 most critical technologies
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Technology&lt;/th&gt;
&lt;th&gt;Latest retired release&lt;/th&gt;
&lt;th&gt;Active exploits&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Docker Engine&lt;/td&gt;
&lt;td&gt;May 19, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;95&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Windows Server&lt;/td&gt;
&lt;td&gt;Oct 24, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Windows&lt;/td&gt;
&lt;td&gt;Nov 11, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Apache Tomcat&lt;/td&gt;
&lt;td&gt;Mar 31, 2024&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Python&lt;/td&gt;
&lt;td&gt;Oct 31, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PostgreSQL&lt;/td&gt;
&lt;td&gt;Nov 13, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MongoDB&lt;/td&gt;
&lt;td&gt;Sep 30, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;macOS&lt;/td&gt;
&lt;td&gt;Feb 2, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Kubernetes&lt;/td&gt;
&lt;td&gt;Feb 28, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;iOS&lt;/td&gt;
&lt;td&gt;Jan 26, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Elasticsearch&lt;/td&gt;
&lt;td&gt;Jan 15, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Android&lt;/td&gt;
&lt;td&gt;Mar 2, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RHEL&lt;/td&gt;
&lt;td&gt;Jun 30, 2024&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Redis&lt;/td&gt;
&lt;td&gt;May 25, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OpenSSL&lt;/td&gt;
&lt;td&gt;Apr 9, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Node.js&lt;/td&gt;
&lt;td&gt;Apr 30, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MySQL&lt;/td&gt;
&lt;td&gt;Apr 30, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MariaDB&lt;/td&gt;
&lt;td&gt;May 13, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Linux Kernel&lt;/td&gt;
&lt;td&gt;Apr 22, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Debian&lt;/td&gt;
&lt;td&gt;Aug 14, 2024&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CentOS&lt;/td&gt;
&lt;td&gt;Jun 30, 2024&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ubuntu&lt;/td&gt;
&lt;td&gt;Jan 17, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Spring Framework&lt;/td&gt;
&lt;td&gt;Jun 30, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Spring Boot&lt;/td&gt;
&lt;td&gt;Dec 31, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SharePoint&lt;/td&gt;
&lt;td&gt;Apr 11, 2023&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PHP&lt;/td&gt;
&lt;td&gt;Dec 31, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Joomla&lt;/td&gt;
&lt;td&gt;Oct 14, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Jenkins&lt;/td&gt;
&lt;td&gt;Jan 21, 2026&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Drupal&lt;/td&gt;
&lt;td&gt;Dec 10, 2025&lt;/td&gt;
&lt;td&gt;In KEV&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Amazon Linux&lt;/td&gt;
&lt;td&gt;Dec 31, 2023&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Docker Engine tops the list at 95/100&lt;/strong&gt; — a long-retired release, an enormous attack surface, and confirmed active exploitation.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 2026 end-of-life calendar
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;190 technologies have a release reaching EOL in calendar 2026&lt;/strong&gt; — and 16 of those score 75+. The high-risk roster:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;2026 EOL date&lt;/th&gt;
&lt;th&gt;Technology&lt;/th&gt;
&lt;th&gt;Risk Score&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Jan 15&lt;/td&gt;
&lt;td&gt;Elasticsearch&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Jan 17&lt;/td&gt;
&lt;td&gt;Ubuntu&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Jan 21&lt;/td&gt;
&lt;td&gt;Jenkins&lt;/td&gt;
&lt;td&gt;80&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Jan 26&lt;/td&gt;
&lt;td&gt;iOS&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Feb 2&lt;/td&gt;
&lt;td&gt;macOS&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Feb 28&lt;/td&gt;
&lt;td&gt;Kubernetes&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Mar 2&lt;/td&gt;
&lt;td&gt;Android&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Apr 9&lt;/td&gt;
&lt;td&gt;OpenSSL&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Apr 22&lt;/td&gt;
&lt;td&gt;Linux Kernel&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Apr 30&lt;/td&gt;
&lt;td&gt;MySQL&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Apr 30&lt;/td&gt;
&lt;td&gt;Node.js&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;May 13&lt;/td&gt;
&lt;td&gt;MariaDB&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;May 13&lt;/td&gt;
&lt;td&gt;nginx&lt;/td&gt;
&lt;td&gt;75&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;May 20&lt;/td&gt;
&lt;td&gt;WordPress&lt;/td&gt;
&lt;td&gt;75&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;May 21&lt;/td&gt;
&lt;td&gt;GitLab&lt;/td&gt;
&lt;td&gt;75&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;May 25&lt;/td&gt;
&lt;td&gt;Redis&lt;/td&gt;
&lt;td&gt;85&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The first half of 2026 alone retired high-risk releases across the database tier (MySQL, MariaDB, Redis, Elasticsearch), the runtime tier (Node.js, OpenSSL), orchestration (Kubernetes), and OS (Ubuntu, Linux, iOS, macOS, Android).&lt;/p&gt;

&lt;h2&gt;
  
  
  What it means for your stack
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The risk is concentrated, not diffuse.&lt;/strong&gt; You don't need to audit 459 technologies — just which of the 30 critical ones (and 32 with active exploits) are in your environment, and which version.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EOL is predictable; breaches from it aren't.&lt;/strong&gt; Every date above was published years ahead. Put each EOL date in your roadmap the day you deploy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"Newer" isn't always "safer."&lt;/strong&gt; Some technologies ship short-lived releases that EOL within months — a higher version number can be &lt;em&gt;less&lt;/em&gt; supported.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Full interactive tables, live scores, and every technology's page are at &lt;a href="https://endoflife.ai/article-state-of-eol-2026" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;. The same data is free via the &lt;a href="https://endoflife.ai/api" rel="noopener noreferrer"&gt;API&lt;/a&gt; and the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;. Data rebuilt daily from the &lt;a href="https://endoflife.date" rel="noopener noreferrer"&gt;endoflife.date&lt;/a&gt; open dataset plus CISA KEV.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>programming</category>
      <category>webdev</category>
    </item>
    <item>
      <title>MySQL 8.0 is now end-of-life — here's the version map you actually need</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Thu, 18 Jun 2026 19:30:52 +0000</pubDate>
      <link>https://dev.to/endoflifeai/mysql-80-is-now-end-of-life-heres-the-version-map-you-actually-need-43p8</link>
      <guid>https://dev.to/endoflifeai/mysql-80-is-now-end-of-life-heres-the-version-map-you-actually-need-43p8</guid>
      <description>&lt;p&gt;&lt;strong&gt;MySQL 8.0 reached end of life on April 30, 2026.&lt;/strong&gt; That's the one that matters: 8.0 has been the default MySQL since 2018, so a huge share of production databases just stopped getting security patches from Oracle. If &lt;code&gt;mysql:8.0&lt;/code&gt; is anywhere in your stack, you're now running unsupported software.&lt;/p&gt;

&lt;p&gt;Here's the version map, with EOL Risk Scores (0–100) from &lt;a href="https://endoflife.ai/mysql" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Type&lt;/th&gt;
&lt;th&gt;EOL&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;MySQL 5.5&lt;/td&gt;
&lt;td&gt;Legacy&lt;/td&gt;
&lt;td&gt;Dec 31, 2018&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MySQL 5.6&lt;/td&gt;
&lt;td&gt;Legacy&lt;/td&gt;
&lt;td&gt;Feb 28, 2021&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MySQL 5.7&lt;/td&gt;
&lt;td&gt;Legacy&lt;/td&gt;
&lt;td&gt;Oct 31, 2023&lt;/td&gt;
&lt;td&gt;EOL&lt;/td&gt;
&lt;td&gt;90&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MySQL 8.0&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Series&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Apr 30, 2026&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;EOL&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;75&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MySQL 8.4&lt;/td&gt;
&lt;td&gt;LTS&lt;/td&gt;
&lt;td&gt;Apr 30, 2032&lt;/td&gt;
&lt;td&gt;Current LTS&lt;/td&gt;
&lt;td&gt;50&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  The Innovation-vs-LTS trap
&lt;/h2&gt;

&lt;p&gt;This is the part that catches people. In 2023 Oracle split MySQL into two release tracks, and &lt;strong&gt;the version number no longer tells you how long a release is supported.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;LTS releases&lt;/strong&gt; (currently &lt;strong&gt;8.4&lt;/strong&gt;) get ~8 years of support. This is what you run in production.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Innovation releases&lt;/strong&gt; (8.1, 8.2, 8.3, and the entire &lt;strong&gt;9.x&lt;/strong&gt; series) ship quarterly and are supported &lt;strong&gt;only until the next release lands&lt;/strong&gt; — roughly three months each.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So MySQL 9.2 &lt;em&gt;looks&lt;/em&gt; newer than 8.4, but 8.4 is supported into 2032 while 9.2 went EOL within months. MySQL 9.0 reached EOL back in October 2024. If you adopted a 9.x release and aren't upgrading every single quarter, you're already on an EOL build with a Critical-tier risk profile.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Rule of thumb:&lt;/strong&gt; unless quarterly upgrades are genuinely part of your ops model, stay on the LTS (8.4) and let the new features arrive in the next LTS.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to do
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;On 8.0?&lt;/strong&gt; Upgrade to &lt;strong&gt;8.4 LTS&lt;/strong&gt; — it's the supported, in-place path Oracle designed for exactly this transition.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;On 5.7?&lt;/strong&gt; Bigger jump. Plan straight to 8.4, using 8.0 as a compatibility checkpoint, not a destination. Watch the &lt;code&gt;caching_sha2_password&lt;/code&gt; default, SQL mode changes, and the data dictionary migration.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run the check first:&lt;/strong&gt; &lt;code&gt;mysqlsh&lt;/code&gt; → &lt;code&gt;util.checkForServerUpgrade()&lt;/code&gt; against a staging copy surfaces deprecated syntax, removed features, and collation changes before you commit.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Managed MySQL&lt;/strong&gt; (RDS, Aurora, Azure, Cloud SQL) tracks these dates differently — some extend past Oracle's community EOL, some don't. Confirm your provider's specific dates.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Check your whole stack, not just MySQL
&lt;/h2&gt;

&lt;p&gt;MySQL is one clock. Your OS, runtime, and other dependencies each have their own. You can score your full dependency file at once with the free &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt; (no signup), or read the complete version-by-version breakdown here:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Full guide:&lt;/strong&gt; &lt;a href="https://endoflife.ai/article-mysql-eol" rel="noopener noreferrer"&gt;MySQL End-of-Life Dates — every version&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Dates and risk scores sourced from the open &lt;a href="https://endoflife.date" rel="noopener noreferrer"&gt;endoflife.date&lt;/a&gt; dataset; risk scoring and CISA KEV cross-reference by endoflife.ai.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>mysql</category>
      <category>database</category>
      <category>devops</category>
      <category>security</category>
    </item>
    <item>
      <title>Every Software EOL Date That Matters in 2026 — One Reference</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Mon, 15 Jun 2026 09:22:55 +0000</pubDate>
      <link>https://dev.to/endoflifeai/every-software-eol-date-that-matters-in-2026-one-reference-n8d</link>
      <guid>https://dev.to/endoflifeai/every-software-eol-date-that-matters-in-2026-one-reference-n8d</guid>
      <description>&lt;p&gt;We maintain a &lt;a href="https://endoflife.ai/article-eol-dates-2026" rel="noopener noreferrer"&gt;full reference of 124 versions across 44 products&lt;/a&gt; — here are the dates that actually deserve a calendar reminder in 2026.&lt;/p&gt;

&lt;h2&gt;
  
  
  Just happened
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Debian 12 "Bookworm" reached end of life on June 10, 2026.&lt;/strong&gt; Regular security support has ended; the volunteer LTS team now covers only ~230 packages. If &lt;code&gt;debian:12&lt;/code&gt; is in your Dockerfiles, every image you build from here on has an EOL base layer. &lt;a href="https://endoflife.ai/article-debian-12-eol-june-2026" rel="noopener noreferrer"&gt;Action guide here&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The big dates still ahead in 2026
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;What dies&lt;/th&gt;
&lt;th&gt;Why it hurts&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Sep 18, 2026&lt;/td&gt;
&lt;td&gt;Oracle JDK 26&lt;/td&gt;
&lt;td&gt;Short-lived non-LTS — teams that jumped early get caught&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sep 30, 2026&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;Java 17 LTS&lt;/strong&gt; (Premier)&lt;/td&gt;
&lt;td&gt;Still one of the most-deployed JDKs in production&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Oct 31, 2026&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Python 3.10&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;One of the most-used Python versions; 3.11 follows Oct 2027&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Nov 9, 2026&lt;/td&gt;
&lt;td&gt;Windows 11 23H2 (Enterprise)&lt;/td&gt;
&lt;td&gt;The next Windows migration wave after the Win10 cliff&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Dec 31, 2026&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;PHP 8.2&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;With 8.1 already EOL, only 8.3+ survives into 2027&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Already EOL — and still everywhere
&lt;/h2&gt;

&lt;p&gt;These are past their dates and still show up constantly in production scans:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Node.js 18 and 20&lt;/strong&gt; — both EOL (Apr 2025 / Apr 2026). Node 22 LTS is the floor now.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Spring Boot 2.7&lt;/strong&gt; — EOL since 2023, still the most common Spring version in legacy estates.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PHP 8.1&lt;/strong&gt; — EOL Dec 2025.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Veeam 11 &amp;amp; 12.0&lt;/strong&gt; — backup infrastructure running unpatched is its own special category of bad.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CentOS 7/8&lt;/strong&gt; — fully discontinued; no vendor to buy support from (third-party extended support is the only patch path).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ubuntu 20.04&lt;/strong&gt; — out of standard support; Ubuntu Pro or migration.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The pattern worth internalizing
&lt;/h2&gt;

&lt;p&gt;EOL events cluster. June 2026 alone had Debian 12, Debian 11 LTS (June 30), and Kubernetes versions aging out in the same window. If your stack touches five ecosystems, you have five independent clocks — and none of them email you.&lt;/p&gt;

&lt;p&gt;The full sortable reference (124 versions, updated at every deploy, with risk scores and add-to-calendar reminders per product): &lt;strong&gt;&lt;a href="https://endoflife.ai/article-eol-dates-2026" rel="noopener noreferrer"&gt;endoflife.ai/article-eol-dates-2026&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Or check your whole dependency file at once with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt; — free, no signup.&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>linux</category>
      <category>programming</category>
    </item>
    <item>
      <title>EOL, EOS, LTS, CVE — Every Software Lifecycle Term, Explained Like You're New Here</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Thu, 11 Jun 2026 22:02:14 +0000</pubDate>
      <link>https://dev.to/endoflifeai/eol-eos-lts-cve-every-software-lifecycle-term-explained-like-youre-new-here-29fo</link>
      <guid>https://dev.to/endoflifeai/eol-eos-lts-cve-every-software-lifecycle-term-explained-like-youre-new-here-29fo</guid>
      <description>&lt;p&gt;&lt;strong&gt;The short version:&lt;/strong&gt; every piece of software has a date after which its maker stops fixing it — including security holes. That date is its &lt;strong&gt;end of life (EOL)&lt;/strong&gt;. The software keeps running after EOL; it just stops being defended. Any flaw found after that date stays open forever, on every system still running it.&lt;/p&gt;

&lt;p&gt;This guide assumes zero prior knowledge. By the end you'll be able to read any vendor lifecycle page without a translator.&lt;/p&gt;

&lt;h2&gt;
  
  
  The life of a piece of software
&lt;/h2&gt;

&lt;p&gt;Every version moves through the same phases, whatever the vendor calls them:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Phase&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;th&gt;What you get&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Release (GA)&lt;/td&gt;
&lt;td&gt;Declared production-ready&lt;/td&gt;
&lt;td&gt;Features, bug fixes, security patches&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Active support&lt;/td&gt;
&lt;td&gt;The healthy middle of life&lt;/td&gt;
&lt;td&gt;Fixes and patches&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Maintenance / security-only&lt;/td&gt;
&lt;td&gt;The wind-down&lt;/td&gt;
&lt;td&gt;Security patches only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;End of life (EOL)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The maker walks away&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Nothing, ever again&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Extended support&lt;/td&gt;
&lt;td&gt;Paid overtime&lt;/td&gt;
&lt;td&gt;Security patches past EOL, for a price&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The crucial point: &lt;strong&gt;software doesn't stop working at EOL.&lt;/strong&gt; Nothing visibly breaks, so nothing prompts action — while security holes quietly accumulate. That's exactly what makes it dangerous.&lt;/p&gt;

&lt;h2&gt;
  
  
  The acronym decoder
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;EOL&lt;/strong&gt; (End of Life) — the maker stops all fixes. The big one.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EOS&lt;/strong&gt; — usually a synonym for EOL; occasionally "end of &lt;em&gt;sale&lt;/em&gt;." Check which a vendor means.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EOSL&lt;/strong&gt; (End of Service Life) — the hardware version: switches, servers, storage.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;GA&lt;/strong&gt; (General Availability) — the official release date. The lifecycle clock starts here.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;LTS&lt;/strong&gt; (Long-Term Support) — a version promised support for years. What you run in production.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;STS&lt;/strong&gt; — short-term support, for early adopters. Oracle calls these "Innovation Releases."&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ELS / ESU / ELTS&lt;/strong&gt; — vendor names for paid post-EOL support (Red Hat / Microsoft / Debian respectively). Same idea, different logos.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE&lt;/strong&gt; (Common Vulnerabilities and Exposures) — the global ID system for security flaws (CVE-2026-12345).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVSS&lt;/strong&gt; — the 0–10 severity score on each CVE. 9+ is critical.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NVD&lt;/strong&gt; — the US government's public catalog of all CVEs. Attackers read it too.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;KEV&lt;/strong&gt; (Known Exploited Vulnerabilities) — CISA's list of CVEs &lt;em&gt;actively used in real attacks&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SBOM&lt;/strong&gt; (Software Bill of Materials) — the ingredient list of your software. What makes EOL auditing possible at scale.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SCA&lt;/strong&gt; (Software Composition Analysis) — dependency scanners. Useful, but most don't flag EOL status.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What's actually in a "stack"?
&lt;/h2&gt;

&lt;p&gt;Each layer has its own EOL clock. Bottom-up:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Operating system / distribution&lt;/strong&gt; — Windows, macOS, or a Linux distro (Ubuntu, Debian, RHEL): the kernel plus thousands of tools, versioned and supported as one product. When Debian 12 hits EOL, the whole bundle stops getting coordinated fixes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Runtime&lt;/strong&gt; — the engine that executes your code. JavaScript needs Node.js; Python code needs the Python interpreter; Java needs the JDK. You don't write a runtime — you write code that runs &lt;em&gt;on&lt;/em&gt; one. High-stakes EOL items, because runtimes process untrusted input.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Framework&lt;/strong&gt; — a pre-built application skeleton: Django, Rails, Spring Boot, Laravel. A framework rides on a runtime — a Django app needs both Django &lt;em&gt;and&lt;/em&gt; Python in support. Two clocks; either expiring exposes you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Library / dependency&lt;/strong&gt; — smaller building blocks pulled in by a package manager (npm, pip, Composer). Modern apps use hundreds. Each can be abandoned by its maintainer — EOL without a press release. (The classic distinction: &lt;em&gt;your code calls a library; a framework calls your code.&lt;/em&gt;)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Database&lt;/strong&gt; — PostgreSQL, MySQL, MongoDB. Holds the crown jewels; EOLs on long cycles, which lulls teams into forgetting it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Containers &amp;amp; base images&lt;/strong&gt; — &lt;code&gt;FROM debian:12&lt;/code&gt; bakes Debian 12's EOL clock into every container you build, even brand-new deployments.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Firmware/hardware&lt;/strong&gt; — the layer organizations track least. See EOSL above.&lt;/p&gt;

&lt;h2&gt;
  
  
  How version numbers work
&lt;/h2&gt;

&lt;p&gt;Most software uses &lt;code&gt;major.minor.patch&lt;/code&gt; (Python 3.11.9). &lt;strong&gt;EOL almost always applies to the major.minor line&lt;/strong&gt; — "Python 3.11 is EOL" means every 3.11.x, and no 3.11.10 will ever ship. Patch upgrades are routine hygiene; crossing minor/major lines is a migration. That's why teams pin versions — and why pinned versions quietly age into EOL.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters: the CVE blind spot
&lt;/h2&gt;

&lt;p&gt;A &lt;strong&gt;zero-day&lt;/strong&gt; is a flaw nobody knows about — scary but rare, and it gets patched once found. &lt;strong&gt;EOL software inverts this:&lt;/strong&gt; the flaw is public — documented on the NVD, scored, often with exploit code on GitHub — but no patch will ever exist. Attackers don't need to discover anything; they read the CVE feed and check who's still running the EOL version.&lt;/p&gt;

&lt;p&gt;Worse: most scanners give EOL software a clean bill of health, because they check for known unpatched CVEs — not for the fact that the patch pipeline itself is dead.&lt;/p&gt;

&lt;h2&gt;
  
  
  If you can't upgrade in time
&lt;/h2&gt;

&lt;p&gt;Extended support keeps patches flowing past EOL. It comes from the maker (Red Hat ELS, Ubuntu Pro, Microsoft ESU) or from third parties such as TuxCare, which patch software the maker has abandoned entirely — CentOS being the canonical case, fully discontinued with no vendor program at all. Either way: it's a bridge to a planned migration, not a destination.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to start
&lt;/h2&gt;

&lt;p&gt;Every layer of your stack has an expiry date, nothing announces itself when it passes, and the fix is knowing the dates before they arrive. Look up any of 455+ products free at &lt;a href="https://endoflife.ai" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt; — or scan a whole dependency file at once with the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt;. No signup.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>security</category>
      <category>devops</category>
      <category>programming</category>
    </item>
    <item>
      <title>Oracle Database End-of-Life Dates — Premier &amp; Extended Support for Every Version</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Tue, 09 Jun 2026 16:47:56 +0000</pubDate>
      <link>https://dev.to/endoflifeai/oracle-database-end-of-life-dates-premier-extended-support-for-every-version-59la</link>
      <guid>https://dev.to/endoflifeai/oracle-database-end-of-life-dates-premier-extended-support-for-every-version-59la</guid>
      <description>&lt;p&gt;If you've ever tried to answer the simple question &lt;em&gt;"when does my Oracle Database version go end of life?"&lt;/em&gt; you've probably discovered there's no single date. Oracle doesn't do "EOL" the way Linux distros or runtimes do. Instead, every release moves through three support phases — and one of them sounds supportive but quietly leaves you with &lt;strong&gt;zero new security patches&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Here's the whole picture in plain language.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;The short version:&lt;/strong&gt; Oracle 19c is the safe long-term release (Premier Support to Dec 31, 2029, Extended to Dec 31, 2032). 23ai (now branded 26ai) is the newest long-term release. Oracle 18c, 12c, and 11g are all past support and receive only Sustaining Support — which means no new CVE patches.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The Oracle Lifetime Support table
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Release&lt;/th&gt;
&lt;th&gt;GA Release&lt;/th&gt;
&lt;th&gt;Premier Support Ends&lt;/th&gt;
&lt;th&gt;Extended Support Ends&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;23ai / 26ai&lt;/strong&gt; (LTR)&lt;/td&gt;
&lt;td&gt;2023–2024&lt;/td&gt;
&lt;td&gt;Dec 31, 2031&lt;/td&gt;
&lt;td&gt;Available&lt;/td&gt;
&lt;td&gt;✅ Active&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;21c&lt;/strong&gt; (Innovation)&lt;/td&gt;
&lt;td&gt;Aug 13, 2021&lt;/td&gt;
&lt;td&gt;Jul 31, 2027&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;✅ Active&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;19c&lt;/strong&gt; (LTR)&lt;/td&gt;
&lt;td&gt;Apr 25, 2019&lt;/td&gt;
&lt;td&gt;Dec 31, 2029&lt;/td&gt;
&lt;td&gt;Dec 31, 2032&lt;/td&gt;
&lt;td&gt;✅ Active · Recommended&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;18c&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Jul 23, 2018&lt;/td&gt;
&lt;td&gt;Jun 30, 2021&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;❌ EOL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;12c Release 2&lt;/strong&gt; (12.2)&lt;/td&gt;
&lt;td&gt;Mar 1, 2017&lt;/td&gt;
&lt;td&gt;Mar 31, 2022&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;❌ EOL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;12c Release 1&lt;/strong&gt; (12.1)&lt;/td&gt;
&lt;td&gt;Jun 25, 2013&lt;/td&gt;
&lt;td&gt;Jul 31, 2018&lt;/td&gt;
&lt;td&gt;Jul 31, 2022&lt;/td&gt;
&lt;td&gt;❌ EOL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;11g Release 2&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Sep 1, 2009&lt;/td&gt;
&lt;td&gt;Jan 31, 2015&lt;/td&gt;
&lt;td&gt;Dec 31, 2020&lt;/td&gt;
&lt;td&gt;❌ EOL&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  The three phases (and the one that fools people)
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Premier Support&lt;/strong&gt; — the first ~5 years for a Long-Term Release. Full coverage: bug fixes, security patches, Critical Patch Updates, new certifications. This is what you want to be on.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Extended Support&lt;/strong&gt; — an optional &lt;em&gt;paid&lt;/em&gt; add-on, available only for Long-Term Releases, that extends full coverage for up to 3 more years. Oracle has sometimes waived the first year's fee. Innovation Releases (like 21c) don't get this at all.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sustaining Support&lt;/strong&gt; — offered &lt;em&gt;indefinitely&lt;/em&gt;, which is exactly why it's misleading. It includes &lt;strong&gt;no new security patches, no bug fixes, no error corrections, and no new certifications&lt;/strong&gt; — just access to patches that already existed and the knowledge base.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;⚠️ This is the trap: Oracle can say a release is "still supported" when it's actually on Sustaining Support — getting &lt;strong&gt;no new CVE fixes&lt;/strong&gt;. If you're past your Extended Support date, you are running unpatched. Your vulnerability scanner won't necessarily flag it, because the CVE affected-version ranges often don't list your ancient release. That's the &lt;strong&gt;CVE blind spot&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Long-Term vs Innovation Releases
&lt;/h2&gt;

&lt;p&gt;Since 19c, Oracle splits releases into two tracks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Long-Term Releases (LTR)&lt;/strong&gt; — e.g. 19c and 23ai. ~5 years Premier + up to 3 years Extended. &lt;strong&gt;Standardize production here.&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Innovation Releases&lt;/strong&gt; — e.g. 21c. ~2 years Premier, no Extended. Great for kicking the tires on new features, bad for systems you'll run for years.&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  What about 23ai... 23c... 26ai?
&lt;/h2&gt;

&lt;p&gt;Yes, the naming is a mess. It launched as &lt;strong&gt;23c&lt;/strong&gt;, was renamed &lt;strong&gt;23ai&lt;/strong&gt; to highlight its built-in AI features (like AI Vector Search), and the release line was later rebranded &lt;strong&gt;26ai&lt;/strong&gt; — while keeping &lt;code&gt;23&lt;/code&gt; as the internal version number. It's a Long-Term Release with Premier Support through December 31, 2031, and it's the target if you want the longest runway on a new deployment.&lt;/p&gt;




&lt;h2&gt;
  
  
  If you're on 11g, 12c, or 18c
&lt;/h2&gt;

&lt;p&gt;You've been running without new security fixes for &lt;strong&gt;years&lt;/strong&gt; (11g since 2020, 12c since 2022, 18c since 2021). Your options:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Upgrade to a Long-Term Release&lt;/strong&gt; — 19c (most proven) or 23ai (newest). Oracle's AutoUpgrade tool handles most paths.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Buy Extended Support&lt;/strong&gt; — only available for LTRs (e.g. 19c through 2032), as a paid bridge while you migrate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Third-party / Market-Driven Support&lt;/strong&gt; — can patch versions Oracle no longer will, but it's a stopgap, not a destination.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Check your exact version with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="n"&gt;BANNER_FULL&lt;/span&gt; &lt;span class="k"&gt;FROM&lt;/span&gt; &lt;span class="n"&gt;V&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="k"&gt;VERSION&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;If you're on &lt;strong&gt;19c&lt;/strong&gt;, you're fine until at least 2029. If you're on &lt;strong&gt;18c, 12c, or 11g&lt;/strong&gt;, you're effectively end of life and unpatched — plan a move to 19c or 23ai now.&lt;/p&gt;

&lt;p&gt;I keep a live, always-updated version of this — with every Oracle Database version, its support phase, and a 0–100 EOL Risk Score — here: &lt;strong&gt;&lt;a href="https://endoflife.ai/article-oracle-database-eol" rel="noopener noreferrer"&gt;Oracle Database EOL dates on endoflife.ai&lt;/a&gt;&lt;/strong&gt;. You can also check any other product (Node, Python, PHP, RHEL, Kubernetes, 450+ more) at &lt;a href="https://endoflife.ai" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>database</category>
      <category>oracle</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>Your EOL Dates Are Deadlines. Now They Live on Your Calendar.</title>
      <dc:creator>endoflife-ai</dc:creator>
      <pubDate>Sat, 06 Jun 2026 11:53:07 +0000</pubDate>
      <link>https://dev.to/endoflifeai/your-eol-dates-are-deadlines-now-they-live-on-your-calendar-2457</link>
      <guid>https://dev.to/endoflifeai/your-eol-dates-are-deadlines-now-they-live-on-your-calendar-2457</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Originally published on &lt;a href="https://endoflife.ai/article-eol-calendar-alerts" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An end-of-life date is a deadline. On one side of it, your software receives security patches. On the other side, it does not — permanently. Every vulnerability discovered after that date is disclosed publicly, assigned a CVE, and frequently weaponized, with no fix ever coming from the vendor. This is the &lt;a href="https://endoflife.ai/article-cve-blind-spot" rel="noopener noreferrer"&gt;CVE blind spot&lt;/a&gt;, and it's the single most &lt;em&gt;predictable&lt;/em&gt; security risk in any stack: you always know the exact day it begins.&lt;/p&gt;

&lt;p&gt;And yet EOL dates slip past almost everyone. They don't trigger a scanner alert. They don't open a ticket. They aren't on anyone's sprint board. They are, quite literally, calendar events that nobody put on the calendar.&lt;/p&gt;

&lt;p&gt;We just fixed that last part.&lt;/p&gt;

&lt;h2&gt;
  
  
  Add to Calendar, on every page
&lt;/h2&gt;

&lt;p&gt;Every &lt;a href="https://endoflife.ai/products" rel="noopener noreferrer"&gt;product page&lt;/a&gt; and version page on endoflife.ai that has a future end-of-life date now carries an &lt;strong&gt;Add to Calendar&lt;/strong&gt; button, right under the status banner. One click downloads a standard calendar file (&lt;code&gt;.ics&lt;/code&gt;) with the EOL date and three reminders already built in — &lt;strong&gt;90, 30, and 7 days before&lt;/strong&gt; the deadline. A second button drops the same event straight into Google Calendar.&lt;/p&gt;

&lt;p&gt;It works in Apple Calendar, Outlook, and Google Calendar. There's no account, no email signup, and nothing to install — the reminders fire from your own calendar, on your own schedule, and keep working whether or not you ever return to the site. Open &lt;a href="https://endoflife.ai/nodejs" rel="noopener noreferrer"&gt;Node.js&lt;/a&gt;, &lt;a href="https://endoflife.ai/php" rel="noopener noreferrer"&gt;PHP&lt;/a&gt;, &lt;a href="https://endoflife.ai/kubernetes" rel="noopener noreferrer"&gt;Kubernetes&lt;/a&gt;, or any of 455+ products, pick the version you run, and the date is on your calendar in seconds.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Why 90 / 30 / 7?&lt;/strong&gt;&lt;br&gt;
The three reminders map to how migrations actually happen. &lt;strong&gt;90 days out:&lt;/strong&gt; scope the work, pick the target version, get it into a sprint. &lt;strong&gt;30 days out:&lt;/strong&gt; the migration should be in progress and testing. &lt;strong&gt;7 days out:&lt;/strong&gt; final verification — and if you're not done, time to stand up compensating controls and document them. The lead time is the difference between a planned upgrade and an emergency.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Lead time is a security control
&lt;/h2&gt;

&lt;p&gt;The cost of an EOL migration is not fixed — it depends entirely on when you start. A move from Node.js 18 to a supported release, planned during a normal cycle, costs engineering time measured in days. The same move, started the week a critical CVE drops against the now-unpatchable version, costs that plus incident response, emergency change approvals, and the very real chance that an attacker got there first.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.cisa.gov/stopransomware/bad-practices" rel="noopener noreferrer"&gt;CISA puts it bluntly&lt;/a&gt;. Its catalog of cybersecurity Bad Practices lists the "use of unsupported (or end-of-life) software" as "dangerous and significantly elevates risk to national security, national economic security, and national public health and safety" — calling the practice "especially egregious in technologies accessible from the Internet." When the nation's cyber defense agency files something under &lt;em&gt;bad practices&lt;/em&gt;, alongside default passwords and single-factor admin access, that's not a nudge. That's a line.&lt;/p&gt;

&lt;p&gt;The exploitation timeline backs it up. Once a product is past EOL, any new vulnerability that lands in &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener noreferrer"&gt;CISA's Known Exploited Vulnerabilities (KEV) catalog&lt;/a&gt; has, for you, no patch path at all — your only remediation is replacing the software outright. The earlier you see the date coming, the cheaper that replacement is.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why auditors care about the date itself
&lt;/h2&gt;

&lt;p&gt;Here's what surprises most teams: several major frameworks don't just frown on running EOL software — they require you to &lt;em&gt;track lifecycle dates&lt;/em&gt; and hold a documented plan to act on them. The calendar reminder you just set is, in audit terms, evidence.&lt;/p&gt;

&lt;h3&gt;
  
  
  PCI DSS 4.0.1 — Requirement 12.3.4
&lt;/h3&gt;

&lt;p&gt;The Payment Card Industry standard added a requirement aimed squarely at this. &lt;a href="https://www.pcisecuritystandards.org/" rel="noopener noreferrer"&gt;Requirement 12.3.4&lt;/a&gt; mandates that all hardware and software in scope is reviewed &lt;strong&gt;at least once every 12 months&lt;/strong&gt; to confirm it still receives security fixes from the vendor, to document any vendor "end of life" announcements, and to maintain a &lt;strong&gt;plan approved by senior management to remediate outdated technologies&lt;/strong&gt;. It moved from best practice to mandatory on &lt;strong&gt;31 March 2025&lt;/strong&gt;, so it is now fully assessed. Requirement 6.3.3 separately requires that components be protected from known vulnerabilities via timely patching. A lifecycle calendar with lead-time reminders is precisely the artifact a QSA wants to see behind 12.3.4.&lt;/p&gt;

&lt;h3&gt;
  
  
  NIST SP 800-53 &amp;amp; FedRAMP — SA-22
&lt;/h3&gt;

&lt;p&gt;Control &lt;a href="https://csrc.nist.gov/" rel="noopener noreferrer"&gt;SA-22, "Unsupported System Components,"&lt;/a&gt; is explicit: organizations must replace components when vendor support ends, or formally arrange alternative support. Paired with SI-2 (flaw remediation), it gives assessors a direct hook. Because &lt;strong&gt;FedRAMP&lt;/strong&gt; inherits the 800-53 baseline, any cloud service serving the U.S. government carries SA-22 as well — and an unsupported component without a plan becomes a POA&amp;amp;M item.&lt;/p&gt;

&lt;h3&gt;
  
  
  ISO 27001:2022 — Annex A 8.8
&lt;/h3&gt;

&lt;p&gt;Control 8.8, "Management of technical vulnerabilities," was strengthened in the 2022 revision to emphasize a &lt;em&gt;proactive&lt;/em&gt; process: maintain an asset inventory with version numbers, obtain timely information about vulnerabilities, and act. Software for which no patch can ever exist is a structural failure of exactly that control.&lt;/p&gt;

&lt;h3&gt;
  
  
  SOC 2 — Trust Services Criteria CC7.1
&lt;/h3&gt;

&lt;p&gt;SOC 2 names no specific technologies; it tests whether your controls fit your risks. Criterion CC7.1 covers detecting new vulnerabilities and susceptibilities. An auditor will ask how you identify them — and if your answer has no process for tracking software end-of-life, that's a gap. If EOL software is then found running, the gap becomes a finding.&lt;/p&gt;

&lt;h3&gt;
  
  
  HIPAA Security Rule
&lt;/h3&gt;

&lt;p&gt;For ePHI, the &lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" rel="noopener noreferrer"&gt;HIPAA Security Rule&lt;/a&gt; requires a risk analysis (45 CFR §164.308) and technical safeguards (§164.312). NIST's implementation guide, &lt;a href="https://csrc.nist.gov/pubs/sp/800/66/r2/final" rel="noopener noreferrer"&gt;SP 800-66 Revision 2&lt;/a&gt; (February 2024), frames unsupported software as an identifiable, manageable risk. OCR's enforcement consistently ties penalty severity to whether an organization &lt;em&gt;knew&lt;/em&gt; about a risk and failed to act — which makes knowingly running EOL software the worse position to be in.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;The pattern across every framework&lt;/strong&gt;&lt;br&gt;
None of these require perfect, always-current software. They require that you &lt;em&gt;know&lt;/em&gt; your lifecycle risks and manage them deliberately — with awareness, a plan, and a timeline. EOL software that's documented, compensated, and scheduled for remediation is a managed risk. EOL software you didn't see coming is a finding.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Framework / Body&lt;/th&gt;
&lt;th&gt;Control&lt;/th&gt;
&lt;th&gt;What it expects regarding EOL&lt;/th&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;PCI DSS 4.0.1&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Req. 12.3.4, 6.3.3&lt;/td&gt;
&lt;td&gt;Annual review for EOL/vendor support + senior-approved remediation plan (mandatory since Mar 2025)&lt;/td&gt;
&lt;td&gt;Critical&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;NIST 800-53 / FedRAMP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;SA-22, SI-2&lt;/td&gt;
&lt;td&gt;Replace unsupported components or arrange alternative support; POA&amp;amp;M if not&lt;/td&gt;
&lt;td&gt;Critical&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;ISO 27001:2022&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Annex A 8.8&lt;/td&gt;
&lt;td&gt;Proactive vulnerability management with versioned asset inventory&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SOC 2&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;TSC CC7.1&lt;/td&gt;
&lt;td&gt;A process to detect new vulnerabilities, including lifecycle tracking&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;HIPAA&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;§164.308, §164.312&lt;/td&gt;
&lt;td&gt;Risk analysis covering unsupported software; known-and-unaddressed risk raises OCR exposure&lt;/td&gt;
&lt;td&gt;Critical&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CISA&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Bad Practices · KEV · BOD 22-01&lt;/td&gt;
&lt;td&gt;EOL software named a "bad practice"; KEV entries carry fixed remediation deadlines&lt;/td&gt;
&lt;td&gt;Critical&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The reach extends beyond U.S. frameworks. The EU's &lt;a href="https://gdpr-info.eu/art-32-gdpr/" rel="noopener noreferrer"&gt;GDPR Article 32&lt;/a&gt; requires security measures appropriate to "the state of the art" — a standard that running years-past-EOL software plainly undercuts. For financial entities, the EU's DORA regulation (in force since January 2025) and the NIS2 Directive both impose ICT lifecycle and vulnerability-management obligations in the same spirit.&lt;/p&gt;

&lt;h2&gt;
  
  
  From a date to a defensible plan
&lt;/h2&gt;

&lt;p&gt;A calendar reminder is the trigger. Here's the workflow it plugs into:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Know&lt;/strong&gt; — Inventory your stack. Use the &lt;a href="https://endoflife.ai/scanner" rel="noopener noreferrer"&gt;Stack Scanner&lt;/a&gt; on your &lt;code&gt;package.json&lt;/code&gt;, &lt;code&gt;requirements.txt&lt;/code&gt;, Gemfile, or container base images to map what you actually run against current EOL dates.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Prioritize&lt;/strong&gt; — Score the risk. The &lt;a href="https://endoflife.ai/risk-score" rel="noopener noreferrer"&gt;EOL Risk Score&lt;/a&gt; weighs EOL recency, attack surface, CISA KEV exposure, and extended-support availability so you triage the dangerous components first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Schedule&lt;/strong&gt; — Put the dates on the calendar. For every version you depend on, hit &lt;strong&gt;Add to Calendar&lt;/strong&gt; on its page. The 90/30/7-day reminders become your standing remediation timeline — the documented plan auditors ask to see.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Automate&lt;/strong&gt; — Scale it. The &lt;a href="https://endoflife.ai/api" rel="noopener noreferrer"&gt;endoflife.ai API&lt;/a&gt; exposes EOL dates for 455+ products programmatically, so you can wire lifecycle alerts into CI/CD, SBOM tooling, or your own dashboards.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;The date was never the hard part. EOL dates are published years in advance; that's the entire premise of &lt;a href="https://endoflife.date" rel="noopener noreferrer"&gt;endoflife.date&lt;/a&gt;, the open dataset this site is built on. The hard part has always been &lt;em&gt;not seeing it coming&lt;/em&gt; — letting a known deadline pass in silence until it surfaces as an incident, an audit finding, or both.&lt;/p&gt;

&lt;p&gt;Now the deadline shows up where you'll actually see it: on your calendar, with enough warning to do something about it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check any of 455+ products, see its EOL Risk Score, and add the deadline to your calendar — free, no signup, at &lt;a href="https://endoflife.ai" rel="noopener noreferrer"&gt;endoflife.ai&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>compliance</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
