Update on this topic after some time:

1. Syncope 3.0.16 and 4.0.4 just released, with the former likely being the 
very last from 3_0_X
2. Syncope 4.1 ready to get at least its first milestone release anytime soon
3. Syncope 5.0 being prepared in [6]

About (3), besides "normal" upgrades to get Jakarta EE 11 compatibility, you 
might notice we are planning to replace OpenJPA with Hibernate ORM.
Such a choice was somehow mandated by the fact that OpenJPA is not yet 
implementing the Jakarta Persistence 3.2 specs, part of Jakarta EE 11.

Please note that Hibernate ORM was in use years ago, before entering the ASF 
Incubator, and had to be replaced at that time because of its license; this 
issue is now superseded because AL 2.0 was recently adopted: see [7].

WDYT?
Regards.

On 21/11/25 12:42, Francesco Chicchiriccò wrote:
Hi all,
I was reflecting on the OSS support window provided by some of the most 
notable dependencies in use by Syncope.

Depending on component releases out of their OSS support window ultimately 
means no possibility to upgrade to a newer version when something critical (a 
CVE, for example) is issued, and fixes are made available only with the latest 
versions.

* Spring Boot [1]

** 3.4 ends in December 2025
** 3.5 ends in June 2026
** 4.0 ends in December 2026

* Spring Framework [2]

** 6.2 ends in June 2026
** 7.0 ends in June 2027

* Spring Security [3]

** 6.4 ends in December 2025
** 6.5 ends in June 2026
** 7.0 ends in December 2026

* Spring Cloud Gateway [4]

** 4.2 ends in December 2025
** 4.3 ends in June 2026
** 5.0 ends in December 2026

* Apereo CAS [5]

** 7.2 ends in September 2025
** 7.3 ends in March 2026

Our "release trains" are set as follows:

1. Syncope 4.0
  - Spring Boot 3.4 (with Framework 6.2, Security 6.4 and Cloud Gateway 4.2)
  - Apereo CAS 7.2

2. Syncope 4.1
  - Spring Boot 3.5 (with Framework 6.2, Security 6.5 and Cloud Gateway 4.3)
  - Apereo CAS 7.3

3. Syncope 5.0 (?)
  - Spring Boot 4.0 (with Framework 7.0, Security 7.0 and Cloud Gateway 5.0)
  - Apereo CAS 8.0


Overall, this means that:

* Syncope 4.0 will not be able to get further dependency updates between 
December 2025 and March 2026
* Syncope 4.1 will not be able to get further dependency updates between June 
2026 and September 2026

For these reasons, I think we should plan to get out Syncope 4.1.0 in the first 
months of 2026, March at most, and immediately afterwards start preparing for 
Syncope 5.0.

WDYT?
Regards.

[1] https://spring.io/projects/spring-boot#support
[2] https://spring.io/projects/spring-framework#support
[3] https://spring.io/projects/spring-security#support
[4] https://spring.io/projects/spring-cloud-gateway#support
[5] https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule
[6] https://github.com/apache/syncope/pull/1258
[7] https://hibernate.org/community/license/

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA
https://about.me/ilgrosso
