Re: [DISCUSS] Planning next releases

Thu, 27 Nov 2025 04:11:47 -0800 

Hi all,

+1 for me.
BTW even if versions are just "numbers", it would be nice to minimize the upgrading effort among releases, since 5.0 is a major and could contain breaking changes (also on db side), why not thinking about a 4.2 and 5.0 both on Spring Boot 4.0? 

Just to decouple breaking changes from "spring-forced" upgrades.

Best regards

On 21/11/25 12:42, Francesco Chicchiriccò wrote:

Hi all,
I was reflecting about the OSS support window provided by some of the most notable dependencies in use by Syncope.
Depending on component releases out of their OSS support window ultimately means no possibility to upgrade to a newer version when something critical (a CVE, for example) is issued, and fixes are made available only with latest versions. 

* Spring Boot [1]

** 3.4 ends in December 2025
** 3.5 ends in June 2026
** 4.0 ends in December 2026

* Spring Framework [2]

** 6.2 ends in June 2026
** 7.0 ends in June 2027

* Spring Security [3]

** 6.4 ends in December 2025
** 6.5 ends in June 2026
** 7.0 ends in December 2026

* Spring Cloud Gateway [4]

** 4.2 ends in December 2025
** 4.3 ends in June 2026
** 5.0 ends in December 2026

* Apereo CAS [5]

** 7.2 ends in March 2026
** 7.3 ends in September 2026

Our "release trains" are set as follows:

1. Syncope 4.0
  - Spring Boot 3.4 (with Framework 6.2,  Security 6.4 and Cloud Gateway 4.2) 
  - Apereo CAS 7.2

2. Syncope 4.1
  - Spring Boot 3.5 (with Framework 6.2,  Security 6.5 and Cloud Gateway 4.3) 
  - Apereo CAS 7.3

3. Syncope 5.0 (?)
  - Spring Boot 4.0 (with Framework 7.0,  Security 7.0 and Cloud Gateway 5.0) 
  - Apereo CAS 8.0


Overall, this means that:
* Syncope 4.0 will not be able to get further dependency updates between December 2025 and March 2026 * Syncope 4.1 will not be able to get further dependency updates between June 2026 and September 2026
For these reasons, I think we should plan to get out Syncope 4.1.0 in the first months of 2026, March at most, and immediately afterwards start preparing for Syncope 5.0. 

WDYT?
Regards.

[1] https://spring.io/projects/spring-boot#support
[2] https://spring.io/projects/spring-framework#support
[3] https://spring.io/projects/spring-security#support
[4] https://spring.io/projects/spring-cloud-gateway#support
[5] https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule 


--
Andrea Patricelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

PMC Member at The Apache Software Foundation
Syncope

Reply via email to