Managing End-of-Life Software & Deprecated Dependencies
Software has a lifespan. When a programming language version, framework, or dependency reaches "end of life" (EOL), it no longer receives security patches — making it a risk for your live system. This article explains how we manage this risk.
What Does End of Life Mean?
EOL means the vendor or open source project has stopped providing security fixes and updates. Software running on EOL components can have unpatched known vulnerabilities — a significant security and compliance risk.
Common EOL Examples
- PHP 7.x (EOL December 2022)
- Node.js LTS versions (each version supported for ~30 months)
- Python 2.x (EOL January 2020)
- WordPress versions without security backports
- Specific npm packages no longer maintained
How We Manage This
- We proactively monitor the EOL status of all dependencies in your managed systems
- We alert you 6–12 months before a critical component reaches EOL, with options and cost estimates for upgrading
- Where possible, we plan major version upgrades as part of your retainer
- We document any known EOL risks in your quarterly health check
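As an added illustration of the monitoring and alert windows described above (example code, not the company's own tooling), the following Python check classifies each component of a constructed inventory against a constructed EOL table; the dates and system names are sample values for the example.

```python
import calendar
from datetime import date

# Constructed sample EOL table (component -> last day of security support).
# Dates are illustrative and roughly follow the article's examples; in
# practice they come from the vendor's published support schedule.
EOL_DATES = {
    "php 7.4": date(2022, 12, 31),    # PHP 7.x: EOL December 2022
    "python 2.7": date(2020, 1, 1),   # Python 2.x: EOL January 2020
    "node 16": date(2023, 9, 11),     # Node.js LTS lines get ~30 months
    "node 18": date(2025, 4, 30),
}

def add_months(d, months):
    """Return date d shifted forward by a whole number of months (clamped to month end)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def eol_status(component, today, alert_months=12, critical_months=6):
    """Classify one component against the 6- and 12-month alert windows."""
    eol = EOL_DATES.get(component)
    if eol is None:
        return "unknown"    # not in the table: needs manual research
    if today >= eol:
        return "eol"        # already unsupported: unpatched risk now
    if add_months(today, critical_months) >= eol:
        return "critical"   # inside the 6-month window: upgrade must be scheduled
    if add_months(today, alert_months) >= eol:
        return "alert"      # inside the 12-month window: notify client with options
    return "ok"

def health_check(inventory, today):
    """Return (system, component, status) for every component, worst first."""
    order = {"eol": 0, "critical": 1, "alert": 2, "unknown": 3, "ok": 4}
    findings = [(system, comp, eol_status(comp, today))
                for system, comps in inventory.items() for comp in comps]
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))

# Constructed inventory of managed systems for the example.
INVENTORY = {
    "web-01": ["php 7.4", "wordpress 6.4"],
    "api-01": ["node 16"],
    "batch-01": ["python 2.7", "node 18"],
}

if __name__ == "__main__":
    for system, comp, status in health_check(INVENTORY, date(2023, 1, 15)):
        print(f"{status:<9} {system:<9} {comp}")
```

Components missing from the table are reported as "unknown" rather than silently treated as supported, so gaps in the inventory surface in the same report.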
Your Responsibilities
When we notify you of an upcoming EOL risk and recommend action, please respond and approve the required upgrade work promptly. Running EOL software creates shared risk — if a breach occurs due to an unpatched EOL component after we have advised you to upgrade and you have declined, liability may shift to your side under your contract.
Cost of Upgrades
Minor version updates are typically included in managed retainers. Major version upgrades (e.g. PHP 7 → 8, Node 16 → 22) are usually scoped as change requests due to the testing required. We aim to plan these well in advance to avoid emergency upgrade situations.