EOL Watch

The June 30 Spring wave:
four projects went EOL on one day.

Published 2026-07-11 · 5 min read · endoflife.ai Research

On June 30, 2026, open-source support ended simultaneously for Spring Boot 3.5, Spring Framework 6.2, Spring Security 6.5, and Spring Cloud 2025.0. That's not a coincidence — the Spring portfolio synchronizes its release trains — but it means JVM teams didn't lose support for a library last month; they lost the entire supported generation of their application stack at once. Eleven days later, search traffic tells us plenty of teams are only now finding out.

Why one day took out the whole stack

Spring's projects version together: a Boot release binds specific Framework, Security, and Cloud lines, and their open-source support windows end together. Under the current policy, each Spring Boot minor receives roughly 13 months of open-source support; when 3.5's window closed on June 30, the coordinated lines closed with it. The successors — Spring Boot 4.0 and Spring Framework 7.0, released November 2025 — are now the only fully supported open-source generation.

What makes this one bigger than usual

Spring Boot 3.5 wasn't just another minor: it was the final release of the 3.x line. There is no 3.6 to slide onto. Staying supported on open source means crossing a major version boundary — Boot 3.x → 4.0 rides on Framework 6.x → 7.0 — and major-boundary migrations are where framework upgrades stop being version bumps and start being projects. As we covered in how CVEs hit frameworks differently, framework code parses your inbound traffic: when the next serious advisory lands (Spring's history includes Spring4Shell-class events), 3.x users won't be patching — they'll be migrating under fire.

The quiet part
From July 1, newly disclosed vulnerabilities in Framework 6.2 / Boot 3.5 and earlier get no open-source fix. Your dependency scanner won't flag anything today — the findings arrive with the next CVE, retroactively, for a version you can no longer patch.

Your options, ranked

1. Migrate to Boot 4.0 / Framework 7.0. The documented path, and the earlier you start the calmer it is. Teams on 3.5 with current dependencies have the shortest crossing; teams still on 3.2/3.3 (we see you in the search logs) should go straight to 4.0 rather than hopping through dead minors.

2. Commercial support for the 3.x line. Broadcom's enterprise subscriptions extend 3.x support well past the open-source cutoff — the official paid bridge. Independent extended-support vendors also cover Spring lines, often at different price points. Tell us your stack and constraints and we'll match you with the right option — free, one business day.

3. Accept and contain — briefly. A documented, time-boxed exposure window while migration is scheduled is defensible. An open-ended one, on the component that parses your public traffic, is how Equifax happened.

Check where you actually stand

Every Spring line's dates are on the live pages: Spring Boot, Spring Framework, Spring Security, Spring Cloud — or get an instant answer for any product with the EOL Checker. June 30 was the Spring ecosystem's biggest EOL day of 2026; the next generation's clock (Boot 4.0's open-source window runs to the end of 2026) is already ticking.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.