Vue 2 End of Life —
EOL, Risk & Migration to Vue 3
Vue 2 reached end of life on December 31, 2023. Since that date, the Vue core team has issued no further updates for Vue 2 — no bug fixes, and critically, no security patches. The final Vue 2 release, Vue 2.7 ("Naruto"), is the last version that will ever ship from the official project. If you are still running Vue 2 in production — and a great many teams are — every vulnerability discovered from 2024 onward stays open unless you patch it yourself or buy extended support.
This page is the single reference for Vue 2 end-of-life: every version's EOL date and EOL Risk Score™, why Vue 2 is harder to leave than most frameworks, the realistic path to Vue 3, and the extended-support options if you cannot migrate yet.
Vue Version EOL Schedule
The entire Vue 2 line is now end-of-life. Vue 3 is the actively maintained generation; within it, only the latest minor receives fixes, so older Vue 3 minors carry elevated risk too. Scores below are live EOL Risk Scores™ — click any to see the full breakdown.
| Version | End of Life | Status | EOL Risk Score™ |
|---|---|---|---|
| Vue 2.6 | Jun 30, 2022 | EOL | 70 |
| Vue 2.7 (final Vue 2) | Dec 31, 2023 | EOL | 70 |
| Vue 3.3 | Dec 28, 2023 | EOL | 70 |
| Vue 3.4 | Sep 2, 2024 | EOL | 65 |
| Vue 3.5 (current) | Active | Supported | 30 |
Why Vue 2 EOL Is a Real Security Problem
It is tempting to treat a front-end framework as lower-risk than a database or an OS — it runs in the browser, not on your servers. That reasoning is wrong in two specific ways.
Client-side code is directly attacker-facing. Vue renders untrusted data into the DOM. Framework-level vulnerabilities — XSS through template compilation, prototype-pollution in reactivity, mutation-based injection — execute in your users' sessions. An unpatched flaw in Vue 2 is an unpatched flaw in the part of your app the attacker can reach most easily.
The dependency tree ages with it. Vue 2 pins you to Vue CLI, vue-router 3, Vuex 3, and a generation of component libraries that are themselves end-of-life. Each is a stalled dependency that no longer receives security fixes, and many will not run on current Node.js. The longer you stay on Vue 2, the more of your stack is frozen alongside it. See how this concentration of risk plays out across the wider ecosystem in our 2026 data report.
Vue 2.7 — The Final Release
Vue 2.7 was a deliberate bridge release. It backported the most important Vue 3 features — the Composition API, <script setup>, and improved TypeScript support — into the Vue 2 runtime, so teams could start writing Vue-3-style code before migrating. That makes 2.7 the best possible launchpad for a Vue 3 move: code written against its Composition API largely carries over.
But 2.7 is still end-of-life. Its EOL Risk Score™ of 70 (High) reflects a past-EOL framework with a broad, browser-facing attack surface. The Composition-API support it added is a migration aid, not a reprieve — the security clock ran out on December 31, 2023 regardless of which API style you use.
If you are on an older Vue 2 minor (2.6 or earlier): upgrade to 2.7 first. It is the smallest possible step, it is still within the Vue 2 line, and it sets up the Vue 3 migration with far less rework.
Migrating from Vue 2 to Vue 3
Vue 3 is a ground-up rewrite, not a drop-in upgrade. The reactivity system moved from Object.defineProperty to ES Proxy, the global API changed (new Vue() became createApp()), and several Vue 2 patterns were removed. The official migration build (@vue/compat) runs Vue 3 in a Vue-2-compatible mode and flags each incompatibility, so you can migrate incrementally rather than in one big-bang rewrite.
-
01Get to Vue 2.7 and the latest dependencies first Move to Vue 2.7, then update vue-router, Vuex, and your component libraries to their latest Vue-2-compatible releases. Adopt the Composition API where practical — that code transfers to Vue 3 almost unchanged.
-
02Switch to the migration build (
@vue/compat) Replace Vue 2 with the Vue 3 migration build. It boots your app in compatibility mode and emits console warnings for every deprecated pattern — your prioritised migration to-do list, generated from your actual code. -
03Clear the warnings, one category at a time Update the global API (
createApp), filters (removed — replace with methods/computed),v-modelchanges, event-bus removal ($on/$offare gone), and functional-component syntax. Work category by category so each change is reviewable. -
04Upgrade the ecosystem to Vue 3 lines Move to vue-router 4, Pinia (the successor to Vuex), and Vue-3-compatible component libraries. This is usually the largest chunk of work — third-party libraries, not your own code, are the common blocker.
-
05Drop compat mode and ship on native Vue 3 Once the warnings are gone and the ecosystem is upgraded, remove
@vue/compatand run on stock Vue 3.5. Pin yourself to the latest Vue 3 minor and keep current — within Vue 3, only the newest minor receives fixes.
Extended Support If You Can't Upgrade Yet
For a large Vue 2 application, migration is a real project — often months of work, gated on third-party libraries you do not control. That is a legitimate reason it has not happened yet. It is not a reason to ship unpatched security flaws to your users in the meantime.
Extended (post-EOL) support closes that gap. Specialist vendors maintain security-patched forks of Vue 2 and its core ecosystem — backporting fixes for newly disclosed vulnerabilities to the Vue 2 line — so your application stays protected while you migrate to Vue 3 on a realistic timeline rather than an emergency one. Vue 2 is one of the most commonly supported frameworks in this market precisely because so many production apps still depend on it.
Check your whole front-end stack for EOL exposure
Vue is one dependency. Check your runtime, build tooling, and the rest of your stack too — free, no signup required.
Scan your stack Check a version Extended support options