GraphQL Java End of Life (EOL) Dates & Support Timeline
Complete end-of-life dates, support windows, and security status for all GraphQL Java versions. Data sourced from endoflife.date and official vendor documentation. Updated at every deploy.
| Version | Latest Release | Release Date | EOL Date | Days | Status |
|---|---|---|---|---|---|
| 21 | 21.5 | Jul 11, 2023 | Apr 16, 2024 | 813 days past EOL | EOL |
| 22 | 22.4 | Apr 16, 2024 | Apr 7, 2025 | 457 days past EOL | EOL |
| 23 | 23.1 | Apr 7, 2025 | May 16, 2025 | 418 days past EOL | EOL |
| 24 | 24.3 | May 16, 2025 | Nov 10, 2025 | 240 days past EOL | EOL |
| 25 | 25.0 | Nov 10, 2025 | Apr 23, 2026 | 76 days past EOL | EOL |
| 26 | 26.0 | Apr 23, 2026 | TBD | Supported | Active |
GraphQL Java lifecycle status — the real story
graphql-java is the engine under most JVM GraphQL deployments, including Spring for GraphQL and Netflix DGS. Its lifecycle profile is defined by a fast major-release cadence — roughly two majors per year (21 in 2023, 22 and 23/24 through 2024-25, 26 by April 2026) — combined with a latest-version support posture, meaning each major is effectively end-of-life within months of its successor.
In practice enterprises pin graphql-java majors for long periods because upgrades ripple through framework versions (each Spring for GraphQL / DGS release binds to a specific graphql-java major). That structural lag means production systems routinely run majors that are several generations unsupported.
When auditing, resolve the effective graphql-java version through the framework BOM rather than the declared dependency — the framework's binding is what pins you, and framework upgrades are the real remediation path.
What does GraphQL Java end of life mean for your organization?
When a version of GraphQL Java reaches end of life, the maintainers stop issuing security patches. Vulnerabilities discovered after this date are publicly disclosed on the National Vulnerability Database, exploit code appears on GitHub, and your systems remain permanently exposed.
The CVE blind spot: Most vulnerability scanners check for known CVEs but do not flag the accumulation of unpatched vulnerabilities in EOL software. With a zero-day, nobody knows about the vulnerability. With EOL software, the vulnerability is public — listed, rated, and often weaponized — but no patch will ever exist. This is the most dangerous gap in enterprise security posture.
Organizations running EOL GraphQL Java should treat it as a vulnerability class in their risk register, apply compensating controls (network segmentation, enhanced monitoring, access restriction), and prioritize migration to a supported version.
Extended Support Options
If you cannot migrate immediately, extended support vendors provide continued security patches for EOL GraphQL Java versions. This is a bridge, not a permanent solution — plan your migration in parallel.
We work with vetted extended support vendors. Tell us what you need and we'll connect you with the right provider.
Contact Us →