Jackson End of Life (EOL) Dates & Support Timeline
Complete end-of-life dates, support windows, and security status for all Jackson versions. Data sourced from endoflife.date and official vendor documentation. Updated at every deploy.
| Version | Latest Release | Release Date | EOL Date | Days | Status |
|---|---|---|---|---|---|
| 2.18 LTS | 2.18.9 | Sep 27, 2024 | TBD | Supported | Active |
| 2.19 | 2.19.4 | Apr 24, 2025 | Oct 30, 2025 | 251 days past EOL | EOL |
| 2.20 | 2.20.2 | Aug 28, 2025 | Jan 19, 2026 | 170 days past EOL | EOL |
| 2.21 LTS | 2.21.5 | Jan 18, 2026 | Jan 31, 2028 | 572 days remaining | Active |
| 3.0 | 3.0.4 | Oct 3, 2025 | Feb 23, 2026 | 135 days past EOL | EOL |
| 3.1 LTS | 3.1.4 | Feb 23, 2026 | TBD | Supported | Active |
| 3.2 | 3.2.0 | Jun 8, 2026 | TBD | Supported | Active |
Jackson lifecycle status — the real story
Jackson is the most widely deployed JSON library on the JVM, and its lifecycle runs on two parallel tracks: the 2.x line (com.fasterxml.jackson) that most production systems still use, and the 3.x line (tools.jackson) launched in October 2025 as the actively developed future. Migrating between them is a real project — the Maven coordinates, package names, and default behaviors all changed.
Jackson designates specific branches as Long-Term Support: as of mid-2026 the open LTS branches are 2.18, 2.21, and 3.1, each maintained for a minimum of two years. Non-LTS branches close fast — 2.19 and 2.20 were each retired within roughly six months of release, and 3.0 closed in February 2026 when 3.1 shipped. Teams that pin a non-LTS Jackson version are typically running unpatched within a year.
The ancient 1.x line (org.codehaus.jackson) has been unsupported for over a decade with no release mechanism left, yet it still appears in legacy enterprise applications and transitive dependency trees — finding it in a scan is a reliable signal of deeper technical debt.
What does Jackson end of life mean for your organization?
When a version of Jackson reaches end of life, the maintainers stop issuing security patches. Vulnerabilities discovered after this date are publicly disclosed on the National Vulnerability Database, exploit code appears on GitHub, and your systems remain permanently exposed.
The CVE blind spot: Most vulnerability scanners check for known CVEs but do not flag the accumulation of unpatched vulnerabilities in EOL software. With a zero-day, nobody knows about the vulnerability. With EOL software, the vulnerability is public — listed, rated, and often weaponized — but no patch will ever exist. This is the most dangerous gap in enterprise security posture.
Organizations running EOL Jackson should treat it as a vulnerability class in their risk register, apply compensating controls (network segmentation, enhanced monitoring, access restriction), and prioritize migration to a supported version.
Extended Support Options
If you cannot migrate immediately, extended support vendors provide continued security patches for EOL Jackson versions. This is a bridge, not a permanent solution — plan your migration in parallel.
We work with vetted extended support vendors. Tell us what you need and we'll connect you with the right provider.
Contact Us →