We Measured the Lifespan of 7,144 Software Versions. The Median Is 18 Months.
We run a database that tracks end-of-life dates for 485 software products - every version, every release date, every day the security patches stop. Which means we're sitting on something nobody else has bothered to assemble: enough lifecycle data to answer a simple question with actual numbers. How long does a software version actually live?
We measured every version in the dataset with both a firm release date and a firm end-of-life date - 7,144 versions across 463 products - and computed the span between them.
The headline: 18 months
The median supported lifespan of a software version is 1.5 years. The mean is 2.3 years (a long tail of enterprise products drags it up).
Sit with that. The thing you deployed, integrated, and built muscle memory around has - statistically - about eighteen months of security patches from the day it shipped. If your upgrade cadence is "every two or three years," the math says you spend a meaningful slice of every cycle running unpatched software. Not because you're negligent - because the clock is shorter than most people's mental model of it.
By category: cloud dies fastest, hardware lives longest
| Category | Versions measured | Median lifespan |
|---|---|---|
| Hardware | 100 | 2.9 yrs |
| Operating systems | 370 | 1.6 yrs |
| Databases | 228 | 1.6 yrs |
| Security tools | 61 | 1.3 yrs |
| Frameworks | 195 | 1.1 yrs |
| Runtimes | 221 | 1.0 yr |
| Cloud services | 142 | 0.9 yrs |
Two things jump out:
- The stack rots from the top. The layers you interact with most - runtimes, frameworks, managed cloud services - turn over fastest. The infrastructure underneath (OS, database, hardware) gives you roughly 60-190% more runway. Your Node version will die before your Postgres version, which will die before your server.
- Cloud services have the shortest leash of anything we measured. A managed service version's median lifespan is under a year - and unlike self-hosted software, when a cloud version dies you don't get to quietly keep running it. The provider migrates you on their schedule.
The extremes
Longest-lived (median across versions): Internet Explorer at 17.0 years - say what you want about IE, Microsoft supported it longer than some of its users' entire careers. Then Atlassian Data Center (12.2), Raspberry Pi (11.7), Apache HTTP Server (11.6), and NVIDIA GPUs (11.5).
Shortest-lived: a cluster of rolling-release projects - Chrome, Firefox, Rust, Prometheus, Neo4j among them - where each version gets roughly five weeks before the next one replaces it. That model works because upgrades are continuous and boring. The danger zone isn't rapid release; it's rapid release consumed at an enterprise pace.
Methodology, briefly
All data comes from the endoflife.ai dataset (built on the open-source endoflife.date project plus vendor lifecycle pages). We only measured versions with firm dates on both ends - no TBDs, no estimates - and used medians because enterprise long-tails skew means. Full methodology and tables are in the original article.
What to do with this number
If the median version lives 18 months, then "check lifecycle dates once, at adoption time" is a broken process - the answer changes underneath you. The fix is making the check continuous:
- Look up anything in seconds: free checker, or scan a whole dependency file with the stack scanner
- Gate it in CI with the free API:
curl https://api.endoflife.ai/v1/status/python/3.10 # "is_eol": false - until October 31, 2026. - Watch the big deadlines: the back half of 2026 alone kills OpenSSL 3.0, Oracle JDK 17, Python 3.10, .NET 8 and 9, PostgreSQL 14, and PHP 8.2 - the full calendar is at endoflife.ai/eol-watch
Eighteen months. Plan accordingly.
Comments
No comments yet. Start the discussion.