Apache Maven Support Policy – Straight from Someone Who’s Been Burned by It
Maven’s support policy is brutally simple, and honestly, I kind of respect it.
At any point in time, the Maven team only supports the two newest stable minor series. That’s it. Everything else? Dead to them the moment a new kid pushes it out of the top two.
No bug fixes. No security patches. No “please sir, just one more backport”. Nothing. I still remember the day 3.8 got EOL’ed – half the company’s build servers started screaming about vulnerabilities the next morning. Fun times.
There’s no LTS, no paid support, no Red Hat–style enterprise branch. If you’re still on an EOL version in production… well, technically it still works, but you’re on your own, buddy.
The one saving grace: plugin compatibility is actually pretty decent. Most plugins declare a minimum Maven version (usually 3.6.x or 3.8.x) and keep working fine on newer cores inside the supported window.
Release Types Explained (So You Don’t Deploy an Alpha by Accident)
Over the years I’ve seen way too many teams run Maven 4.0.0-alpha-13 in production because “it was the newest download”. Please don’t be that team.
Here’s the cheat sheet we stick on the office wall:
| Type | What It Really Means | Real-World Example | Production? |
|---|---|---|---|
| GA | General Availability – the boring, safe one | 3.9.11 (latest as of Dec 2025) | Yes, obviously |
| RC | Release Candidate – “we think it’s ready, but…” | 4.0.0-rc-5 | Only if you enjoy living dangerously |
| Beta | Still eating its own dog food | 4.0.0-beta-5, 3.5.0-beta-1 | No, unless you’re paid to find bugs |
| Alpha | Half the features aren’t even written yet | 4.0.0-alpha-13 | Absolutely not |
| M / Milestone | Mid-development checkpoint | 2.1.0-M1 (ancient history) | Nope |
Snapshots aren’t even in this table because they’re literally nightly builds. Never, ever put a -SNAPSHOT in production unless you want random build failures at 3 a.m.
Maven vs Gradle vs Ant – 2025 Edition (No BS)
| Maven | Gradle | Ant | |
|---|---|---|---|
| Config style | XML you’ll hate for 5 minutes, then never touch again | Groovy/Kotlin – feels like real code | XML that you write by hand forever |
| Dependency management | Set-and-forget magic | Insanely powerful (and sometimes insane) | Manual or bolt-on Ivy |
| Build speed | Perfectly fine unless your project is massive | Blazing fast incremental builds | Fast if you keep it simple |
| When I still pick it in 2025 | Enterprise, libraries, anything that needs reproducibility | Android, huge multi-module monorepos | That one legacy project no one dares touch |
Most teams I consult for still run Maven. They only switch to Gradle when Android forces them or when the monorepo gets out of control.
Who Should Still Be Using Maven in 2025?
Honestly? Most of you.
- You want everyone to run
mvn clean installand it just works – no 47 custom Gradle plugins required - You’re building libraries that other companies depend on
- Your compliance team needs SBOMs and dependency reports yesterday
- You value sleeping at night over saving 8 seconds on CI
- You like having 3000+ plugins that actually work
If that sounds like you, stick with Maven. It’s boring. Boring is good.
Alternatives (When Maven Isn’t Enough)
| Tool | Kills it at | You’ll switch when… |
|---|---|---|
| Gradle | Speed & Android | Your build takes >10 min or you’re doing Android |
| Bazel | Huge monorepos, perfect reproducibility | You work at Google, Meta, or similar scale |
| sbt | Scala ecosystem | You’re writing Scala (obviously) |
| Pants | Polyglot codebases | Python + Java + Go + TypeScript in one repo |
| Ant | You hate yourself | It’s 2005 and you’re stuck in a time warp |
FAQ – Questions I Get Every Single Week
Does Maven have LTS versions?
No. Never has, never will. Only the two latest minor lines get love.
When does a version become EOL?
The exact day a new minor release comes out that pushes it out of the top two. Brutal but effective.
Do EOL versions still get security fixes?
Nope. Zero. You’re on your own.
Is it safe to run EOL Maven in prod?
Technically yes. Practically? I’ve seen banks do it and then cry when a CVE drops.
Why only two supported versions?
Because maintaining ten old branches is a nightmare, and the Maven team prefers shipping new features over babysitting ancient code. I can’t blame them.