It’s time to stop using Python 3.7

Upgrading to new software versions is work, and work that doesn’t benefit your software’s users. Users care about features and bug fixes, not how up-to-date you are.

So it’s perhaps not surprising how many people still use Python 3.7. As of June 2023, about 30% of packages downloaded from PyPI were for Python 3.7. This includes automated downloads as part of CI runs, so it doesn’t mean 3.7 is used in 30% of applications, but that’s still a lot of people using an old version of Python.

Still, there is only so much time you can delay upgrading, and for Python 3.7, the time to upgrade is as soon as possible. Python 3.7 is reaching its end of life at the end of June 2023.

No more bug fixes.

No more security fixes.

“He’s dead, Jim.”

Still not convinced? Let’s see why you want to upgrade.

What does end-of-life mean?

Python 3.7 was released in June 2018. As you can see in PEP 537:

  • Bug fix and security fix sub-releases happened every 3 months for the first two years.
  • After that, releases happened as needed for security fixes only.
  • Releases will stop 5 years after 3.7 was released.

Which is to say, June 2023 is the last month there will be any Python 3.7 releases. Starting July 2023, if there is a security bug, it won’t get fixed by the Python development team.

The need for security fixes is real: all releases after 3.7.9 were due to security fixes. The latest version at the time of writing, Python 3.7.17, was released on June 6, 2023, with 5 different security fixes.

“I don’t need to upgrade, I’m on long-term-support Linux!”

Some Linux distributions guarantee long-term support for a known period of time, including security bug fixes. If you’re using one of those distributions, and it includes Python 3.7, you can rely on the distribution to provide security fixes even if the Python development team won’t.

So in theory, you don’t need to upgrade quite yet. In practice, there are caveats.

Python 3.7 is not included in most distributions

  • Red Hat and clones do not include Python 3.7 in any release.
  • Ubuntu 18.04 does have Python 3.7 as an add-on. Newer LTS Ubuntu releases (20.04, 22.04) do not include Python 3.7.
  • Debian 10 (“Buster”) includes Python 3.7, but Debian 11 and 12 do not.

Linux distributions will only do so much

Linux distributions do not backport all security fixes, only the most significant ones. Even now, while bug fixes are still being provided by the Python maintainers themselves, Python 3.7.17 and older versions contain many security fixes that aren’t included in the version maintained by Debian, whose last release was in October 2022.

And of course long-term support only continues for a limited amount of time:

  • Debian Buster ends its own security updates in June 2024, so that will only buy you one extra year.
  • Ubuntu 18.04 ended standard security updates in April 2023; you’ll need to pay to get security updates if you’re operating at scale.

Your dependencies will stop getting updates

Third-party Python libraries and frameworks have already started dropping Python 3.7 support. And that means if those libraries have a critical bug, the fix might not be available on Python 3.7, and your Linux distribution is very much not in the business of doing backports for every single Python library in existence.

| Package | Latest version supports 3.7? | Last release supporting 3.7 |
|---|---|---|
| NumPy | No | April 2022 |
| Pandas | No | December 2021 |
| Django 4.x | No | Never supported |
| Django 3.2 | Yes | April 2024 |

The time to upgrade from 3.7 is now

In the short term, your minimum goal is to switch to a version of Python that has maintained versions of your dependencies available. If you’re relying on Pandas, for example, the last 3.7-compatible release was in December 2021, as we’ve seen. So at the very minimum you want to be on Python 3.8.

Luckily, Python 3 releases are fairly backwards compatible. So what you really want to do is:

  1. Upgrade to 3.8.
  2. Fix any bugs you find.
  3. Upgrade to 3.9, fix any bugs.
  4. Repeat until you hit Python 3.11.

A symptom of a bigger problem

The need to upgrade is not a one-time event; it’s an ongoing requirement:

  • Ubuntu 18.04 has stopped getting free security updates as of April 2023.
  • Python 3.7 will stop getting security updates in July 2023.
  • Django 3.2 will stop getting security updates in April 2024.
  • Debian Buster will stop getting security updates in June 2024.
  • Python 3.8 will stop getting security updates in October 2024.

And so on and so forth.

From the opposite perspective of new releases:

  • Python 3.8 was released in October 2019.
  • Python 3.9 was released in October 2020.
  • Python 3.10 was released in October 2021.
  • Python 3.11 was released in October 2022.

If you’re still on Python 3.7, that is a symptom that you are suffering from an organizational problem, and it’s likely you have other important upgrades that you’ve been putting off. So your next step should be setting up an ongoing process to update your dependencies regularly.
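One way to turn the support dates listed above into a recurring check is a small CI gate like the following. This is an added example, not code from the original article. The component labels, function names, and `warn_days` threshold are hypothetical, and because the article gives months rather than days, support is assumed to end on the first day of the named month.

```python
import sys
from datetime import date

# Month in which security updates stop, as listed in this article.
# Assumption: the article gives months only, so support is treated as
# ending on the first day of that month (the conservative reading).
SECURITY_SUPPORT_ENDS = {
    "ubuntu-18.04": date(2023, 4, 1),
    "python-3.7": date(2023, 7, 1),
    "django-3.2": date(2024, 4, 1),
    "debian-10": date(2024, 6, 1),
    "python-3.8": date(2024, 10, 1),
}
STATUS_ORDER = {"expired": 0, "expiring": 1, "unknown": 2, "ok": 3}

def running_python(version_info=None):
    """Label for the interpreter executing this script, e.g. 'python-3.7'."""
    v = version_info or sys.version_info
    return f"python-{v[0]}.{v[1]}"

def classify(component, today, warn_days=180):
    """Return 'expired', 'expiring', 'ok', or 'unknown' for one component."""
    end = SECURITY_SUPPORT_ENDS.get(component)
    if end is None:
        return "unknown"  # not in the table: report it, never silently pass
    if today >= end:
        return "expired"
    if (end - today).days <= warn_days:
        return "expiring"
    return "ok"

def audit(components, today, warn_days=180):
    """Classify every component; most urgent findings come first."""
    findings = [(classify(c, today, warn_days), c, SECURITY_SUPPORT_ENDS.get(c))
                for c in components]
    findings.sort(key=lambda f: (STATUS_ORDER[f[0]], f[2] or date.max, f[1]))
    return findings

def exit_code(findings):
    """Non-zero when any component no longer receives security updates."""
    return 1 if any(status == "expired" for status, _, _ in findings) else 0

if __name__ == "__main__":
    # Constructed sample stack: the running interpreter plus two entries.
    stack = [running_python(), "django-3.2", "debian-10"]
    results = audit(stack, date.today())
    for status, name, end in results:
        print(f"{status:9} {name:14} security updates end: {end or 'not in table'}")
    sys.exit(exit_code(results))
```

Run on a schedule rather than only on commits, the "expiring" status gives advance warning before a component falls out of support.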