It’s time to stop using Python 3.7
Upgrading to new software versions is work, and work that doesn’t benefit your software’s users. Users care about features and bug fixes, not how up-to-date you are.
So it’s perhaps not surprising how many people still use Python 3.7. As of December 2022, almost 30% of packages downloaded from PyPI were for Python 3.7. This includes automated downloads as part of CI runs, so it doesn’t mean 3.7 is used in 30% of applications, but that’s still a lot of people using an old version of Python.
Still, there is only so much time you can delay upgrading, and for Python 3.7, the time to upgrade is over the next few months. Python 3.7 is reaching its end of life as of June 2023.
No more bug fixes.
No more security fixes.
Still not convinced? Let’s see why you want to upgrade.
What does end-of-life mean?
Python 3.7 was released in June 2018. As you can see in PEP 537:
- Bug fix and security fix sub-releases happened every 3 months for the first two years.
- After that, releases happened as needed for security fixes only.
- Releases will stop 5 years after 3.7 was released.
Which is to say, June 2023 is the last month there will be any Python 3.7 releases. Starting July 2023, if there is a security bug, it won’t get fixed by the Python development team.
The need for security fixes is real: all releases after 3.7.9 were due to security fixes. The latest version at the time of writing, Python 3.7.16, was released on Dec 6, 2022, with 5 different security fixes, ranging from a potential denial of service attack to a buffer overflow.
“I don’t need to upgrade, I’m on long-term-support Linux!”
Some Linux distributions guarantee long-term support for a known period of time, including security bug fixes. If you’re using one of those distributions, and it includes Python 3.7, you can rely on the distribution to provide security fixes even if the Python development team won’t.
So in theory, you don’t need to upgrade quite yet. In practice, there are caveats.
Python 3.7 is not included in most distributions
- RedHat and clones do not include Python 3.7 in any release.
- Ubuntu 18.04 does have Python 3.7 as an add-on, but it’s part of the
universe
add-on packages, so it’s not clear how good security support will be;universe
package security updates rely on community updates, supposedly. The last security update was December 2021. Newer LTS Ubuntu releases (20.04, 22.04) do not include Python 3.7. - Debian 10 (“Buster”) includes Python 3.7, but Debian 11 does not.
Linux distributions will only do so much
Linux distributions do not backport all security fixes, only those which are most significant:
- Even now, when bug fixes are being provided by the Python maintainers themselves, Python 3.7.16 has many security fixes that aren’t included in the version maintained by Debian.
- Ubuntu’s last security update for Python 3.7 was in December 2021, even though there have been a number of security updates since.
And of course long-term support only continues for a limited amount of time:
- Debian Buster ends its own security updates in June 2024, so that will only buy you one extra year.
- Ubuntu 18.04 will end standard security updates in April 2023; after that you’ll need to pay to get security updates.
Your dependencies will stop getting updates
Once June comes around, third-party Python libraries and frameworks are going to start dropping Python 3.7 support. And that means if those libraries have a critical bug, the fix might not be available on Python 3.7, and your Linux distribution is very much not in the business of doing backports for every single Python library in existence.
In fact, some libraries and frameworks have already started dropping Python 3.7 support:
Package | Latest version supports 3.7? | Last release supporting 3.7 |
---|---|---|
NumPy | No | April 2022 |
Pandas | No | December 2021 |
Django 4.x | No | Never supported |
Django 3.2 LTS still supports Python 3.7, and will end its own security updates in April 2024.
The time to upgrade from 3.7 is now
In the short-term, your minimal goal is to switch to a version of Python that has maintained versions of your dependencies available. If you’re relying on Pandas, for example, as we’ve seen the last 3.7-compatible release was in December 2021. So at the very minimum you want to be on Python 3.8.
Luckily, Python 3 releases are fairly backwards compatible. So what you really want to do is:
- Upgrade to 3.8.
- Fix any bugs you find.
- Upgrade to 3.9, fix any bugs.
- Repeat until you hit Python 3.10 or starting around January 2023, Python 3.11.
A symptom of a bigger problem
The need to upgrade is not a one-time event, it’s an ongoing requirement:
- Ubuntu 18.04 will stop getting free security updates in April 2023.
- Python 3.7 will stop getting security updates in June 2023.
- Django 3.2 will stop getting security updates in April 2024.
- Debian Buster will stop getting security updates in June 2024.
- Python 3.8 will stop getting security updates in October 2024.
And so on and so forth.
From the opposite perspective of new releases:
- Python 3.8 was released in October 2019.
- Python 3.9 was released in October 2020.
- Python 3.10 was released in October 2021.
- Python 3.11 was released in October 2022.
If you’re still on Python 3.7, that is a symptom you are suffering from an organizational problem, and it’s likely you have other important upgrades that you’ve been putting off. So your next step should be setting up an ongoing process to update your dependencies regularly.