Java 17 long-term support release

Executive summary. Oracle and the OpenJDK community shipped Java 17 on 14 September 2021, delivering the first long-term support (LTS) release since Java 11 with sealed classes, pattern matching for switch, a new macOS rendering pipeline, and stronger TLS defaults. The release anchors commercial support windows through at least 2029, prompting platform teams to plan migrations that consolidate JDK baselines, retire legacy garbage collectors, and adopt new language features that simplify defensive coding.

Key changes

The following section provides additional context and analysis.

Language and JVM improvements

Java 17 finalizes sealed classes to constrain inheritance hierarchies, improves pattern matching for switch, and provides a foreign-memory access API preview that improves performance for native interop. The G1 and ZGC collectors gain further latency improvements, and a new macOS Metal rendering pipeline replaces deprecated OpenGL bindings.

Security and crypto defaults

Stronger default algorithms (including disabling SHA-1 in code signing by default) and updates to TLS setups reduce exposure to weak ciphers. The JDK also includes context-specific deserialization filters, which help application teams block gadget chains without custom agents.

Lifecycle and support planning

As an LTS, Java 17 will receive quarterly updates for multiple years from Oracle and other vendors. The release also removes outdated features (Applet API marked @Deprecated(forRemoval=true)) and eliminates the experimental AOT/JIT compiler interface introduced in earlier versions, simplifying downstream builds.

Implications for engineering leaders

Standardize on an LTS baseline

Moving to Java 17 lets organizations consolidate runtime support contracts and minimize the number of active JDK lines. Aligning microservices, batch jobs, and build agents on one LTS reduces CVE remediation sprawl and keeps security patches predictable.

Developer productivity and code hygiene

Sealed classes and pattern matching enable stricter domain models and exhaustiveness checks, improving readability and reducing boilerplate in defensive code paths. Platform teams should update coding standards and linters to encourage these constructs.

Modern macOS and container support

The Metal pipeline stabilizes UI testing on Apple Silicon, while container-awareness improvements in the JVM make resource limits more reliable. CI images should be refreshed to the latest container-aware JDK 17 builds to avoid surprise throttling.

Upgrade guidance

Assess dependency readiness

Verify that frameworks (Spring, Jakarta EE, Micronaut) and build tools (Maven, Gradle) declare Java 17 support. Update bytecode targets in build scripts and enable preview features only in controlled modules until team patterns mature.

Security baselines

Revisit keystores and signing pipelines to align with the stronger defaults—particularly the SHA-1 deprecation. Validate outbound mTLS configurations and regenerate SBOMs to capture the new cryptography baseline.

Performance validation

Benchmark workloads under G1 and ZGC to confirm pause-time expectations, especially for low-latency services. Capture JFR profiles to tune heap sizing with container limits and to identify third-party agents that may not be compatible with Java 17 modules.

Development recommendations

Development teams should adopt practices that ensure code quality and maintainability during and after this transition:

• Code review focus areas: Update code review checklists to include checks for deprecated patterns, new API usage, and migration-specific concerns. Establish review guidelines for changes that span multiple components.
• Documentation updates: Ensure README files, API documentation, and architectural decision records reflect the changes. Document rationale for setup choices to aid future maintenance.
• Version control practices: Use feature branches and semantic versioning to manage the transition. Tag releases clearly and maintain changelogs that highlight breaking changes and migration steps.
• Dependency management: Lock dependency versions during migration to ensure reproducible builds. Update package managers and lockfiles systematically to avoid version conflicts.
• Technical debt tracking: Document any temporary workarounds or deferred improvements introduced during migration. Create backlog items for post-migration cleanup and improvement.

Consistent application of development practices reduces risk and accelerates delivery of reliable software.

Long-run considerations

If you are affected, plan for ongoing maintenance and evolution of systems affected by this change:

• Support lifecycle awareness: Track support timelines for dependencies, runtimes, and platforms. Plan upgrades before end-of-life dates to maintain security patch coverage.
• Continuous improvement: Establish feedback loops to identify improvement opportunities. Monitor performance metrics and user feedback to guide iterative improvements.
• Knowledge management: Build team expertise through training, documentation, and knowledge sharing. Ensure institutional knowledge is preserved as team composition changes.
• Upgrade pathways: Maintain awareness of future versions and breaking changes. Plan incremental upgrades rather than large leap migrations where possible.
• Community engagement: Participate in relevant open source communities, user groups, or vendor programs. Stay informed about roadmaps, good practices, and common pitfalls.

preventive maintenance planning reduces technical debt accumulation and ensures systems remain secure, performant, and aligned with business needs.

• Test coverage analysis: Review existing test suites to identify gaps in coverage for affected functionality. Prioritize test creation for high-risk areas and critical user journeys.
• Regression testing: Establish full regression test suites to catch unintended side effects. Automate regression runs in CI/CD pipelines to catch issues early.
• Performance testing: Conduct load and stress testing to validate system behavior under production-like conditions. Establish performance baselines and monitor for degradation.
• Security testing: Include security-focused testing such as SAST, DAST, and dependency scanning. Address identified vulnerabilities before production deployment.
• User acceptance testing: Engage teams in UAT to validate that changes meet business requirements. Document acceptance criteria and sign-off procedures.

A full testing strategy provides confidence in changes and reduces the risk of production incidents.

More on this topic

Further reading from our research library.

Developer · Credibility 40/100 · January 26, 2023

Rust 1.67 Release

Rust 1.67 release in January 2023 continued the language's evolution. Async improvements and standard library additions. Rust's growth in systems programming and security-sensitive applications continued.

Developer · Credibility 40/100 · June 21, 2022

Developer Productivity — GitHub Copilot General Availability

GitHub Copilot is no longer invite-only. As of June 21, 2022, any developer can subscribe and start using AI-assisted code completion in their IDE. This is the first major commercial AI coding assistant, and it is going…

Developer · Credibility 40/100 · July 7, 2022

Node.js 18.7 Adds Built-in Test Runner

Node.js 18.7.0, released 7 July 2022, introduced an experimental built-in test runner and fetch API stabilization, prompting teams to revisit unit-test tooling, CI performance, and HTTP client migration plans.

Developer · Credibility 40/100 · September 20, 2022

Java 19 General Availability

Oracle released Java 19 on 20 September 2022 with preview features like virtual threads, structured concurrency, and record patterns, requiring platform teams to update LTS transition plans and validate CI pipelines…

Developer · Credibility 91/100 · October 2, 2023

Python 3.12 General Availability

Python 3.12 shipped with better error messages, per-interpreter GIL for subinterpreters, and the new 'type' statement for type aliases. Performance is up 5% across the board.

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Secure Software Supply Chain Tooling Guide

  Engineer developer platforms that deliver verifiable provenance, SBOM distribution, vendor assurance, and runtime integrity aligned with SLSA v1.0, NIST SP 800-204D, and CISA SBOM…

• AI-Assisted Development Governance Guide

  Govern GitHub Copilot, Azure AI, and internal generative assistants with controls aligned to NIST AI RMF 1.0, EU AI Act enforcement timelines, OMB M-24-10, and enterprise privacy…

• Developer Enablement & Platform Operations Guide

  Plan AI-assisted development, secure SDLC controls, and runtime upgrades using our research on GitHub Copilot, GitHub Advanced Security, and major language lifecycles.

Coverage intelligence

Published

September 14, 2021

Coverage pillar

Developer

Source credibility

90/100 — high confidence

Topics

Java · Runtimes · Security · Developer Productivity · Platform Upgrades

Sources cited

3 sources (openjdk.org, blogs.oracle.com, iso.org)

Reading time

5 min

Source material

1. OpenJDK JDK 17 release notes — openjdk.org
2. Oracle JDK 17 long-term support announcement — oracle.com
3. ISO/IEC 27034-1:2011 — Application Security — International Organization for Standardization