Clarification on v2.x support lifecycle and security maintenance

[Davidvaquer]

Hi everyone,

We are currently evaluating Bruno for a large-scale deployment within a major corporate IT department (DSI) as an alternative to Postman.

Our security compliance team is inquiring about the support lifecycle of the v2.x branch. We noticed that recent CVE fixes (January 2026) were applied to the v3.0.0 release, while the v2 branch hasn't seen updates since December 2025.

Is the v2.x branch officially considered EOL (End of Life) regarding security patches?

Should new enterprise users target v3.x exclusively to ensure they are protected against known vulnerabilities (especially regarding the transition from vm2 to NodeVM)?

Getting an official word on this would greatly help us finalize our internal validation process. Thanks for this amazing tool!"

[helloanoop]

Hey @Davidvaquer

Yes, v2.x branch is officially considered EOL (End of Life) regarding security patches.
We recommend everyone to upgrade to v3.x