Ship .NET 10 LTS: What’s New and How to Upgrade

.NET 10 LTS is out as of November 11, 2025, and it’s the version most teams should target next. Why? The three-year support window runs to November 10, 2028, you get meaningful runtime and toolchain gains, and ASP.NET Core 10 tightens security and observability while smoothing everyday development. If you’ve been waiting for a stable landing zone after .NET 8 and 9, .NET 10 LTS is it.

Why .NET 10 LTS matters right now

LTS means predictability. With .NET’s annual cadence, even-numbered releases carry three years of support; odd-numbered releases now have 24 months of Standard Term Support. That alignment gives enterprises room to plan: you can move from .NET 8 or 9 to .NET 10 and stay supported through 2028 without serial point upgrades.

Here’s the thing: stability doesn’t mean stagnation. .NET 10 arrives alongside Visual Studio 2026 GA and a refreshed suite of docs and tooling. If you manage multiple services, this is the kind of release that can reduce your total upgrade surface for the next few cycles.

What’s actually new in .NET 10 (high-impact highlights)

ASP.NET Core 10: security, diagnostics, and developer ergonomics

There’s a lot to like in ASP.NET Core 10 if you run web apps and APIs in production:

• Built‑in metrics across authentication/authorization and Identity give you histograms and counters you can wire into OpenTelemetry and view in dashboards. No more bolting on coarse custom counters just to answer “are sign‑ins spiking?”
• Minimal APIs get first‑class validation, with consistent ProblemDetails integration so you can return clean, predictable error payloads.
• OpenAPI 3.1 support by default improves schema fidelity, including better JSON Schema handling; YAML output is now available where you want concise documents.
• Cookie‑based auth now returns 401/403 on known API endpoints instead of redirecting—a long‑standing annoyance for SPA/API stacks that wanted status codes, not HTML redirects.
• Server‑Sent Events land with a single TypedResults.ServerSentEvents() call, handy for streaming telemetry, long‑running jobs, or lightweight real‑time UI without a full SignalR dependency.
• Local dev gets nicer with .localhost support so you can bind clean subdomains like myapp.dev.localhost while keeping certificates happy.

On the security front, the timing also matters: a high‑severity request‑smuggling bug in Kestrel was patched in October. Moving to current .NET lines and redeploying is part of the fix story. If your edge is inconsistent about Transfer‑Encoding and Content‑Length, get this on your weekly board.

C# 14: expressiveness without magic

C# 14 keeps the learning curve flat while removing boilerplate:

• Field‑backed properties let you add logic to auto‑properties using the new field keyword—great for validation or lazy init without creating a backing member.
• Extension members (including extension properties) reduce awkward helper patterns and let you attach intent to types you don’t own.
• Null‑conditional assignment and first‑class Span conversions smooth common refactoring paths.
• Partial constructors and events, nameof for open generics, and lambda parameter modifiers are quality‑of‑life improvements that add up.

Use these surgically. Adopt field‑backed properties where they simplify code review; try extension members on internal frameworks to centralize common patterns without inheritance tangles.

EF Core 10: vectors, JSON columns, and hybrid search

If you store embeddings or JSON today, EF Core 10 is a meaningful upgrade:

• Azure SQL and SQL Server 2025 vector type + VECTOR_DISTANCE() are supported, so you can model embeddings as SqlVector<float> and run similarity queries in LINQ. That’s pragmatic RAG and semantic search without a separate vector store.
• JSON becomes a proper column type in SQL Server 2025/Azure SQL; EF maps complex types straight to JSON columns and can query with the RETURNING clause for better performance.
• Cosmos DB gets full‑text search support and hybrid search (reciprocal rank fusion of full‑text and vector scores). If you’re experimenting with LLM features, you’ll appreciate the first‑party glue.

Runtime and performance: steady wins the race

The runtime and JIT keep squeezing allocations and CPU cycles. Highlights include devirtualization and inlining improvements, Arm64 write‑barrier tweaks that can reduce certain GC pauses by single‑digit to low‑double‑digit percentages, and incremental NativeAOT gains. You don’t have to rewrite code to benefit; just be sure your benchmarks run with .NET 10 for apples‑to‑apples comparisons.

Visual Studio 2026: fewer waits, deeper AI

VS 2026 is now GA with measurable UI responsiveness improvements and better hot‑reload reliability in Razor. If your org standardizes on Visual Studio, this release finally closes some long‑standing papercuts and folds AI features into daily workflows rather than novelty demos. If you’re on VS Code, the .NET 10 SDK and C# Dev Kit give you parity where you need it.

What breaks when moving from .NET 8/9 to .NET 10?

Most apps will upgrade without drama, but you should plan for four classes of change:

• Auth redirects: API endpoints protected by cookie auth will now return 401/403 instead of 302 redirects. If your frontend or API clients relied on redirects, update them—or explicitly override the new behavior.
• OpenAPI 3.1: Tooling that assumed 3.0 schemas may misinterpret nullable representations or JSON‑Schema features. Update client generators or pin the version during migration.
• JSON + PipeReader: MVC/Minimal APIs now lean on a faster JSON parser path. Some hand‑rolled JsonConverters mishandle HasValueSequence. If you see odd deserialization errors, temporarily set the stream‑based parsing switch and fix converters next.
• Identity and passkeys: the Blazor template and Identity gain passkey support, but with scoped goals (auth, not a full WebAuthn library). Expect to set schema version v3 and run a migration that adds AspNetUserPasskeys if you adopt it.

Migration playbook: adopt .NET 10 LTS without taking downtime

You don’t need a multi‑quarter project plan. Use this short, deliberate sequence; run it repo‑by‑repo or service‑by‑service.

1) Baseline where you are

Patch everything first. Get your .NET 8/9 apps on current servicing updates and redeploy, especially if you run Kestrel publicly. Capture current build times, p95 latency, and memory footprints to compare after upgrade.

2) Create an upgrade branch with a production‑like environment

Spin up a separate branch and staging infra with the same TLS, proxies, and CI images. If you containerize, plan to rebuild from fresh dotnet base images; that’s where many orgs miss security fixes.

3) Install SDK 10.0.100 and update toolchain

Standardize on .NET SDK 10.0.100 across local dev and CI. If you’re a Visual Studio shop, roll out VS 2026. On CI, pin the SDK explicitly to avoid random roll‑forwards breaking reproducibility.

4) Target net10.0 and update NuGet packages

Change your TargetFramework to net10.0. Update Microsoft.* packages to 10.x, EF Core to 10.x, and any analyzers. If you use out‑of‑band libraries (Aspire, Microsoft.Extensions.AI, etc.), move to versions tested against .NET 10.

5) Fix the obvious compile‑time and analyzer hits

Let analyzers drive the first wave of edits. Convert low‑value helpers to C# 14 features where it clarifies code: field‑backed properties, extension members, and null‑conditional assignment often retire extra lines and tests.

6) Validate ASP.NET Core behavior changes

Run contract tests for auth flows. Ensure your SPA/API clients handle 401/403 without brittle redirect logic. For SSE scenarios, add a simple endpoint behind feature flags to burn down unknowns.

7) Migrate OpenAPI and client generation

If you generate clients, regenerate against 3.1 and review nullable handling. Many generators (NSwag/Swashbuckle clients, TypeSpec pipelines) already account for 3.1; worst case, set server‑side OpenAPI 3.0 until your clients are ready.

8) Try EF Core 10 features safely

Start with read‑only experiments. If you’re adopting vectors in SQL Server 2025 or Azure SQL, prove out retrieval speed and ranking quality before touching critical paths. Test JSON columns on a single table; watch query plans and I/O.

9) Re‑baseline performance and ship

Re‑run your p95/p99 and memory checks. Verify container sizes and cold‑start times if you’re using NativeAOT or single‑file publish. If numbers look the same or better—and they often will—promote the build, then rinse and repeat for the next service.

People also ask

Is .NET 10 LTS worth upgrading now?

Yes for active products. You pick up support to November 10, 2028, get current security patches, and remove friction for future features (vectors/JSON, Identity metrics, OpenAPI 3.1). If a service is frozen and not internet‑exposed, you can wait, but plan budget and time for one migration wave across your portfolio while the team’s muscle memory is fresh.

How long can I stay on .NET 8 or 9?

Both .NET 8 (LTS) and .NET 9 (STS) reach end of support on November 10, 2026. That’s helpful breathing room, not an excuse to defer indefinitely. Use the next two quarters to move customer‑facing apps; follow with internal systems.

Do I need Visual Studio 2026 to use .NET 10?

No; the .NET 10 SDK works fine with CI and VS Code. That said, VS 2026 brings faster, smoother everyday operations and better Razor/Hot Reload reliability. If your org standardizes on Visual Studio, upgrading reduces friction for the whole team.

A candid note on risk and edge cases

• Proxies and request parsing: if you terminate TLS up front and fan into Kestrel, verify parsing consistency. Normalize Transfer‑Encoding/Content‑Length behavior at the edge and keep WAF rules tight.
• JsonConverter pitfalls: custom converters that assume single‑segment JSON reads can misbehave under PipeReader parsing—fix those or temporarily set the compatibility switch while you patch.
• Passkeys: great for modern auth, but the baked‑in Identity APIs are intentionally scoped. If you need attestation validation across a certified device matrix, plan to extend or integrate a dedicated WebAuthn library.

Let’s get practical: a 2‑week adoption plan

Week 1:
• Day 1–2: Roll SDK 10.0.100 to CI, pin images, and create upgrade branches for two pilot services.
• Day 3–4: Update to net10.0, package bump, fix analyzers, regenerate OpenAPI clients (or pin to 3.0 temporarily).
• Day 5: Validate auth flows, cookies, and SSE; add metrics to dashboards.

Week 2:
• Day 6–7: Performance runs; compare p95 latency and memory vs your baseline.
• Day 8–9: Optional EF Core 10 trials (vector/JSON) in a safe read‑only feature branch.
• Day 10: Ship the first service; schedule the rest in weekly waves.

What to do next

• Pick two services and start the branch today.
• Standardize SDK 10.0.100 across local dev and CI; rebuild containers from fresh base images.
• Add ASP.NET Core built‑in metrics to your dashboards.
• Decide now whether to pin OpenAPI to 3.0 for a sprint or upgrade your generators.
• If you maintain a central auth layer, evaluate Identity passkeys on a sandbox app.

Related playbooks and help

If your team is juggling CI changes alongside framework upgrades, our recent write‑ups can save cycles. For GitHub Actions workflow hardening and breaking changes, see what to fix and ship this week. If you want a tight, tactical checklist to move fast on the framework, read .NET 10: Your Upgrade Playbook for This Week. And if you need a partner to audit, plan, and co‑execute the cutover, our engineering services and direct contact page make it easy to start a scoped engagement.

Zooming out

.NET 10 LTS isn’t flashy for the sake of flash. It’s a release that lowers operational risk while opening credible paths to modernize—better metrics for the things that wake you at 2 a.m., safer defaults for APIs, and database features that match today’s AI‑augmented apps. Move thoughtfully, measure as you go, and you’ll end the year with fewer exceptions, clearer dashboards, and a codebase that’s easier to evolve.