As of June 2026, .NET 10 LTS is the production default. The 10.0.9 security release (June 9) — including SignalR/Blazor MessagePack DoS (CVE-2026-45591) — makes upgrades mandatory maintenance, not just feature chasing. .NET 8 and 9 support ends November 10, 2026; new services should target 10 LTS, and existing 8/9 apps need a clear plan for compatibility scans, container base images, and CI SDK pins.
The LTS window runs patches until November 2028. For retail and e-commerce backends, "skip STS, stay on LTS" still holds. On performance: JIT inlining, NativeAOT gains, AVX10.2 and Arm64 SVE — I don't upgrade without benchmarks, but measured hot-path wins are real.
AI is no longer a side project: Microsoft.Extensions.AI, Agent Framework, and MCP (Model Context Protocol) standardize agent access to APIs, databases, and tools. .NET templates can publish MCP servers; plan token budgets and fallbacks in product features, not only POCs.
ASP.NET Core 10 brings passkeys/WebAuthn, OpenAPI 3.1 by default, memory pool eviction — less operational drag on auth and API contracts. EF Core 10 vector search and JSON mapping pair with PostgreSQL + pgvector for RAG scenarios.
C# 14 field-backed properties, extension properties, span conversions cut boilerplate; the real win is review time. My upgrade checklist: dotnet list package --vulnerable + CI fail-on-high, test suite + smoke (auth, checkout, background jobs), container pin mcr.microsoft.com/dotnet/aspnet:10.0, and if AI is embedded — rate limits, cache, graceful degradation.