Determining what browser versions to block

When setting this module up, I arbitrarily chose the first releases of 2020 to be the oldest version to block. This wasn't based on any data other than I frequently saw these listed versions in the access logs for sites getting hit by bots. I initially started with Chrome 80, and that's around when it came out. So I applied that to the remaining browsers. But I'd like to get a better idea of what browser versions are likely being used by bots Versus real people.

I very unscientifically polled my family (who aren't exactly technophiles), and generally they seem to be using either Chrome or Edge, and either versions 137, or 135 (one lagger). This isn't surprising in this age of automatic updates.

Now I'm looking at a period of data from a site that was getting hammered by bots. The logs are from the previous 8 months (ending June 10th, 2025), but the bot traffic jumped tremendously over the last couple. I parsed this data via goaccess, and exported a CSV report. I then had ChatGPT separate out the major version groups for me, and this was the result (side note, I know traffic was greater than this, more in the 600k views range, so this may be counting sessions, not requests, which makes sense).

The version of Chrome that was out at the start of this data was 129, and that makes up about 3.42% of the total number of Chrome specific requests. So that makes sense. 131 has a disproportionate showing, but that was available for over double the amount of time until the subsequent release, so that may explain it. Also as expected, the latest two versions of Chrome also have a large representation - albeit should it in relation to versions whose lifetimes were also encompassed in the report?

No doubt a large number of bots causing the recent problems, were set up recently, using recent versions of browsers. But still, if I add up all the traffic from all previous versions of Chrome, two releases before the start of the log data, it's 60% of the total Chrome traffic overall. Other notable mentions are Chrome 58 (2.53% - released April 2017), 80 (4.14% - released Feb 2020 - Also what I pick randomly before, as I was seeing this appear in the logs a disproportionate amount).

The more I think about this, the more I see the issue of updating versions to block as an issue. Maybe the configuration should be "X number of versions behind current" to block? But then we would need to make frequent releases to update the version tracked in the module, which I don't really want to do. Otherwise we would need to programmatically determine the latest version of every browser, based on some API, which seems possible, but I'm also hesitant to build a dependency on an external service like this in general.