DEV Community

Cover image for Magento Security-only Patch Releases
Rafael Corrêa Gomes
Rafael Corrêa Gomes

Posted on • Edited on • Originally published at blog.rafaelcg.com

Magento Security-only Patch Releases

With just under 50% of digital merchants reporting some kind of security breach, and online fraud growing at a faster rate than online sales, security is more important now than ever before. Gartner reports that by 2020 companies that are digitally trustworthy will generate 20% more online sales than those that are not.

Magento's model for delivering open and customizable software introduces a particular challenge. ZDNet found that 83.1% of Magento Commerce and Magento Open-source sites that reported hacks were running on outdated versions. While we emphasize security in every release, it is imperative that merchants keep their stores current to leverage those enhancements.

Now you have the option to take a lighter security-only patch release when you need to, which lets you remain secure for as long as six months before picking up a full release.

Security patches use the Composer naming convention 2.3.3-px. Use Composer to specify a patch. For example, to download the Magento Commerce 2.3.2-p1 meta-package you can use:

composer require magento/product-community-edition=2.3.3-p1
Enter fullscreen mode Exit fullscreen mode

Magento security-only patch release

Here are a few examples to help illustrate your options:

Example 1 – A full upgrade:

In Q3’19, you upgrade your 2.3.2 instance to 2.3.3.
In Q1’20, you can upgrade your 2.3.3 instance to 2.3.4.

Example 2 – Security now, full service later:

In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
In Q1’20, you can upgrade your 2.3.2-p1 instance to 2.3.4.

Example 3 – Security now, then the functional change you really need:

In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
Between Q3’19 and Q1’20, you upgrade your 2.3.2-p1 instance to 2.3.3 to get access to the quality updates.
In Q1’20, you upgrade your 2.3.3. instance to either 2.3.4 or 2.3.3-p1, depending on the complexity of the upgrade you want to take on.*

Example 4 – Security-only update to security-only update:

In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
In Q1’20, you can upgrade your 2.3.2-p1 instance to 2.3.3-p1.**

What do you think of this update? I liked the new way to keep my clients with the last security updates until be able to upgrade to the last Magento version including all the new features, let me know your thoughts in the comments below.

References:

Introducing the New Security-only Patch Release

Devdocs: Upgrade to a security-only patch release

Top comments (0)