Adobe knows that security for your digital storefront is always top of mind and with just cause. As mentioned in our post “Secure Your Storefront With the Enhanced Magento Security Scan Tool,” the average cost of a data breach is $3.86 million, and 82% of eCommerce stores that had malware were running an unsupported version of the product. And, of course, that’s only the financial impact of a security incident, as negative publicity, frustrated customers, and more can seriously set back your business for months or even years.
With this in mind, in Q1 2021 we are instituting a new quarterly upgrade policy for merchants that are not yet on the latest Magento version (2.4) yet still on a supported version of Magento Commerce or Magento Open Source (currently 2.3). This new policy is intended to make implementation, planning, and security easier for Magento merchants, while providing your team with more options on how and when to upgrade your Magento site. The Magento lifecycle policy has been updated to reflect this policy change.
Overview of the New Software Lifecycle
Adobe’s new approach for Magento releases will continue to focus features, quality, and security updates into the current minor release, as of today, the 2.4 minor release. Going forward, other supported minor versions (as of now, 2.3) will split quality and security improvements into two distinct processes. Security will be deployed via the quarterly patch release as it has in the past, but select quality fixes will only be available via the new Magento Quality Patch tool. This will make the upgrade process faster and more flexible, allowing you to upgrade to the latest security patch, using the traditional quarterly release cadence, and having quality fixes important to you available via the new MQP process.
How Will this Work?
Under this updated policy, upon release of a new minor version like 2.5, the previous line (in this example, 2.4) will move to security-only updates. High impact quality issues that break core flows will be delivered to the previous line (2.4) through Magento Quality Patches (MQP). As is customary in our security-only line, hot fixes will be included in the quarterly release that are high impact and affect a large amount of merchants. Lower impact quality issues will not be made available on the previous supported line (2.4) and will only be addressed in the latest line (2.5) through our standard quarterly patch. Our recommended best practice is that merchants limit the use of MQP on the previous line to ensure an easier eventual migration to the most current version.
Why Is Adobe Making this Change?
The new policy is intended to create pathways for merchants to plan strategically for annual ecommerce development costs, while allowing them to maintain security and critical quality during these strategic cycles. It can also be utilized by those who prioritize security and are generally happy with the stability of the older supported line. Merchants may find it easier to plan and budget for these upgrades as they do not include new features and major changes to functionality.
When is this Taking Place?
Magento 2.3.6, slated for October 2020, will be the last quality + security line for 2.3.
After 2.3.6, the 2.3 line will move to security-only updates and critical quality fixes will be available via MQP. Our 2021 release calendar is up-to-date. Please do note that in Q2 we are incrementing the 2.3 line to 2.3.7 due to a mandatory compliance upgrade of PHP 7.4. Read more about that here. After Q2, the 2.3 line will move back to security only updates supporting PHP 7.4.
How Should Merchants Now Plan for Magento Releases?
Ultimately, all Merchants should still prioritize adopting the latest Magento line in a timely fashion. The new policy and MQP tool are not intended to replace the strategic upgrade plans for merchants; rather, they offer flexibility for merchants in planning their upgrade roadmap and a means to react quickly to security/quality issues without having to implement an entire upgrade.
More detailed information about this new policy can be found here.
As we approach the Q1 2020 release of Magento 2.4.2, when this policy will go into effect, we will continue to provide more detail on how our merchants can adapt and evaluate all options for staying secure with Magento.