We are reducing the frequency of core Commerce application upgrades in 2022 and will be providing two full patches and several security patches for versions still under Adobe Commerce Support throughout the year. See our new release calendar for timing details.
We are also reducing complexity of upgrades and accelerating innovation by narrowing the focus of full patch releases to include only security, compliance, performance, and high priority bugs. New features will continue to be released as independent services, allowing Merchants to adopt features and innovate faster; Live Search, Product Recommendations, and Amazon Sales Channel are all examples of existing independent services that enabled us to reduce complexity in the core Commerce application. Community contributions and lower priority issues will be released through the Quality Patches Tool, providing faster time to market and letting merchants choose the updates that are important to them.
We will be moving our end of support (EOS) dates to align closely with those of PHP, the third-party scripting language that Adobe Commerce is built on. Whenever a PHP version reaches its end of life (EOL), Adobe must update our code to maintain PCI compliance. Aligning our EOS dates to PHP EOL dates will help reduce the frequency and impact of PHP version changes and make it even simpler for merchants to follow the most effective path for staying current.
Reducing the frequency and complexity of patch releases means customers can reduce the time, resources, and development dollars they spend on upgrades. In addition, as we continue to release features as independent services, customers will be able to adopt these features faster, accelerating their time to innovation. To learn more about the benefits of our simplified upgrade process, visit our recent release strategy blog post.
To streamline upgrades, we will be delivering three types of releases throughout 2022.
Quality patches are a way to distribute fixes for individual quality issues outside of patch releases (like 2.4.4). Customers can easily search for and apply a specific fix appropriate for their version without contacting Support or waiting for a release. Both Adobe and the Commerce community can contribute Quality patches. Fixes provided by the community are reviewed by Maintainers before they are made available to customers. This dev blog post details this community contribution program.
Release dates can be found in our 2022 release calendar. There will be two patch releases, several security patch releases for versions still under support, and six feature releases throughout the year.
Yes, both Adobe Commerce and Magento Open Source merchants will follow the same release process and schedule.
Adobe Commerce will continue to provide security patch releases for versions still under support. To stay up to date on the latest security fixes, merchants must take the latest patch or security patch release. For example, when Adobe Commerce 2.4.5 is released in August 2022, merchants must either adopt 2.4.5 or 2.4.4-p1 (also released in August 2022) to adopt the latest security fixes. The security fixes will not be backported to previous patch releases of the 2.4 release line (e.g., 2.4.0-2.4.4). Merchants who fall behind on upgrades are at risk and have more exposure to security vulnerabilities.
Merchants will be able to receive quality fixes until their version reaches End of Support. Merchants can access quality fixes through the Adobe Commerce Quality Patch Tool or by contacting the Support team.
Most extensions will need to be updated to work with 2.4.4 or higher, given that it is based on a new version of PHP and there will be backward incompatible changes. We are taking proactive measures to ensure our Marketplace extensions stay up to date with each Commerce release.
Merchants can use a set of resources to help plan, budget, and complete upgrades like the comprehensive 2.4 Upgrade Guide and the Upgrade Compatibility Tool. The tool has now over 400 downloads, more than 2,000 executions, and +80 active users on the community slack channel (#upgrade-compatibility-tool).
A 2.4 Technical Upgrade Workshop will be held on January 26, 8am PST for customers and a recording will be available on demand under the Tutorials section of Experience League shortly after the event.
Managed Services customers can work with our Customer Engineering team for assistance with several components of the upgrade process, including analysis, upgrading cloud services, quality and user acceptance testing (QA and UAT), and production launch.
We understand that it takes time to upgrade, and we are here to support you on your path to 2.4.4. We are shifting the 2.3 line End of Support date from April 28, 2022, to September 8, 2022, to provide you with additional time to prepare for and execute your upgrade to 2.4.4.
We still encourage you to upgrade to 2.4.4 at your earliest convenience to help ensure PCI compliance and to gain access to new features that enable business growth. Being on a version with third-party technologies that are no longer supported (i.e., versions 2.3.6 and lower are based on PHP versions that have reached end of life) puts you at risk of security vulnerabilities. Review our lifecycle policy for more information on our EOS schedule and terms.
If making the move to 2.4.4 is not feasible within this timeframe, we recommend that you upgrade first to 2.3.7 by September 8, which will be a lower-level effort. We will be offering a paid extended support option for 2.3.7 for an additional year (Sept 2022 – Sept 2023) so that you can prepare for your next upgrade to 2.4.4 or higher. More details will be announced in March.
We have updated our lifecycle policy so that our version end of support dates are now aligned with PHP end of life dates. While this change is ultimately beneficial and extends the amount of time between versions that cause breaking changes, we recognize that it means a shorter support window for some customers.
We will be offering a paid extended support offering that will keep your version supported for an additional year (Nov 2022 – Nov 2023) so that you have additional time to prepare for your next upgrade. More details will be announced in March.
We recognize that you recently upgraded to or are in the process of upgrading to 2.4.3, and planning your next upgrade immediately may not be feasible. As your partner in your digital commerce journey, we will be offering a paid extended support offering that will keep your version supported for an additional year (Nov 2022 – Nov 2023) so that you have additional time to prepare for your next upgrade. More details will be announced in March.
Adobe offers a paid extended support option for Adobe Commerce versions based on PHP 7.4 (customers on Adobe Commerce 2.3.7 and or 2.4.0-2.4.3) that includes both quality and security fixes for the core application and PHP 7.4 for up to one year. This gives merchants more time to be supported as they plan and execute their upgrade to 2.4.4 or higher.
Extended support for 2.3.7 starts after 2.3 reaches End Of Support (EOS) on September 9, 2022, and can be received until September 8, 2023. Extended support for 2.4.0-2.4.3 starts after EOS on November 29, 2022, and can be received until November 28, 2023.
While extended support does include support for PHP 7.4, it is important to note that merchants may need to take additional measures to stay PCI-compliant. Adobe cannot provide support for all third-party technologies our software uses that may reach the end of life while you are on extended support. Adobe recommends that merchants work with a PCI assessor to ensure compliance.
Under extended support, security patches and hotfixes will be made available for the latest security-only patch versions only, which are: 2.3.7-p4, 2.4.0-p1, 2.4.1-p1, 2.4.2-p2, 2.4.3-p3.
For example, if you are currently on 2.4.3-p1, you must do a light upgrade to 2.4.3-p3 first in order to apply an extended support security patch or hotfix.
Payment Card Industry (PCI) compliance is a set of industry standards that all businesses that process credit card information need to follow to maintain a secure environment for their customers. Companies must keep their commerce platform and all technological dependencies up to date in order to remain PCI compliant.
While a customer is under extended support, our Customer Engineering team will continue to provide the same quality and security fixes as usual, without any scope degradations. However, customers will need to take additional measures to remain PCI compliant due to underlying platform technologies reaching end of life.
Please refer to Adobe Commerce System Requirements for a full list of tested and supported third-party technologies.
Running an unsupported version of a third-party technology may impact PCI compliance because any security vulnerability discovered will not be patched by the third party. Adobe recommends that merchants either upgrade to the latest Adobe Commerce version as soon as possible to become PCI-compliant or work with a PCI assessor to ensure compliance.
Quality fixes: You may contact the Adobe Support team for quality issues.
Security fixes: During the extended support period, Adobe Commerce will release security hotfixes on a quarterly basis for versions covered by the extended support plan. We will alert extended support customers via email when these hotfixes are available, but you may also check for and download hotfixes in your Adobe Commerce My Account section in the Marketplace portal. Outside of these releases, you may also contact the Adobe Support team for security issues.
PHP 7.4 fixes: For On-Premise customers, PHP 7.4 fixes will be delivered as downloads available in your Adobe Commerce My Account section at https://account.magento.com/customer/account/. This section will also include relevant installation and release notes. For Cloud customers, these updates will be made available automatically in your cloud instance, and you will be alerted of the update via email.
Adobe will support PHP v7.4 on Debian v9 including supporting all PECL extensions available in Adobe Commerce today. Adobe will provide regular security updates to the PHP 7.4 release through the following process:
Adobe will monitor all upstream (e.g. 8.1) releases of PHP and any security issues that are identified in those will be tested to see whether there are vulnerabilities exposed in version 7.4. If there are, Adobe will create a backport fix for version 7.4 and deliver to customers.
Adobe will also monitor all CVE that are applicable to PHP 7.4 itself. Those will also be fixed with the same level of scrutiny and testing and delivered to customers.