We have previously reported on the Magento 1 end of life, and the end of life of Magento 2.0, 2.1, and 2.2. Now, as we approach the end of life of Magento 2.3, it’s time to take a look at what’s happening, when, and how your business should prepare.
Looking back in time, Magento 2.3 was initially released in November of 2018 and was expected to receive support until the end of 2021. At first, that support window was extended to April 2022. Then, in January of 2022, Adobe announced another extension, providing support for Magento 2.3 until September 8th, 2022.
Adobe has stated that this latest extension is intended to allow merchants to upgrade directly from 2.3.x to Magento 2.4.4, which was scheduled to be released in March of 2022, but has since been delayed until April 12th, 2022.
In order to keep Magento 2.3 secure during the extended support window, Adobe has added to its security patching schedule. They now expect to release both a 2.3.7-p4 and a 2.4.3-p3 patch in August of 2022.
Why isn’t Adobe continuing to support this version of Magento?
Magento 2.3 has dependencies like PHP 7, which are also approaching end of life. In fact, PHP 7.4 will no longer be actively supported in 2022, and will only receive security updates through November of 2022. That means PHP 7 will receive no further quality improvements or bug fixes during that time. Sites using end-of-life software are no longer PCI compliant. As we’ve discussed in previous blog articles, running insecure software in your Magento hosting environment is a major risk for your business, employees, and customers.
What’s Different in Magento 2.4?
If you’d like to get a look at what was added in versions of Magento 2.4, we’ve shared highlights after each release, including:
… but if you want a quick summary, here are some of the most important additions:
Magento 2.4 is built to leverage newer versions of PHP, Elasticsearch, MySQL, MariaDB, Redis, Composer, and so forth. In Magento 2.4.3, Page Builder was finally made available for Open Source users. In general, there have been updates, additions, and improvements related to everything from GraphQL to reCAPTCHA and Two-Factor Authentication. While these updates are mainly iterative, Magento 2.4 is better equipped to handle a variety of scenarios, such as large product catalogs and headless commerce integrations.
Is Upgrading from Magento 2.3.x to 2.4.x a minor upgrade?
While it’s not as cumbersome as upgrading from Magento 1 to Magento 2, it is generally not a quick update. Since this new version of Magento is built to work with different versions of PHP, Redis, Varnish, and MySQL, we highly recommend that JetRails clients coordinate with our team to provide a staging environment that’s specifically tuned for M2.4 before attempting the upgrade.
When should we expect Magento 2.5?
You should not expect it anytime soon. In fact, the Adobe team has suggested that, since 2.4 is quite stable, they plan to keep iterating with it rather than pushing out major version upgrades for the foreseeable future. While multiple updates for Magento 2.4 are scheduled for release in 2022, there is no plan to release Magento 2.5 this year.
While the concept of planned obsolescence is common in the tech world, the Adobe team is going in a different direction. They’ve consistently heard from the community that site owners want to be able to operate with less maintenance work and less to debug. In response, they’ve been slimming Magento’s core by removing vendor-bundled extensions (i.e., core bundled extensions), like payment gateways, sales tax management solutions, and digital marketing suites. Rather than carry excess code, website owners can simply choose the integrations that they want from the Magento Marketplace and install them.
This continued focus on optimizing the current platform is expected to minimize maintenance costs while providing more predictability for merchants.
Can you stay PCI Compliant on Magento 2.3.x?
While you should discuss this with your PCI security assessor, the short answer is “No”, not once it’s deprecated by the Adobe team. PCI rules require that you “Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
With no vendor providing patches for Magento 2.3.x, you wouldn’t be able to meet this standard. There won’t be a vendor tracking vulnerabilities and providing you with patches to install.
If you need a dev server to work on upgrading to Magento 2.4, our team is here to help. Similarly, if you need development work, we partner with the best Magento agencies in the world and would be happy to help you find the development team that’s right for you.