At the end of 2025, Adobe announced a significant change to how they deliver security patches for Magento and Adobe Commerce. Instead of the traditional quarterly patch releases (-p releases) via Composer, we’re now moving to monthly isolated patches with only one annual patch release.
On the surface, more frequent patches sound great for security. But in practice, I think this creates a massive maintenance burden for a large portion of the community - especially agencies and teams maintaining multiple sites. And unfortunately, the cost is likely to get passed on to merchants.
What I would have preferred
My preference would have been to see more frequent Composer releases: monthly -p releases, along with Adobe officially promoting and endorsing automated tooling like Dependabot or Renovate, maybe even with a sample Dependabot/Renovate config.
This approach would be:
- simpler to maintain for most consumers
- more aligned with industry standards for patch/update delivery
- easier to integrate into existing workflows
I suspect the adoption of automated update tools is significantly higher than that of bulk patching infrastructure. So leaning into what teams already have makes more sense.
Building on existing solutions
Last year I wrote about patching Composer projects at scale, using a Composer meta-package and Ansible. It works well for internal and private use cases, but it got me thinking.
If this pattern works internally, wouldn’t a community-maintained, open-source version of this be beneficial for everyone?
It would:
- reduce the maintenance cost for merchants
- improve Magento’s overall security posture
- be a net positive for the ecosystem
Introducing the Security Patches Meta-Package
So I built exactly that: m2-meta-security-patches.
It’s a Composer meta-package that automatically applies all critical and isolated security patches released by Adobe. The key features:
- Automatic version constraints - patches only apply to the correct Magento package versions
- Zero maintenance burden - just add the package and keep it updated
- Dependabot/Renovate compatible - works seamlessly with automated dependency tools
- Backwards compatible - tested all the way back to Magento 2.4.2
- CI-tested - automated test suite ensures compatibility
How it works
Simply add the meta-package to your project:
composer require samjuk/m2-meta-security-patches:">=2026.02.01"
From there, the package handles everything. Each patch includes appropriate constraints so they only apply where needed. You don’t need to worry about which patches are relevant for your version - it’s handled automatically.
Pair it with Dependabot or Renovate, and your store will automatically get pull requests for new patches as they’re released. Your CI runs, tests pass, merge, deploy. Done.
You’re back to having a solid, secure patching workflow without the manual overhead.
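To make the "automatic version constraints" idea concrete, here is an added example (my illustration, not code from the m2-meta-security-patches package, whose internal layout may differ): a dry-run checker that reads a constructed composer.lock excerpt and a hypothetical patch manifest, evaluates each patch's Composer-style version constraint against the installed package version, and reports which patches would be applied and which skipped. The manifest format, patch ids and package versions are all invented for the demonstration; the constraint grammar covers `>=`, `>`, `<=`, `<`, `==`, `!=`, `^`, `~`, `*`, space/comma AND and `||` OR, and the only version suffix it understands is Magento's `-pN` patch-release suffix.

```python
"""Dry-run check of version-constrained security patches against a composer.lock.

Added illustration, not code from the m2-meta-security-patches project. The
manifest format is hypothetical: it exists only to show how a patch carrying a
Composer-style version constraint is applied solely to the package versions it
targets, so a patch for one module version is never pushed onto another.
"""
import json
import re

# Constructed composer.lock excerpt: only the fields this check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/module-catalog", "version": "104.0.5"},
    {"name": "magento/module-customer", "version": "103.0.7"},
    {"name": "magento/framework", "version": "103.0.6"},
]})

# Hypothetical manifest: patch id -> target package and the versions it applies to.
SAMPLE_MANIFEST = {
    "PATCH-A": {"package": "magento/module-catalog", "version": ">=104.0.0 <104.0.6"},
    "PATCH-B": {"package": "magento/module-catalog", "version": ">=104.0.6"},
    "PATCH-C": {"package": "magento/module-customer", "version": "~103.0.5"},
    "PATCH-D": {"package": "magento/module-sales", "version": "*"},
    "PATCH-E": {"package": "magento/framework", "version": "^102.0 || ^103.0"},
}

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-p(\d+))?")
_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'104.0.5' -> (104, 0, 5, 0); '2.4.7-p3' -> (2, 4, 7, 3).
    The -pN suffix sorts above the bare version, as Composer orders it.
    Other stability suffixes (beta, RC, ...) are rejected rather than guessed."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad 2.4 -> 2.4.0
    return tuple(parts[:3]) + (int(m.group(2) or 0),)


def _upper_bound(raw, op):
    """Exclusive upper bound for '^' and '~' constraints (Composer semantics)."""
    parts = [int(p) for p in raw.split(".")]
    if op == "^":
        idx = 0 if parts[0] > 0 else 1      # ^0.x stays within the minor version
    else:
        idx = max(len(parts) - 2, 0)        # ~1.2.3 -> <1.3.0, ~1.2 -> <2.0
    parts = (parts + [0] * (3 - len(parts)))[:3]
    bumped = parts[:idx] + [parts[idx] + 1] + [0] * (3 - idx - 1)
    return tuple(bumped) + (0,)


def _matches_term(version, term):
    m = re.fullmatch(r"(>=|<=|!=|==|>|<|=|\^|~)?(v?\d[\d.]*(?:-p\d+)?)", term)
    if not m:
        raise ValueError(f"unsupported constraint: {term!r}")
    op = "==" if m.group(1) in (None, "=") else m.group(1)
    target = parse_version(m.group(2))
    if op in ("^", "~"):
        base = m.group(2).lstrip("v").split("-")[0]
        return target <= version < _upper_bound(base, op)
    return _OPS[op](version, target)


def satisfies(version_text, constraint):
    """True if version_text falls inside a Composer-style constraint string."""
    version = parse_version(version_text)
    for alternative in constraint.split("||"):
        terms = [t for t in re.split(r"[\s,]+", alternative.strip()) if t]
        if terms == ["*"] or not terms:     # wildcard: applies to every version
            return True
        if all(_matches_term(version, t) for t in terms):
            return True
    return False


def applicable_patches(lock_json, manifest):
    """Map patch id -> (applies, reason) for the packages pinned in lock_json."""
    installed = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]}
    report = {}
    for patch_id, spec in manifest.items():
        current = installed.get(spec["package"])
        if current is None:
            report[patch_id] = (False, f"{spec['package']} is not installed")
        elif satisfies(current, spec["version"]):
            report[patch_id] = (True, f"{spec['package']} {current} matches {spec['version']}")
        else:
            report[patch_id] = (False, f"{spec['package']} {current} outside {spec['version']}")
    return report


if __name__ == "__main__":
    for pid, (applies, reason) in applicable_patches(SAMPLE_LOCK, SAMPLE_MANIFEST).items():
        print(f"{'APPLY' if applies else 'SKIP '} {pid}: {reason}")
```

Run against a real project by replacing SAMPLE_LOCK with the contents of your composer.lock; the useful property to notice is that PATCH-A and PATCH-B target the same module but different version ranges, so exactly one of them applies to any given install, which is what lets a single meta-package be safe to require across every supported Magento version.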
The bigger picture
I genuinely believe this type of community-driven solution can help offset some of the friction Adobe’s new patch strategy introduces.
It won’t solve every problem, but for teams maintaining multiple sites, having a centralized, tested, and automated approach to isolated patches can save significant time and reduce risk.
The package is open source, contributions are welcome, and I’m hoping it can help ease the transition for agencies and merchants dealing with this shift.
Maybe we will see this approach picked up by Adobe/MageOS or a T1 Agency in the future, allowing for even broader adoption and letting it become a standard part of the Magento ecosystem.
Just a note: This is an initial release outside of my personal opinionated use case, so there may be some rough edges / oversights. And I fully welcome feedback, issues, and contributions to improve it further.
Check it out: github.com/SamJUK/m2-meta-security-patches