samjuk / m2-meta-security-patches
Composer meta-package that applies critical and isolated security patches for Magento 2 / Adobe Commerce, released by Adobe
Package info
github.com/SamJUK/m2-meta-security-patches
Language:Shell
pkg:composer/samjuk/m2-meta-security-patches
Requires
- vaimo/composer-patches: >5.0
This package is auto-updated.
Last update: 2026-07-16 08:45:25 UTC
README
This repository contains a Composer meta package for applying security patches to Magento 2 / Adobe Commerce installations. The package aggregates Adobe's isolated security patches and emergency out-of-band patches, protecting your store against known vulnerabilities and CVEs without manual patch hunting.
Scope: Community Edition (CE) only. EE/B2B is not currently supported — see Isolated Security Patches below.
The primary reason for using a meta package is to simplify the management and application of multiple security patches. Instead of applying each patch individually to each project, you can install this meta package, which will automatically include all the necessary patches.
Future updates can be handled automatically via Dependabot or Renovate, ensuring that your Magento 2 / Adobe Commerce installation stays up-to-date with the latest security fixes without the manual overhead and cost.
Requirements
- Magento 2.4.2+ (see test-matrix.json for full compatibility)
- PHP 7.4+ (version depends on Magento version)
- Composer 2.x
List of Included Security Patches
We break down the included security patches into a few groups:
Isolated Security Patches
These are the new approach to regular security updates provided by Adobe.
Isolated patches are non-cumulative and must be applied in sequence. Each monthly patch is built against, and will only apply to, the latest patch release of its line at the time it was issued (e.g. 2026-07-001 for the 2.4.8 line only applies to 2.4.8-p5, not p4 or earlier). If you're behind on patch levels, catch up first — the patch won't apply otherwise.
- 2026-07-001 (CE) - Adobe Commerce monthly isolated security release, July 2026. CE-only; EE/B2B variants not currently included in this package.
For detailed information on each patch, see the patches in src/patches/isolated/.
Emergency Security Patches
These patches address critical vulnerabilities out of band security issues that require immediate attention:
- CVE-2024-34102 - CosmicSting vulnerability affecting Magento 2.4.7 and earlier
- CVE-2025-54236 - Session security vulnerability
- APSB25-94 - Polyshell vulnerability affecting Magento 2.4.9-alpha2 and earlier
For detailed information on each patch, see the patches in src/patches/emergency/.
Installation
To install the meta package, use Composer by running the following command in your Magento 2 root directory:
composer require samjuk/m2-meta-security-patches:">=2026.02.01"
The patches will be automatically applied during installation via vaimo/composer-patches.
Restrict patch sources (recommended)
By default, vaimo/composer-patches allows any dependency to declare patches, which is a supply chain risk — a compromised or malicious package could silently patch your codebase. Restrict patching to only this meta package:
composer config --json "extra.patcher" '{"sources":{"packages":["samjuk/m2-meta-security-patches"]}}'
This writes the following to your root composer.json (merge manually if extra.patcher already has other config, since the command above overwrites the whole key):
{
"extra": {
"patcher": {
"sources": {
"packages": ["samjuk/m2-meta-security-patches"]
}
}
}
}
Versioning
The versioning of this meta package follows date based versioning to indicate the release date of the included patches. For example, a version 2024.10.15 indicates that the package was released on October 15, 2024.
Development
To contribute to the development of this meta package:
- Clone the repository
- Make your changes in the
src/directory - Add or update patches in
src/patches/ - Update
src/composer.jsonwith patch configuration - Run tests locally with
sh tests/test.sh(requires Docker) - Submit a pull request
Testing
Automated Testing
Full E2E tests are run via GitHub Actions:
- On master/main commits: Tests run automatically on every push
- On pull requests: Add the
run-testslabel to trigger the test suite
The test suite validates the package installation across multiple Magento versions and PHP versions (see test-matrix.json for the complete matrix).
Local Testing
You can run the full test suite locally with Docker:
sh tests/test.sh
This will test the package installation across all supported Magento/PHP version combinations. Be aware, this can take a significant amount of disk space and time.
Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Ensure tests pass locally
- Submit a pull request