Updating neos to stay secure

I see mention of various version updates, and even security patches. I'd like to keep my installation secure… Is there a tutorial somewhere explaining how to keep Neos patched? TIA…

Hey Michael,

the upgrade process is basically a simple composer update followed by flushing caches for bugfix releases (and most minors). We follow SemVer, so applying bugfix releases should be safe in most cases. But of course we are not completely safe from accidental regressions (as the previous bugfix release of Flow 4.3.18-5.3.3 showed). In those cases you can safely go back to the previous bugfix release version by pinning the composer dependency, until a fix for the regression is provided (e.g. Flow 4.3.19-5.3.4).

Also, each release (minor/major) that requires changes to code or database schema contains migrations (as far as possible), so you should execute those (./flow flow:core:migrate and ./flow doctrine:migrate).

However, there is also a detailed instruction manual for all minor and major version updates to date, containing descriptions of the most important breaking changes:

Our recommendation with regard to update policy is that you should follow updates one minor version after another, optimally as regularly as possible. No single upgrade will ever mean you lose support lifetime, as per our release policy, as opposed to some other projects where going from one LTS release to the next version could mean you run out of bugfix/security support earlier.

Under some circumstances, it might be plausible to go directly to the next higher major version, skipping minor upgrades (since the migrations of skipped minors will still be applied). Be aware, though, that this potentially means you have more things to adjust manually in your code base at once.

Hope this helps :)

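The upgrade steps described in the reply above (composer update, code and schema migrations when the release is not a pure bugfix, cache flush, and pinning a package to roll back a bad bugfix release), wrapped in a small POSIX shell script. This is an added example, not code from the Neos project or from the poster. It assumes a Neos distribution checkout with composer.json, composer.lock and the ./flow CLI in the current directory; the package names and version numbers in the constructed sample lock file are illustrative only.

```shell
#!/bin/sh
# Added example (not Neos project code): wrapper around the upgrade steps from
# the forum reply. Assumes it is run from the distribution root where ./flow
# and composer.lock live. Package names and versions below are assumptions.
set -eu

# Classify a version change by its SemVer component: "patch", "minor" or "major".
# Under SemVer only a "patch" step should need no code/schema migrations.
upgrade_kind() {
  old=$1; new=$2
  o_major=${old%%.*}; o_rest=${old#*.}; o_minor=${o_rest%%.*}
  n_major=${new%%.*}; n_rest=${new#*.}; n_minor=${n_rest%%.*}
  if [ "$o_major" != "$n_major" ]; then echo major
  elif [ "$o_minor" != "$n_minor" ]; then echo minor
  else echo patch
  fi
}

# Read the installed version of a package from a composer.lock file.
# $1 = path to composer.lock, $2 = package name (e.g. neos/flow).
installed_version() {
  awk -v pkg="$2" '
    $1 == "\"name\":"  { inpkg = ($2 == "\"" pkg "\",") }
    inpkg && $1 == "\"version\":" {
      sub(/^"v?/, "", $2); sub(/",?$/, "", $2); print $2; exit
    }
  ' "$1"
}

# Constructed sample composer.lock (illustrative content, not a real lock file);
# prints the path of a temp file so the parser can be exercised offline.
sample_lock() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
{
    "packages": [
        {
            "name": "neos/flow",
            "version": "4.3.18",
            "source": {"type": "git"}
        },
        {
            "name": "vendor/site",
            "version": "v1.0.0"
        }
    ]
}
EOF
  echo "$f"
}

# Full upgrade: composer update, migrations if more than a bugfix step, flush caches.
upgrade() {
  pkg=$1; lock=${2:-composer.lock}
  before=$(installed_version "$lock" "$pkg")
  composer update --no-interaction
  after=$(installed_version "$lock" "$pkg")
  kind=$(upgrade_kind "$before" "$after")
  echo "$pkg: $before -> $after ($kind)"
  if [ "$kind" != patch ]; then
    ./flow flow:core:migrate   # code migrations shipped with the release
    ./flow doctrine:migrate    # database schema migrations
  fi
  ./flow flow:cache:flush
}

# Roll back to a known-good bugfix release by pinning the exact version in
# composer.json, e.g.: rollback neos/flow 4.3.17 (version is a placeholder).
rollback() {
  composer require --no-interaction "$1:$2"
  ./flow flow:cache:flush
}

# Only act when invoked with a subcommand; sourcing the file defines functions only.
case "${1:-}" in
  upgrade)  upgrade "${2:?package name required}" ;;
  rollback) rollback "${2:?package name required}" "${3:?version required}" ;;
esac
```

Run `sh upgrade.sh upgrade neos/flow` from the distribution root to update and migrate, or `sh upgrade.sh rollback neos/flow <version>` to pin a previous bugfix release until the regression is fixed; remove the pin from composer.json again once the fixed release is out.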

On a (CentOS) machine where Composer was only added to install Neos, where does Composer live? When I try to run it from my home folder it says 'command not found'…


Please create a new thread instead of hijacking old (dead) threads.

Composer is something you install yourself on the server, if it does not come with the distribution.

