As an agency supporting many customers on Magento 2, it’s paramount that we have a solid, scalable solution to keep customers up-to-date with the latest security patches.
What Magento Recommend
Magento have a documented process, ‘Creating a patch for a Magento 2 Composer installation from a GitHub commit’, which works great for single-module patches. We hit some issues trying to adopt the official Magento 2 patches, e.g. PRODSECBUG-2198: this patch spans multiple core Magento modules, so the process fails.
Bridging the gap to automation
We have produced a Magento module incorporating a patch library for Magento 2, which solves this problem by breaking all patches into module-specific sub-patches, and added a command-line interface so that all core Magento 2 patches can easily be configured and applied. The CLI will also determine which version of the patch needs applying and report all available patches applicable to your version.
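The splitting step described above, sketched as an added example (not the module's own code). It assumes the patch uses git-checkout paths of the form app/code/Magento/<Module>/ and that each module maps to a Composer package named magento/module-<kebab-case-name>; SAMPLE_PATCH is constructed, and split_patch and composer_package are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed two-module patch for illustration; not a real Magento patch.
SAMPLE_PATCH = """\
diff --git a/app/code/Magento/Catalog/Model/Product.php b/app/code/Magento/Catalog/Model/Product.php
--- a/app/code/Magento/Catalog/Model/Product.php
+++ b/app/code/Magento/Catalog/Model/Product.php
@@ -1,2 +1,2 @@
 <?php
-$limit = 10;
+$limit = 20;
diff --git a/app/code/Magento/CatalogInventory/Model/Stock.php b/app/code/Magento/CatalogInventory/Model/Stock.php
--- a/app/code/Magento/CatalogInventory/Model/Stock.php
+++ b/app/code/Magento/CatalogInventory/Model/Stock.php
@@ -1,2 +1,2 @@
 <?php
-$qty = 0;
+$qty = 1;
"""

# Assumption: the patch uses git-checkout paths, app/code/Magento/<Module>/...
MODULE_PATH = re.compile(r"(?<=[ab]/)app/code/Magento/(\w+)/")

def composer_package(module):
    """Assumed naming rule: CatalogInventory -> magento/module-catalog-inventory."""
    return "magento/module-" + re.sub(r"(?<!^)(?=[A-Z])", "-", module).lower()

def split_patch(patch_text):
    """Map each Composer package to a sub-patch with paths relative to its root."""
    parts = defaultdict(list)
    package, in_header = None, False
    for line in patch_text.splitlines(keepends=True):
        if line.startswith("diff --git "):
            match = MODULE_PATH.search(line)
            if match is None:  # e.g. lib/ or pub/ files: needs a different target
                raise ValueError("not under app/code/Magento: " + line.strip())
            package, in_header = composer_package(match.group(1)), True
        elif line.startswith("@@"):
            in_header = False  # hunk body starts; never rewrite patched content
        if package is None:
            continue  # preamble before the first file diff
        parts[package].append(MODULE_PATH.sub("", line) if in_header else line)
    return {pkg: "".join(lines) for pkg, lines in parts.items()}

if __name__ == "__main__":
    for pkg, sub in split_patch(SAMPLE_PATCH).items():
        print(f"### {pkg}\n{sub}")
```

Each resulting sub-patch touches a single package, which is the shape the single-module process expects; a file outside app/code/Magento raises an error instead of being silently dropped from the security fix.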
If you would like to see an example of the latest PRODSECBUG-2198 patch and how it can easily be applied, please check out the doc on our Magento 2 Patches Module.
We plan to freely maintain this and keep it available as Open Source, so if you have suggestions or feedback please reach out.
Simplify process – lower your costs!
We took this one step further and incorporated this ability into MDOQ, allowing customers to patch their own stores. MDOQ de-skills many Dev-centric tasks so that platform maintenance and support can be achieved far more cheaply than the typical agency fees. Applying Magento patches is just one task of many which no longer need developer input thanks to MDOQ.