Skip to content

Add supported versions for Magento 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15#358

Draft
rhoerr wants to merge 3 commits intomage-os:mainfrom
rhoerr:chore/magento-2.4.9-round
Draft

Add supported versions for Magento 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15#358
rhoerr wants to merge 3 commits intomage-os:mainfrom
rhoerr:chore/magento-2.4.9-round

Conversation

@rhoerr
Copy link
Copy Markdown
Contributor

@rhoerr rhoerr commented May 9, 2026
edited
Loading

Summary

Adds the May 2026 Magento Open Source release round to the supported-version CI matrix, plus a security bump for Composer.

  • Magento 2.4.9 (new minor line, new system requirements)
  • 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 (security patches inheriting services from prior patch in line)
  • Composer 2.9.3 → 2.9.7 across all entries (security)

Release date: 2026-05-12 (from Adobe's May 2026 patch round).

Draft until release day — values can be revised if Adobe ships GA notes that differ from beta1 specs.

Decisions and sources

2.4.9 system requirements

Sourced from Adobe's published 2.4.9-beta1 software-dependencies table (provided by maintainer):

Field Value Notes
php 8.4 Adobe lists 8.4 + 8.5; pinned to 8.4 to match existing convention of CI'ing the lowest supported version (e.g. 2.4.7 uses 8.3 even though 8.4 is supported).
composer 2.9.7 Adobe says 2.9.3+; pinned to 2.9.7 because composer 2.9.3 has a known security issue and the matrix is consumed as tools: composer:v${{ matrix.composer }} (setup-php requires an exact patch — a floating 2.9 constraint isn't supported).
mysql mariadb:11.4 Per existing convention, the mysql field is overloaded with the mariadb image when a release line uses MariaDB (matches 2.4.7 entries). No separate mariadb schema field exists.
opensearch opensearchproject/opensearch:3 Floating major tag, matching the format used by 2.4.8 entries (which pin a patch). Floating accepted per maintainer direction.
rabbitmq rabbitmq:4.1-management Direct from Adobe spec.
valkey valkey/valkey:8 First entry in the matrix to use Valkey instead of Redis. The schema already has first-class valkey support: build-services.ts reads both valkey and redis keys and prefers valkey when present. The redis field is omitted on 2.4.9 entries.
varnish varnish:7.7 Direct from Adobe spec.
nginx nginx:1.28 Direct from Adobe spec.
os ubuntu-latest Matches recent precedent for all entries.

EOL strategy

Entry EOL Rationale
2.4.6-p14 2026-05-12 Superseded by p15 on release day (skill rule).
2.4.6-p15 2026-08-11 Per maintainer direction: extend one quarter past the line's original 3-year window. Adobe's lifecycle docs don't publish explicit Open Source EOL dates, so this is a maintainer call.
>=2.4.6 <2.4.7 (composite) 2026-08-11 Updated to match p15's EOL — the line's effective end-of-support is being extended one quarter past the original 3-year window.
2.4.7-p9 2026-05-12 Superseded by p10.
2.4.7-p10 2027-04-09 Matches the 2.4.7 line's 3-year window from GA (2024-04-09).
2.4.8-p4 2026-05-12 Superseded by p5.
2.4.8-p5 2028-04-09 Matches the 2.4.8 line's 3-year window from GA (2025-04-08).
2.4.9 2029-05-12 Release date + 3 years (skill rule for new minor lines).

Composer 2.9.3 → 2.9.7

Pre-existing 2.9.3 references in mage-os/{individual,composite}.json and the magento-open-source/composite.json default/next entries were also bumped, since the security issue affects all of them. Bundled into this PR rather than a separate one because it's the same CVE class and same release window. Test fixture in get-usable.spec.ts updated for consistency.

Changes per file

  • magento-open-source/individual.json: bumped p14/p9/p4 EOL to 2026-05-12; added p15, p10, p5, and 2.4.9 entries.
  • magento-open-source/composite.json: extended >=2.4.6 <2.4.7 range EOL to 2026-08-11; added >=2.4.9 <2.4.10 range entry; updated bare default and :next entries to 2.4.9 services.
  • mage-os/individual.json and mage-os/composite.json: composer 2.9.3 → 2.9.7 (security only — no Mage-OS releases this round).
  • get-currently-supported.spec.ts: added test cases for 2026-05-11, 2026-05-12, 2026-08-12; updated 2027-04-09 and 2027-04-10 cases for new patch numbers.
  • get-usable.spec.ts: composer mock value 2.9.3 → 2.9.7.
  • dist/index.js: rebuilt.

Build & test results

> npm run build
  dist/index.js  495.9kb
  Done in 14ms

> npm test
Test Suites: 12 passed, 12 total
Tests:       110 passed, 110 total
Snapshots:   0 total
Time:        1.176 s

Test plan

  • npm run build succeeds (dist/index.js rebuilt)
  • npm test — all 110 tests pass
  • New test cases verify each version is supported as of release date 2026-05-12
  • Test case for 2026-08-12 verifies 2.4.6 line correctly drops off after p15 EOL
  • Pre-merge check on release day: verify Adobe 2.4.9 GA system-requirements page doesn't differ from beta1 spec values used here (PHP, composer, mariadb, opensearch, valkey, rabbitmq, varnish, nginx versions)

rhoerr and others added 3 commits May 9, 2026 14:22
@rhoerr @claude
chore(supported-version): add Magento 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4…
f899861 
….6-p15

Adds the May 2026 Magento Open Source release round. 2.4.9 introduces new
system requirements (PHP 8.4, Composer 2.9.3, MariaDB 11.4, OpenSearch 3,
RabbitMQ 4.1, Valkey 8, Varnish 7.7, nginx 1.28). Patches inherit services
from their prior patch in the same line.

- individual.json: add 2.4.6-p15, 2.4.7-p10, 2.4.8-p5, 2.4.9; bump p14/p9/p4
  EOL to 2026-05-12 (release date of new patches).
- composite.json: add >=2.4.9 <2.4.10 range; update bare default and :next
  entries to reflect 2.4.9 services.
- get-currently-supported.spec.ts: add cases for May 11, May 12 and Aug 12,
  2026; update 2027 cases for new patch numbers.
- dist/index.js: rebuilt.

Note: 2.4.6-p15 EOL set to 2026-08-11 per direction (extended one quarter
past the line's original 3-year window).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rhoerr @claude
chore(supported-version): bump composer 2.9.3 -> 2.9.7 (security)
4fdf01d 
Composer 2.9.3 has a known security vulnerability. Bump to 2.9.7 across
all version entries that referenced 2.9.3 (Mage-OS 1.x and 2.2.x lines,
the new Magento 2.4.9 entry, and the upcoming-release fields in the
magento-open-source composite default/next entries).

The composer field is consumed as `tools: composer:v\${{ matrix.composer }}`
by setup-php, which requires an exact patch version (a floating "2.9"
constraint is not supported by that tool spec).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rhoerr @claude
chore(supported-version): extend 2.4.6 line composite EOL to 2026-08-11
9ccef72 
Aligns the composite >=2.4.6 <2.4.7 range EOL with the new 2.4.6-p15
patch EOL (2026-08-11). Adobe is extending support for the 2.4.6 line
one quarter past its original 3-year window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rhoerr
Copy link
Copy Markdown
Contributor Author

rhoerr commented May 9, 2026

Generated via release skill with data from https://experienceleague.adobe.com/en/docs/commerce-operations/installation-guide/system-requirements ; inspected visually. New values should be validated upon the new versions' release on May 12th.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhoerr