This shouldn't come as a surprise to anyone who's been paying attention, but we want to be clear about it: as of this month, we are no longer providing security patches or releases for Concrete CMS version 8.
For the first time, our latest v9 security release was not ported back to v8. That line in the sand we've been talking about for a while? We've crossed it.
This Has Been a Long Time Coming
We've been signaling this for years. Here's a few links:
- May 3, 2022 - Security Support for Concrete CMS 8.5.x continues through end of 2022
- July 5, 2022 - Upgrade to Concrete v9 and PHP 8+ before November
- August 19, 2022 - Security support for Concrete v8.x
- November 15, 2022 - How to keep your Concrete v8.x site safe after Nov 28th!
- October 24, 2023 - Concrete Versioning and Support Updates
- May 6, 2024 - Version 8 extensions to be removed from the marketplace
Throughout that period, we continued porting security fixes to v8 even after we'd technically said we would stop. We wanted to give people as much runway as possible. But maintaining two major version lines indefinitely isn't realistic for a team our size, and every hour spent backporting patches to v8 is an hour not spent making v9 (and what comes next) better.
What This Means for You
If you're already on v9: Nothing changes. You're on the supported line and you'll continue receiving security updates and new features.
If you're still on v8: Your site will keep working. Nothing breaks overnight.You will no longer receive security patches from us, which means your exposure to vulnerabilities will grow over time. We strongly recommend planning your upgrade to v9.
The v9 upgrade path is well-documented, and if you're on our SaaS hosting, we can help make the transition smoother. If you need hands-on migration assistance, reach out to us. If we can't help ourselves, we can help you find a partner who will match your budget and timeline for sure.
Why Not Just Keep Backporting?
Fair question. The short answer is that it's unsustainable. Every security fix requires separate testing, separate QA, and separate release engineering for each major version we support. v8 and v9 have real architectural differences — these aren't trivial cherry-picks.
We kept it going longer than we originally planned because we know how many sites are still running v8 and we didn't want to leave anyone exposed. But at a certain point, continued v8 support actively slows down our ability to move Concrete forward, and that's not good for anyone.
What's Next
Our full focus is on the v9 line and beyond. Monthly releases continue as always. If you've been putting off the upgrade, now's the time.
If you have questions, hit us up in the forums or reach out to PortlandLabs directly.