Security Tip: Do You Have an Upgrade Plan?

[Tip #102] In less than 2 weeks, Laravel 10.x will no longer be supported, and PHP 8.1 has less than 12 months left! Do you have an upgrade plan?

💡
We're digging into the weaknesses identified in the updated Laravel Security Audits Top 10 list for 2024. This week we're looking at #3 Outdated & Vulnerable Dependencies!

What versions of PHP and Laravel are you running?

In less than 2 weeks, Laravel 10.x will no longer be supported!

In less than 12 months, PHP 8.1 will no longer be supported!

If you're using Laravel 10.x or PHP 8.1, or any older versions, do you have an upgrade plan? If not, stop reading and go make one now!

Now that you have your plan, schedule it in, and go make it happen!


I was tempted to leave the tip there, but I thought it would be useful to explain why it's so important, by talking about the release cycles that Laravel and PHP follow.

Both Laravel and PHP follow a fixed release cycle, although with different cadences. Immediately after a major version is released, bug (and security) fixes are provided for a fixed period of time, and after that only security fixes are provided for an additional period. From that point on, the version is no longer supported.

Bug fixes include fixing any discovered bugs and issues, refining recently released changes, etc., and, in the case of Laravel, adding new non-breaking features. This period also includes fixing any discovered security issues and weaknesses.

Security fixes include only fixes for discovered security issues and vulnerabilities within the codebase: issues that pose a risk to apps and can be fixed without breaking changes. These are usually backported or patched from changes in newer versions, and are focused purely on closing a vulnerability.

Any security issues discovered after security support ends are not fixed in unsupported versions. If your app is running an older version of PHP or Laravel that is no longer supported, and a vulnerability is discovered, your app will be vulnerable!

💡
It is very common for hackers to keep track of known vulnerabilities in old versions of languages and frameworks like Laravel and PHP, and to scan the internet looking for apps that are vulnerable. You'll often see this scanning traffic in your access logs, probing for signs of unpatched vulnerabilities.

Laravel provides bug fixes for 18 months, and security fixes for 2 years.

  • Laravel 10
    • Released on 14th February 2023
    • Bug fixes ended 6th August 2024
    • Security fixes until 4th February 2025 (less than 2 weeks away!)
  • Laravel 11
    • Released on 12th March 2024
    • Bug fixes until 3rd September 2025
    • Security fixes until 12th March 2026
  • Laravel 12
    • Sometime Q1 2025
    • Bug fixes until Q3 2026
    • Security fixes until Q1 2027

PHP provides bug fixes for 2 years, and security fixes for 4 years.

  • PHP 8.1
    • Released 25th November 2021
    • Bug fixes ended 25th November 2023
    • Security fixes until 31st December 2025
  • PHP 8.2
    • Released 8th December 2022
    • Bug fixes ended 31st December 2024
    • Security fixes until 31st December 2026
  • PHP 8.3
    • Released 23rd November 2023
    • Bug fixes until 31st December 2025
    • Security fixes until 31st December 2027
  • PHP 8.4
    • Released 21st November 2024
    • Bug fixes until 31st December 2026
    • Security fixes until 31st December 2028
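The two support tables above can be turned into a check you run in CI or on a server, so an app drifting into security-only or unsupported territory shows up before the date passes. This is an added example, not code from the tip or from Laravel; the composer.lock fragment and the PHP version string are constructed, and the dates are the ones listed above (Laravel 12 is left out because only quarters are known).

```python
import json
from datetime import date

# Support windows from the tip above, keyed by major (Laravel) or
# major.minor (PHP) version: (bug fixes end, security fixes end).
SUPPORT = {
    "laravel": {
        "10": ("2024-08-06", "2025-02-04"),
        "11": ("2025-09-03", "2026-03-12"),
    },
    "php": {
        "8.1": ("2023-11-25", "2025-12-31"),
        "8.2": ("2024-12-31", "2026-12-31"),
        "8.3": ("2025-12-31", "2027-12-31"),
        "8.4": ("2026-12-31", "2028-12-31"),
    },
}

# Constructed composer.lock fragment; only the fields the check reads.
SAMPLE_LOCK = json.dumps(
    {"packages": [{"name": "laravel/framework", "version": "v10.48.25"}]}
)

def support_status(product, version_key, today_iso):
    """Return (status, days until security fixes end) for one component.
    status is 'bug-fixes', 'security-only', 'unsupported' or 'unknown'."""
    window = SUPPORT[product].get(version_key)
    if window is None:
        return "unknown", None
    today = date.fromisoformat(today_iso)
    bug_end, sec_end = (date.fromisoformat(d) for d in window)
    days_left = (sec_end - today).days
    if today <= bug_end:
        return "bug-fixes", days_left
    if today <= sec_end:
        return "security-only", days_left
    return "unsupported", days_left

def check_app(lock_json, php_version, today_iso):
    """Map each component to its status. php_version is the runtime version
    (e.g. from `php -r 'echo PHP_VERSION;'` on the server), because
    composer.lock records the PHP constraint, not what is installed."""
    results = {}
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg["name"] == "laravel/framework":
            major = pkg["version"].lstrip("v").split(".")[0]
            results["laravel"] = support_status("laravel", major, today_iso)
    minor = ".".join(php_version.split(".")[:2])
    results["php"] = support_status("php", minor, today_iso)
    return results

if __name__ == "__main__":
    # Run as of the week this tip was written (late January 2025).
    for name, (status, days) in check_app(SAMPLE_LOCK, "8.1.31", "2025-01-23").items():
        print(f"{name}: {status}, security fixes end in {days} days")
```

Anything reporting `security-only` with a small day count, or `unsupported`, is the signal to schedule the upgrade the tip asks for.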

Here are the official release support policies:


If you found this security tip useful, subscribe to get weekly Security Tips straight to your inbox. Upgrade to a premium subscription for exclusive monthly In Depth articles, or drop a coin in the tip jar to show your support.

When was the last time you had a penetration test? Book a Laravel Security Audit and Penetration Test, or a budget-friendly Security Review!

You can also connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.