2.3.3 introduces 75 critical security fixes, a range of fixes and some new features focussing on performance improvements. The main reason clients should upgrade is security and compliance. For European merchants, this new release adds PSD2 compliance for core payment methods (more information here).
Magento has tackled performance improvements in two ways. The first introduces deferred loading of non-critical CSS elements, which helps the frontend performance of the platform. The second breaks up the jquery/ui library into widgets so that only the necessary pieces are loaded, increasing the performance of category, configurable product, home and checkout pages.
The technology stack support has been updated to support PHP 7.3 and also Varnish 6.2.
In addition to version updates for Amazon Pay, dotdigital, Klarna and Vertex, Magento 2.3.3 has added Yotpo as a core bundled extension, allowing customers to leverage the power of Yotpo to gather User Generated Content.
Holiday Period Code Freezes
Here at Absolunet we definitely recommend our clients implement a strict code freeze anywhere from 4-6 weeks out from the holiday period (Black Friday onwards). This ensures we have a stable platform for the holidays that does not require any downtime for new features, hotfixes or patches.
For all merchants on 2.2.x, we recommend updating to 2.2.10 as soon as possible to get those security fixes in prior to the holiday period. All 2.3.x clients should be looking to apply the 2.3.2-p1 security patch now and to review the large 2.3.3 update after the holidays.
The 2.2.10 update also provides support for PHP 7.2. As PHP 7.1 will be deprecated on December 1st, this gives merchants some more breathing room to get that 2.3.3 update applied before December 31st, when Magento 2.2 is being deprecated.
New Security Patching Process
In order to reduce the overall total cost of ownership (TCO) of Magento 2, Magento has released a new way for customers to maintain a secure platform, without necessarily getting all the new bells and whistles.
Further details on the process can be found on the Magento DevBlog. Starting with Magento 2.3.2 and above (not supported for versions 2.2.x or below), security patches will be released which target only the vulnerabilities. This allows customers to maintain a secure website and their PCI compliance.
These security patches do not include additional bug fixes or new features, though, so clients wanting to patch other aspects of their site will need to upgrade to the latest version.
Author: Christopher Brabender, Director, Magento Practice at Absolunet.