Zend Framework 2.5.x Support Status


#1

Hi Folks, trying to determine the support status for 2.5.x, i understand the 2.4 LTS support ended few months ago, but not entirely sure if 2.5.x will still receive security updates if yes than for how long. Sorry for posting here but i couldn’t find the information anywhere else.
Cheers


#2

We’re working on our support policy currently. The proposal, which is likely what we will publish, is as follows:

  • Components will receive 1 year of security and critical bugfixes on the last minor version of a release after a new major version is issued. (Critical bugfixes are defined as those fixing BC breaks introduced with the last minor release.) We will continue to provide security fixes indefinitely or until we announce EOL on a component if no new major release is created.
  • Skeleton applications and their direct dependencies will not receive a new major release for a minimum of 2 years. Once a new major release is made, the previous release and its direct dependencies will continue to receive security and critical bugfixes for 2 years following the new major release.

We are still working out details, so if you have any feedback on the above, please feel free to contact me.


Zend Framework 2.x LTS status
#3

Thanks for your response and just to be clear is it right to draw the conclusion from above statement that 2.5.x will no longer receive security updates as of now (given the current proposal).


#4

Version 2.5 is a metapackage; it requires all the components that made up the previous releases of ZF2.

Many of those components (the majority, actually) are still in v2 releases. Others got bumped to v3 with the ZF3 release (e.g., zend-mvc, zend-eventmanager, zend-servicemanager, zend-stdlib, etc.). Interestingly, v3 was far more than 2 years following v2 (between 4 and 5 years after 2.0 dropped), and, at this time, has been out for almost two years, meaning that, under this policy, any v2 releases of components with a v3 release would be falling out of LTS anyways. (Interestingly, however: we released new v2 versions of zend-mvc and a few other components recently to provide PHP 7.2 support, which we considered critical while people complete their upgrades to ZF3. Technically, this would have been required by an LTS had we had the above policy in place; the policy is essentially codifying what we already do.)

This means that the majority of our components are still receiving both bugfix and security updates, as they do not have v3 releases. Most are still receiving feature releases as well! If you look at the components making up ZF, almost every single one has received at least one new release in the past month, in large part due to an initiative we just completed to ensure all of them work properly on PHP 7.2.