We are looking to reimplement a product built on 7.2, and have had success installing 8.9 and running some of the older modules using the Legacy structures. The CTO and Security team have raised the question about whether running legacy in SuiteCRM8 has vulnerabilities which have not been patched. I assume not, but I can’t find a definitive “Running Legacy code is safe and secure” post anywhere.
Can I assume that running any V7 legacy code has the same patch level as creating a module in SuiteCRM8.x? Is there a page I can point to?
Hello Dave,
There are the security fixes which are released along with the standard releases:
And there are policies around security issues:
They are split up - for the legacy code, they usually are reported / patched in both versions.
If it’s just Suite8 (so mainly Angular / GraphQL etc.) then it would only affect (report / patch) in the Suite8 branch.
If you have old custom code, you’d mostly need to get it to match the current PHP versions and develop in a safe manner (OWASP, etc.) internally.
If your codebase is that old, it makes sense to reevaluate your tech stack.
Is Angular nowadays a better approach? Do you need another front-end or can you build something on a different / easier back-end?
Yes, check out the Security sections in the release notes.
Thanks BastionHammer!
Yes, it is that old and we are evaluating everything. We’ll be updating all the PHP versions, and some of the custom code will actually be redeveloped completely. Since the Legacy is enough to get us going, we can then evaluate each customisation. We’ll look at what needs to be redeveloped, dumped, built and integrated, etc. as part of the process, but it would be an option if V7 code wasn’t security patched when running under legacy.
Thanks rsp! I did find the links to patch info, but I was unclear on whether the “legacy” code was patched at the same/better level as anything in V8. I was very confident, but I have steering committees who are in a default “no” mode until they get crystal clear.