How to Backport WooCommerce Security Patches Using Git and Composer

We all love the idea of staying up-to-date with software, ensuring the latest features and security patches are available. From time to time though, business requirements may keep us at a specific, tested version of software. It is not uncommon to find mission critical apps stuck on an older version due to customizations and testing specific to that version. What do you do when an important security fix comes out for it? Backport the patch!

I am going to walk you through a case study on how we backported the security patches from WooCommerce 3.6.5 to a required 3.5.6.

WooCommerce 3.6.5 introduced two important security patches:

  • Security – Introduce file type check for tax rate importer.
  • Security – Added nonce check to CSV importer actions.

Finding the patches

The process for obtaining the patch code can be onerous. It involves finding the specific commits that contain the patch code, and how you do that will differ for each project. I always recommend starting with the changelog to see what info can be gleaned. If the project is on GitHub and milestones are used, that can be an easy place to find the commits that went into the release. Then you are left to search through the commits to find the code.

Searching through the commits can be tedious. To help quicken the process, find two commits you know the patches are between. In this case we know 3.6.4 did not have the patch, so we can safely start looking there. 

Git has a built in command to view commits between two hashes:

`git log 917af529204a7059e5123e0406e43b93a9331f40 2a9cab7be3c183fbb781b141fa45946341087e66 --oneline`

Note that two hashes separated by a space list every commit reachable from either one; the range form `A..B` narrows the output to commits that are in the second hash but not the first.

This instance returns 31,965 commits! That would take a generation to search through manually!

Next I turned to searching for keywords in commits and commit messages to find related commits and piece them all together. Here are the commits I located:

Creating the patch files

Armed with the commit hashes, we can now set out to create patch files. Yes, at this point we could use git cherry-pick, but that can get messy to maintain, especially if you incrementally update later. Patch files are clean and can be imported any time. We will automagically apply patches later via composer.

Git has a built in command called format-patch to assist in patch file generation. 

Here is an example utilization:

`git format-patch -1 <COMMIT-HASH>`

The `-<n>` tells git how many commits back to use, in this case just one. If you wanted the last 10 commits from `master` it would look like:

`git format-patch -10 master`

Our patch files will be generated with the following two commands:

`git format-patch -1 737f6af5e8af27ae768d087e84c0303d8059281a`


`git format-patch -1 cabf9de71aa7f321e68dfeaf6000af2b45eeaba9`

Those will generate the following files in the current directory:

  • 0001-Introduce-file-type-check-for-tax-rate-importer.patch
  • 0001-Added-nonce-check-to-CSV-importer-actions.patch

It is worth mentioning here that you may run into issues with functions, files, etc. that exist in the latest version but not in the older one, meaning the patch may not apply cleanly. `git apply --check` will tell you whether a patch applies without touching the tree. If it does not, it is up to you to edit the patch until it works.

Applying the patch files – manual method

Git makes it incredibly easy to apply patch files with the `git apply` command. Our files are applied with the following commands:

`git apply 0001-Introduce-file-type-check-for-tax-rate-importer.patch`

`git apply 0001-Added-nonce-check-to-CSV-importer-actions.patch`

This method works great locally for testing, but you will likely need something more automated for deployments. Bring on the power of composer!
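The search, format-patch and apply steps above, rehearsed end to end as an added example (not code from the original post) in a throwaway git repository. It assumes git is installed; the repository history, the `importer.php` file and the `check_nonce()` call standing in for the real fix are all constructed for the demo. It also prints the `"description": "path"` line that a composer-patches entry needs.

```shell
# Added example, not code from the original post: rehearse the backport
# workflow end to end in a throwaway repository before touching the real
# WooCommerce checkout. Needs git. Every file name, commit message, tag and
# line of content below is constructed for the demo.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Stand-in upstream history: an old release, an unrelated change, then the
# security fix we want, tagged like real release points.
make_upstream() (
  git init -q upstream && cd upstream
  printf 'function import_csv($rows) {\n    return $rows;\n}\n' > importer.php
  git add . && git commit -q -m "Release 3.5.6" && git tag v3.5.6
  echo "x" > other.php && git add . && git commit -q -m "Unrelated feature"
  printf 'function import_csv($rows) {\n    check_nonce();\n    return $rows;\n}\n' > importer.php
  git commit -q -am "Security - Added nonce check to CSV importer actions"
  git tag v3.6.5
)

# Step 1: locate the fix by keyword, restricted to the commits between the
# two releases (A..B) rather than every commit reachable from either hash.
find_fix_commit() {
  git -C upstream log v3.5.6..v3.6.5 --oneline -i --grep=nonce | awk '{print $1}'
}

# Step 2: turn the commit into a patch file and print the composer-patches
# entry (description and path) that composer.json needs for it.
make_patch() {
  file=$(git -C upstream format-patch -1 "$1" -o "$PWD/patches")
  subject=$(sed -n 's/^Subject: \[PATCH\] //p' "$file")
  printf '"%s": "%s"\n' "$subject" "patches/$(basename "$file")"
}

# Step 3: dry-run the patch against the pinned release, then apply it. A
# failing --check is the signal that the patch needs hand editing first.
apply_to_old_release() (
  git clone -q upstream site && cd site && git checkout -q v3.5.6
  git apply --check ../patches/*.patch && git apply ../patches/*.patch
  grep -c 'check_nonce' importer.php   # prints 1 once the fix has landed
)

backport_demo() (
  work=$(mktemp -d) && cd "$work"
  make_upstream
  make_patch "$(find_fix_commit)" >/dev/null
  apply_to_old_release
)
```

Running `backport_demo` prints 1 when the patch landed on the pinned release; if the old tree differs from the one the fix was written against, `git apply --check` fails there and that is where the patch gets edited by hand.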

Applying the patch files – automatically with composer!

We use composer, so it made sense to us to use composer to apply patch files automatically for us. 

Cameron Eagans wrote a great composer plugin, composer-patches, that applies patches for us.

To use it, add `cweagans/composer-patches` to your project:

`composer require cweagans/composer-patches`

Now open the `composer.json` file with an editor. We will be adding a section in `extra` called `patches`, where a description and path to the patch files will be placed.

```json
{
  "require": {
    "cweagans/composer-patches": "~1.0",
    "woocommerce/woocommerce": "3.5.6"
  },
  "config": {
    "preferred-install": "source"
  },
  "extra": {
    "patches": {
      "woocommerce/woocommerce": {
        "Introduce file type check for tax rate importer": "0001-Introduce-file-type-check-for-tax-rate-importer.patch",
        "Added nonce check to CSV importer actions": "0001-Added-nonce-check-to-CSV-importer-actions.patch"
      }
    },
    "composer-exit-on-patch-failure": true
  }
}
```

That’s it! Go run `composer install` and your patch files will be automagically applied.