How long can I use CakePHP 2?

Now we have CakePHP 4, but there are still lots of legacy sites that work with version 2. How long will it be safe to use? I guess it’s very stable and therefore it should stand the test of time quite well? I do not mean that it gets updates, but some security fixes still (one year or so?)…

What do you think?

Yes, you are right, the ONLY stable version that works well is CakePHP 2, so I remain a big fan.
In CakePHP 3 everything is so slow (on the same platform) that for me it is unusable.
When CakePHP 4 was launched, I was very glad to test it, but only for some minutes.
In CakePHP 4 also the first query on Postgres with a field created that is a timestamp without time zone breaks everything, and nobody has helped me for a few months. The Core doesn’t recognize the type timestamp without time zone. Yes, for me too, MySQL is in front, but some projects use Postgres, and that cannot be ignored. That means that CakePHP 4 doesn’t pass my first testing step.

@marko The time frame for 2.x support is mentioned here

Thank you ADmad and cielo2. So version 2 support timeframe is now: “Release security fixes for June 15 2021 ( 18 months after 4.0.0).”

But I guess it will be stable and secure for some time after that also (it’s not WordPress, though. I don’t mean to criticise any platforms, but they are different…).

What do you think about using old framework versions? Is it a security risk?

It is always a risk, that’s why there were upgrades… the server needs to be upgraded too, but it can’t be if the software it hosts can only run on the old version of the setup… which means the server has to remain ‘behind’, and exposed to risk, as an old server always ‘invites’ hackers… :sweat_smile:

Thanks for your input. Yes, that’s true, but I meant servers that are up to date. E.g. CentOS 7 has security updates up to June 30th, 2024. So they will patch PHP and other software even if they are “older versions”. It is an “enterprise Linux” type scheme.

So my question actually is: if the server is “ok”, is CakePHP 2 a security risk to use?

It’s an impossible question to answer. There are no known security problems with v2, or they would have fixed them. You’re basically asking whether there are any unknown security problems that might be discovered after v2 stops being maintained. Unknowns are by definition unknown.

To be safe, it is still OK while it is still being maintained, and we follow all best practices in secure programming…

But the moment they stop any new release for 2.x, it is time to make a move…