Question

We are running Magento ver. 2.3.2-p2

Due to multiple custom modules, there are no plans to upgrade up to 2.4 for the moment, but I would like to have the latest security patches applied as far as feasible.

Will running the command

composer require magento/product-community-edition=2.3.3-p1 --no-update

be safe for us, giving us just the security updates minus the actual upgrade to 2.3.3?


Solution

  1. Using the command with the --no-update flag will just update the dependency instructions in composer.json and not update the Magento code. You will have to run composer update so that the changes from composer.json are applied.
  2. As per https://community.magento.com/t5/Magento-DevBlog/Introducing-the-New-Security-only-Patch-Release/ba-p/141287 you should be able (in theory) to apply the security updates only by using the above command (+ my above comment on that). You would practically be in the following scenario:

Security-only update to security-only update: In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1. In Q1’20, you can upgrade your 2.3.2-p1 instance to 2.3.3-p1.**

However, there is a disclaimer on that:

**Note that we will do our best to support security patch release to security patch release configurations, but we will not fully validate this upgrade path as part of our patch release process.

My suggestion is to try this on a test environment and validate all critical functionalities to check this out.
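A check for the state described in point 1, added here as an example and not part of the original answer: it compares the exact version pinned in composer.json with the one recorded in composer.lock, so a test environment where only `composer require ... --no-update` has run is reported as still pending. The function name, status strings and sample file contents are assumptions constructed for illustration; only exact pins such as the one in the question are handled.

```python
import json
import re

PACKAGE = "magento/product-community-edition"
# Exact pins only, e.g. "2.3.3-p1" or "=2.3.3-p1"; ranges like "^2.3" are not evaluated.
EXACT = re.compile(r"^=?\s*v?(\d+\.\d+\.\d+(?:-p\d+)?)$")


def patch_state(composer_json, composer_lock, package=PACKAGE):
    """Compare the version pinned in composer.json with the one in composer.lock.

    Both arguments are the file contents as strings.
    Returns (requested, locked, status); status names are this example's own.
    """
    requested = json.loads(composer_json).get("require", {}).get(package)
    lock = json.loads(composer_lock)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    locked = next((p.get("version") for p in entries if p.get("name") == package), None)

    if requested is None:
        return requested, locked, "not-required"
    pin = EXACT.match(requested.strip())
    if pin is None:
        return requested, locked, "not-an-exact-pin"
    if locked is None:
        return requested, locked, "not-locked"
    same = pin.group(1) == locked.strip().lstrip("v")
    return requested, locked, "applied" if same else "pending-composer-update"


# Constructed sample contents (not taken from a real project).
SAMPLE_JSON = json.dumps({"require": {PACKAGE: "2.3.3-p1"}})
SAMPLE_LOCK_BEFORE = json.dumps({"packages": [{"name": PACKAGE, "version": "2.3.2-p2"}]})
SAMPLE_LOCK_AFTER = json.dumps({"packages": [{"name": PACKAGE, "version": "2.3.3-p1"}]})

if __name__ == "__main__":
    # composer.json already edited by "composer require ... --no-update"
    print("before composer update:", patch_state(SAMPLE_JSON, SAMPLE_LOCK_BEFORE))
    print("after composer update: ", patch_state(SAMPLE_JSON, SAMPLE_LOCK_AFTER))
```

On a real checkout, pass the contents of the project's composer.json and composer.lock instead of the samples.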

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange