Scaffolded Visual Studio Project for SC2025-004 hotfix

Hotfixes fix security vulnerabilities, and it is good practice to apply them as soon as Sitecore releases one, so that your higher environments are protected from external attacks. There are usually two types of hotfix: one is plainly called a hotfix, the other is a cumulative hotfix. As the name suggests, a cumulative hotfix bundles multiple fixes together. For example, security bulletin SC2025-004 has two hotfixes: one for Sitecore XM/XP and another for SXA, which is a cumulative fix. In other words, irrespective of your Sitecore version, you must first apply the Sitecore hotfix, and if you also have the SXA module, you must then apply the SXA cumulative hotfix matching your SXA version on top of the Sitecore hotfix.

There are two methods to apply the hotfix, irrespective of if it is a cumulative or a one-off hotfix. 

1. Visual Studio project publish

2. Sitecore package installation

While approach 2 is easier, it can't be maintained in a version control system. In other words, you need to keep a checklist so that the installation step is diligently repeated in each environment as part of a manual process. Approach 1, on the other hand, requires a technical understanding of the package file structure. For instance, the package zip may contain Sitecore items as well as other artifacts such as DLLs and config files. DLLs and config files can be published via Visual Studio, but Sitecore items, if they are part of the package, need to be serialized via Sitecore CLI/TDS/Unicorn and pushed through a branch that can be deployed to the higher environments.

For instance, in the case of the SXA 10.3.0 cumulative hotfix package, the recommended approach is to install the package on the instance. If you look inside the zip file, however, the entries encircled in red in the screenshot below will be deserialized as Sitecore items, while the ones under the files folder will be deployed to the web root, since they are all config files, DLLs or .aspx files:


In the case of the 10.4.0 SXA hotfix, there aren't any Sitecore items to be deserialized:


With that basic understanding, there is no need to set up serialization for the 10.4.0 SXA hotfix. For the Sitecore SXA 10.3.0 cumulative hotfix, on the other hand, since there are serialized Sitecore items, I can unzip those items to my local file system and store them in a version control branch alongside the artifacts from the files folder. I can then push the serialized items to my Sitecore instance with tools like Sitecore CLI, in addition to the usual approach of deploying the configs and DLLs. Also, once all the artifacts live in a branch, I am free to apply or remove the hotfix as I wish. I now have a conventional way to find out what artifacts the main branch holds, and a gated way to see which hotfixes have been applied and which haven't. Had I used the package installer instead, I would have no such conventional way, since the artifact is not part of any branch, and I would also need to look at undoing the installation via an anti-package or similar, in each environment.
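To make the split described above concrete, here is an added example (not code from the post or from Sitecore) that opens a hotfix package and sorts its entries into the two deployment paths: anything under `items/` is a Sitecore item that has to go through serialization (Sitecore CLI/TDS/Unicorn), while anything under `files/` is an artifact destined for the web root that a Visual Studio publish can carry. The package layout it assumes (an outer zip wrapping an inner `package.zip` that holds `items/`, `files/` and `metadata/`) is an assumption stated in the code, and the two sample packages it builds are constructed in memory with placeholder names, so it runs offline. It also refuses entries with absolute or `..` path components before anything is extracted, which is a check worth running on any zip you are about to unpack into a web root.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Assumed layout (not taken from the post): a Sitecore package is a zip that wraps
# an inner "package.zip"; inside it, "items/" holds serialized Sitecore items and
# "files/" holds artifacts (dlls, configs, aspx, ...) that land in the web root.
INNER_NAME = "package.zip"
ITEMS_PREFIX = "items/"
FILES_PREFIX = "files/"


@dataclass
class HotfixPlan:
    serialized_items: list = field(default_factory=list)  # push via Sitecore CLI/TDS/Unicorn
    webroot_files: list = field(default_factory=list)     # publish via the Visual Studio project
    other: list = field(default_factory=list)             # metadata, installer info, etc.
    unsafe: list = field(default_factory=list)            # entries rejected before extraction


def _is_unsafe(name: str) -> bool:
    """Reject absolute paths, drive letters, backslashes and '..' components."""
    if name.startswith("/") or "\\" in name or ":" in name:
        return True
    return ".." in name.split("/")


def plan_hotfix(package_bytes: bytes) -> HotfixPlan:
    """Classify every entry of a hotfix package by how it should be deployed."""
    plan = HotfixPlan()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as outer:
        # Accept both the wrapped form and a bare inner zip.
        inner_bytes = outer.read(INNER_NAME) if INNER_NAME in outer.namelist() else package_bytes
    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        for info in inner.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if _is_unsafe(name):
                plan.unsafe.append(name)
            elif name.startswith(ITEMS_PREFIX):
                plan.serialized_items.append(name)
            elif name.startswith(FILES_PREFIX):
                # Strip the prefix so the result is the path relative to the web root.
                plan.webroot_files.append(name[len(FILES_PREFIX):])
            else:
                plan.other.append(name)
    return plan


def needs_serialization(plan: HotfixPlan) -> bool:
    """True when the package carries Sitecore items, i.e. serialization must be set up."""
    return bool(plan.serialized_items)


def build_sample_package(entries: dict) -> bytes:
    """Build a constructed package (outer zip wrapping package.zip) purely for demonstration."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(INNER_NAME, inner.getvalue())
    return outer.getvalue()


# Constructed samples with placeholder names; they mimic the two shapes discussed above:
# a cumulative package with items plus files, and a plain package with files only.
CUMULATIVE_SAMPLE = build_sample_package({
    "metadata/sc_name.txt": b"cumulative hotfix (constructed sample)",
    "items/master/sitecore/system/Settings/Hotfix Sample Item.item": b"<item/>",
    "files/bin/Hotfix.Sample.dll": b"MZ",
    "files/App_Config/Include/zzz/Hotfix.Sample.config": b"<configuration/>",
})
PLAIN_SAMPLE = build_sample_package({
    "metadata/sc_name.txt": b"plain hotfix (constructed sample)",
    "files/bin/Hotfix.Sample.dll": b"MZ",
})


if __name__ == "__main__":
    for label, pkg in (("cumulative", CUMULATIVE_SAMPLE), ("plain", PLAIN_SAMPLE)):
        plan = plan_hotfix(pkg)
        print(f"{label}: serialization needed = {needs_serialization(plan)}")
        print("  items   :", plan.serialized_items)
        print("  webroot :", plan.webroot_files)
        print("  unsafe  :", plan.unsafe)
```

Run it against a real package by reading the zip into `plan_hotfix`; if `serialized_items` is empty you are in the 10.4.0 situation and a Visual Studio publish of the `webroot_files` list is all that is needed, otherwise the `items/` entries are what go into your serialization branch.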

Sitecore 10.4 Visual Studio-based hotfix on GitHub: publish just the necessary project(s), depending on whether you have the SXA module installed in your instance!

Reference: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734
