Legacy software often resists secure upgrades; manual backporting of patches is time-consuming and error-prone; and existing automated backporting approaches lack systematic, cross-language evaluation. Method: This paper introduces PatchBack—the first cross-language, general-purpose patch backporting benchmark—comprising 202 real-world backport cases drawn from PyPI, Maven, and npm, accompanied by containerized execution environments and reproducible test suites. Contribution/Results: PatchBack enables the first quantitative evaluation of logical refactoring capability in backporting. Empirical analysis reveals that LLM-based agent methods significantly outperform traditional techniques in scenarios requiring structural or logical modifications—especially for Python and JavaScript—while performance on Java remains suboptimal. The benchmark establishes a standardized, empirically grounded evaluation framework for automated patch backporting, advancing both methodology and practice in software maintenance and security.

Many modern software projects evolve rapidly to incorporate new features and security patches. It is important for users to update their dependencies to safer versions, but many still use older, vulnerable package versions because upgrading can be difficult and may break their existing codebase. Software developers can mitigate this problem by backporting security patches to older releases. However, manually backporting is time-consuming and error-prone. The effectiveness of existing automated backporting techniques on general software remains unclear since they typically target only code-hunk or function-level patch porting scenarios and are evaluated with imperfect metrics. To facilitate the development and evaluation of automated backporting techniques, we introduce BackportBench, the first comprehensive benchmark suite for patch backporting problem. BackportBench is a multilingual benchmark that contains 202 patch backporting problems from PyPI, Maven, and npm, each with executable Docker environments and relevant test cases. We evaluated existing patch porting methods and LLM-based techniques that have the potential to adapt to this task using BackportBench. The results show that the agentic method has outperformed traditional patch porting methods, especially on cases that require logical and structural changes. However, the performance varies across different programming languages. Based on the findings, we draw several implications for researchers and software practitioners in future work on automated backporting.