A minor release after a security release makes next major branches security release appear in Available Updates

Created on 13 September 2019, almost 5 years ago
Updated 25 January 2023, over 1 year ago

Problem/Motivation

Found this while working on #2992631: Update report incorrectly recommends security releases for old minors when a security update is needed and a secure version of the old minor is also available →

In \Drupal\Tests\update\Functional\UpdateCoreTest::securityUpdateAvailabilityProvider() we have the test case:

      // No newer security release for site minor 1.
      // Previous minor has security release.
      '1.2, 0.2 1.2' => [
        'site_patch_version' => '1.2',
        'expected_security_releases' => [],
        'expected_update_message_type' => static::UPDATE_NONE,
        'fixture' => 'sec.0.2-rc2',
      ],

The site is on 8.1.2, which is the latest release for 8.1.x and is also a security release. 8.2.x has releases and 8.2.0-rc2 is a security release.

The update status page in the test looks like

It shows 8.2.0-rc2 but it does not say it is a security release because the currently installed version 8.1.2 is a security release and not insecure.

If we change the test fixture to include the release 8.1.3, which is not a security release, the updates page now looks like

Now the 8.1.3 version is shown as an available update, but it also shows the 8.2.0-rc2 release as a security release. Nothing has changed as far as the currently installed version's security status. 8.1.2 is still secure. So there is no need to change to show 8.2.0-rc2 as a security release.

Proposed resolution

Don't show future minor releases as security releases if the current installed version doesn't need a security update.

Remaining tasks

  1. Determine desired functionality
  2. Tests
  3. Fix
  4. Review

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Postponed: needs info

Version

10.1 ✨

Component
Update

Last updated 2 days ago

  • Maintained by
  • 🇺🇸 United States @tedbow
  • 🇺🇸 United States @dww
Created by

🇺🇸 United States tedbow Ithaca, NY, USA
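
A simplified model of the proposed resolution in the issue summary, added here as an illustration and not Drupal's update module code. The function names, the release array shape and the rule that only a newer security release in the installed minor makes the site insecure are assumptions; the fixtures are constructed from the versions in the summary.

```php
<?php
// Simplified model of the proposed rule; NOT Drupal's update module code.

/** Minor branch of a version string, e.g. "8.2.0-rc2" -> "8.2". */
function branch_of(string $version): string {
  [$major, $minor] = explode('.', $version);
  return "$major.$minor";
}

/**
 * Hypothetical helper: versions that should carry a "security update" label.
 *
 * Assumption of this model: the installed version is insecure only when a
 * newer security release exists in its own minor branch.
 */
function security_releases_to_show(string $installed, array $releases): array {
  $newer_security = array_filter($releases, fn(array $r): bool =>
    $r['security'] && version_compare($r['version'], $installed, '>'));

  $needs_update = FALSE;
  foreach ($newer_security as $release) {
    if (branch_of($release['version']) === branch_of($installed)) {
      $needs_update = TRUE;
    }
  }
  // Installed version is still secure: label nothing, including next-minor
  // security releases such as 8.2.0-rc2.
  return $needs_update ? array_column($newer_security, 'version') : [];
}

// Constructed fixtures; 8.1.1 is added only for the contrasting insecure case.
$fixture = [
  ['version' => '8.1.1', 'security' => FALSE],
  ['version' => '8.1.2', 'security' => TRUE],
  ['version' => '8.2.0-rc2', 'security' => TRUE],
];
$with_813 = array_merge($fixture, [['version' => '8.1.3', 'security' => FALSE]]);

foreach ([
  'on 8.1.2, no 8.1.3' => ['8.1.2', $fixture],
  'on 8.1.2, 8.1.3 added' => ['8.1.2', $with_813],
  'on 8.1.1 (insecure)' => ['8.1.1', $with_813],
] as $label => [$installed, $releases]) {
  printf("%s: %s\n", $label, json_encode(security_releases_to_show($installed, $releases)));
}
```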


Comments & Activities


  • 🇺🇸 United States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request → as a guide.

    Interesting issue. Personally, I have not seen that before in Drupal 9 or in Drupal 10.
    But if you are still seeing it, do you have any recommendation to manually trigger it?
