Contrib.social

Handle updates for uninstalled extensions?

Open on Drupal.org β†’
Created on 30 January 2025, 4 months ago

Problem/Motivation

Update status in core generally doesn't handle uninstalled extensions.

I think that decision was made a very long time ago to reduce the amount of metadata it would need to pull from Drupal..org, and because at the time, people would need to update those extensions manually via tarballs, when instead they might eventually remove them.

However, I think there are probably good reasons to reverse this for automatic updates:

1. Composer doesn't know that extensions are uninstalled, so an uninstalled extension can prevent an update of core or another installed extension when there's a compatibility conflict.

2. If you install an extension, then immediately get prompted to update it (including potentially security updates), it's not great.

3. Drupal data upgrade paths, even in core, do not have a good record of being 100% reliable. If modules are constantly updated while they're uninstalled, it saves immediately having to run database updates if they're installed then updated.

4.composer audit and other internal tools similarly don't know whether a dependency is installed or not and will complain if there's a security release. composer audit + automatic updates might be mutually exclusive, but you never know.

I looked for an open issue but couldn't find one. Possibly there's a way to find uninstalled extensions and update them in the UI, but I also couldn't find that if it's there.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

πŸ“Œ Task
Status

Active

Version

4.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom catch

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @catch
  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    Adding related Drupal CMS issues.

    I tested this manually, and even if update status is configured to show available updates, they're not shown in the automatic updates UI.

    I think not respecting the setting makes this a bug - you can see updates, including security releases, but you can't update them until you've installed the module, which if you're doing it on production makes your site instantly insecure.

  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch
  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    I was super surprised when I uninstalled something via the project browser it didn't actually result in removing it from composer.json. In my mind we need to focus on the ability to purge unused projects.

  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    @alexpott see 🌱 [meta] composer require / install module discrepancy issues Active for some discussion of that.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024