False warnings about security updates

Created on 27 February 2025

Problem/Motivation

It feels like I am getting more false warnings about a module no longer being supported, first via email:

The installed version of at least one of your modules or themes is no longer supported. Upgrading or uninstalling is strongly recommended. See the project homepage for more details.

See the available updates page for more information:
https://example.org/admin/reports/updates
Your site is currently configured to send these emails only when security updates are available. To get notified for any available updates, https://example.org/admin/reports/updates/settings.

... and under /admin/reports/updates:

CKEditor 5 Paste Filter 1.0.1 Not Supported!
Recommended version: 1.1.0 (2025-Feb-26)
Your currently installed release is now unsupported, and is no longer available for download. Uninstalling everything included in this release or upgrading is strongly recommended!

It's my impression that the update from CKEditor 5 Paste Filter 1.0.1 to 1.1.0 is not a security update, but merely an improvement:

https://www.drupal.org/project/ckeditor5_paste_filter/releases/1.1.0

Is the reason I am getting more false security warning emails, and see "Not Supported!" under the update page due to maintainers mistakenly placing a check mark somewhere in the module maintenance interface (Or remove "Supported"? I am not a module maintainer, and don't know the interface), when in fact that version would still work fine, and the warnings are basically not warranted?
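To make the behaviour behind the question concrete, here is an added example that is not part of the issue and not Drupal core's own code: a simplified Python reimplementation of how the Update Status module classifies an installed release from the drupal.org release-history feed, and why "Not Supported" is mailed out even when a site is configured to send emails only for security updates. The XML is a constructed sample in the shape of the updates.drupal.org release-history feed; the status names, the ordering of the checks, the version format (plain major.minor.patch, no 8.x- prefix or -beta suffixes) and the notification rule are assumptions modelled on core's update module, not a verbatim port of it.

```python
"""Added example, not from the issue or from Drupal core: a simplified model of
Update Status classification from a drupal.org release-history feed.

Assumptions (labelled): the feed below is a constructed sample in the shape of
https://updates.drupal.org/release-history/<project>/current; <supported_branches>
is the comma-separated list of "major.minor." prefixes that drupal.org publishes
from the maintainer's "Supported" checkboxes; versions are plain x.y.z semver.
"""
import xml.etree.ElementTree as ET

# Status names modelled on Drupal core's UpdateManagerInterface constants.
CURRENT = "current"
NOT_CURRENT = "not_current"      # a newer supported release exists
NOT_SECURE = "not_secure"        # a newer supported release is a security update
NOT_SUPPORTED = "not_supported"  # the installed branch is no longer supported

# Constructed sample: the maintainer unticked "Supported" on 1.0.x, so only
# 1.1.x is supported. 1.1.0 is a plain "Bug fixes" release, not a security one.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <title>CKEditor 5 Paste Filter</title>
  <short_name>ckeditor5_paste_filter</short_name>
  <supported_branches>1.1.</supported_branches>
  <project_status>published</project_status>
  <releases>
    <release>
      <version>1.1.0</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release>
      <version>1.0.1</version>
      <status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
  </releases>
</project>
"""

# Same feed with overlapping support (1.0.x left ticked), and one where 1.1.0
# is tagged as a security release. Both are constructed variants of the sample.
OVERLAP_FEED = SAMPLE_FEED.replace("<supported_branches>1.1.</supported_branches>",
                                   "<supported_branches>1.0.,1.1.</supported_branches>")
SECURITY_FEED = SAMPLE_FEED.replace("<value>Bug fixes</value>",
                                    "<value>Security update</value>", 1)


def branch_of(version: str) -> str:
    """'1.0.1' -> '1.0.' (major.minor with trailing dot, as drupal.org writes it)."""
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}."


def version_key(version: str):
    """Sort key for plain x.y.z versions (assumption: no suffixes)."""
    return tuple(int(part) for part in version.split("."))


def parse_feed(xml_text: str):
    """Return (supported branch prefixes, [{'version', 'types'}]) from the feed."""
    root = ET.fromstring(xml_text)
    supported = [b for b in (root.findtext("supported_branches") or "").split(",") if b]
    releases = []
    for rel in root.findall("./releases/release"):
        types = [t.findtext("value") for t in rel.findall("./terms/term")
                 if t.findtext("name") == "Release type"]
        releases.append({"version": rel.findtext("version"), "types": types})
    return supported, releases


def project_status(installed: str, xml_text: str):
    """Classify the installed version; returns (status, recommended version)."""
    supported, releases = parse_feed(xml_text)
    candidates = [r for r in releases if branch_of(r["version"]) in supported]
    recommended = max((r["version"] for r in candidates), key=version_key, default=None)
    newer = [r for r in candidates if version_key(r["version"]) > version_key(installed)]

    # 1. A newer supported release that is a security update outranks everything.
    if any("Security update" in r["types"] for r in newer):
        return NOT_SECURE, recommended
    # 2. An unsupported branch is reported as NOT_SUPPORTED regardless of the
    #    release type of the newer version; this is the case in the issue.
    if branch_of(installed) not in supported:
        return NOT_SUPPORTED, recommended
    # 3. Otherwise it is just an ordinary available update, or up to date.
    return (NOT_CURRENT if newer else CURRENT), recommended


def should_email(status: str, threshold: str) -> bool:
    """Model of the cron notification rule: threshold is 'all' or 'security'.
    NOT_SUPPORTED is treated like NOT_SECURE, which is why a bugfix-only
    release still produces a 'security' email once the old branch is unticked."""
    if threshold == "all":
        return status != CURRENT
    return status in (NOT_SECURE, NOT_SUPPORTED)


if __name__ == "__main__":
    for label, feed in (("unsupported", SAMPLE_FEED), ("overlap", OVERLAP_FEED)):
        status, rec = project_status("1.0.1", feed)
        print(f"{label}: 1.0.1 -> {status}, recommended {rec}, "
              f"email at 'security' threshold: {should_email(status, 'security')}")
```

Running it shows the contrast the thread is about: with 1.0.x unticked, 1.0.1 is classified not_supported and is mailed under the security-only threshold even though 1.1.0 is a bug-fix release; with 1.0.x left supported alongside 1.1.x, the same site sees not_current and no email until it opts in to notifications for all updates.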

Steps to reproduce

Proposed resolution

Perhaps the module administration interface needs to emphasize that removing a check of "Supported" will result in security warnings and emails getting sent to all users?

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task
Status

Active

Component

Development Environments

Created by

🇩🇰Denmark ressa Copenhagen


Comments & Activities

  • Issue created by @ressa
  • 🇨🇦Canada star-szr

    As the module maintainer in question, this was certainly an unpleasant surprise.

    Even linking to some docs would be an improvement, it wasn’t clear to me that these checkboxes would have any impact beyond the Drupal.org project page.

  • 🇩🇰Denmark ressa Copenhagen

    Thanks for sharing a screen dump @star-szr. I agree, adding a sentence and a link to the doc page would be great, something like this:

    Note: Disabling "Supported" can result in security warning emails being sent out, and a "Not Supported!" message under /admin/reports/updates.

    I couldn't find the right documentation page, so the link should be updated to point at the actual page, where this setting is documented.

  • 🇺🇸United States drumm NY, US

    There was some discussion of this when Semantic Versioning for contributed projects was introduced. That allowed more options for maintainers to support or not. I didn’t find any issues offhand though.

    https://www.drupal.org/node/1015226 could be a place to document, or link to from documentation.

    I think we should get rid of the “Recommended” label to simplify the form: 📌 Remove “recommended” status for releases? (Active)

    The wording for a message here does not need to be overly-specific or discouraging. We do want maintainers to be able to keep a manageable workload, un-supporting a release series is fine. The emphasis should be on encouraging some overlap in what is supported, to give users time to migrate.

  • 🇩🇰Denmark ressa Copenhagen

    Thanks for a great response @drumm, good points.

    Adding a sentence or two about the ramifications of removing the check of "Supported" from a version number on the Release naming conventions page and linking to it from the module "Release" page is a great idea.

    @star-szr. Do you feel like putting this into writing, and adding it to that page?

    I understand that the wording shouldn't dissuade module maintainers from removing the "Supported" check, but make it clear that it might have consequences, such as email alerts being sent to users. And these users may get weekly or daily emails about this, until they update. So minor bugfix releases and similar probably do not warrant making a previous version not "Supported".

    And thanks for creating 📌 Remove “recommended” status for releases? (Active), I was a bit apprehensive at first, since I do like the different colors (see for example Webform) indicating which is the recommended version. But as you write, if Composer's rules are what counts, maybe it should be removed.

  • 🇺🇸United States drumm NY, US

    I’ve added a draft to #686918: Add help text to project release admin page to warn about marking branches unsupported and the impact on update status for adding help text, please help review and improve it.

    It looks like the conclusion of this issue was to add help text and documentation, so I think the other issue will cover making this improvement.

  • 🇩🇰Denmark ressa Copenhagen

    Thanks @drumm. I know the other issue is older, but wouldn't it be better to continue in this issue and mark the other as duplicate, since this issue includes valuable information such as:

    • A recent incident
    • Feedback from a maintainer
    • Feedback from a regular user
    • Documentation