Consider flipping the default for update.settings:check.disabled_extensions

Created on 4 March 2025, 29 days ago

Problem/Motivation

Drupal CMS out of the box includes a large number of modules that are not enabled by the base recipe. These will be on the filesystem of sites that install Drupal CMS without being installed - until a recipe that depends on them is installed.

If these modules are installed later without being updated in the meantime, there are two potential negative consequences:

1. If the module has had a security release, site owners will start getting a notification that the module is insecure after they've installed it (and made their site insecure), not before.

2. If the module has had new releases with database updates included, the site owner will get a notification that a newer version is available after they install it, and then the module's updates will need to be run. If they update it before installing, there are no updates to run, which is a lot more reliable and less error-prone.

I've opened an issue with more or less the same issue summary against Drupal CMS here: 📌 Set 'Check for updates of uninstalled modules and themes' to on by default (Active), but also think we should consider flipping the default in core.

If people find the notifications annoying, then that might prompt them to actually composer remove the module, or they can always flip the setting back.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task
Status

Active

Version

11.0 🔥

Component

update.module

Created by

🇬🇧 United Kingdom catch
