- Issue created by @phenaproxima
- 🇺🇸 United States phenaproxima Massachusetts
Attended updates only update Drupal core. They always have a human in the loop (that's what makes them "attended"), and they are the equivalent of running the following:
composer require drupal/core-recommended:NEW_VERSION --no-update
composer update --with-all-dependencies --optimize-autoloader --minimal-changes drupal/core-recommended:NEW_VERSION
The risk here is that installed contrib extensions could be updated, although --minimal-changes should, well, keep that to a minimum. But if there are bad and dangerous constraints in the site's composer.json (e.g., unbounded constraints like drupal/pathauto:>=1), then this could immediately break a site if done in direct-write mode.
One possible mitigation here is for Automatic Updates (or maybe just Package Manager itself) to refuse to even start the update process in direct-write mode if any unbounded constraints are present.
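One way to implement the pre-flight check proposed in the issue summary, as an added example that is not part of the original post and is not code from Automatic Updates or Package Manager. The function names and the sample composer.json are constructed; the check assumes that a constraint is unbounded when any of its OR-alternatives lacks an upper bound, skips platform packages such as php, and counts dev branches as bounded.

```python
import json
import re

# Composer's "any version" forms: *, x, X, *.* and so on.
MATCH_ALL = re.compile(r"^v?[xX*](\.[xX*])*$")

def has_upper_bound(group: str) -> bool:
    """True if one AND-group of a Composer constraint caps the version."""
    group = re.sub(r"@\w+", "", group).strip()        # drop stability flags
    if re.search(r"\S\s+-\s+\S", group):               # hyphen range "1.0 - 2.0"
        return True
    group = re.sub(r"(>=|<=|!=|<>|==|[<>=])\s+", r"\1", group)  # ">= 1" -> ">=1"
    for term in re.split(r"[\s,]+", group):
        if not term or term.startswith(("!=", "<>", ">")) or MATCH_ALL.match(term):
            continue                                   # floor, exclusion or wildcard
        return True   # <, <=, ^, ~, exact, 1.* or dev branch (assumed bounded)
    return False      # nothing capped it; a bare "@dev" behaves like "*"

def is_unbounded(constraint: str) -> bool:
    """Unbounded if any OR-alternative ("||" or "|") has no upper bound."""
    return any(not has_upper_bound(g) for g in re.split(r"\|\|?", constraint))

def unbounded_requirements(composer_json: str) -> dict:
    """Return {package: constraint} for unbounded non-platform requirements."""
    data = json.loads(composer_json)
    found = {}
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if "/" in name and is_unbounded(constraint):   # skip php, ext-*
                found[name] = constraint
    return found

# Constructed sample composer.json (not taken from a real site).
SAMPLE = """{"require": {
  "php": ">=8.1",
  "drupal/core-recommended": "^10.3",
  "drupal/pathauto": ">=1",
  "drupal/token": "^1.9 || ^2.0",
  "drupal/ctools": ">=3.0 <5.0",
  "drupal/admin_toolbar": "*",
  "drupal/metatag": "~1.26 || >=2.0"
}}"""

if __name__ == "__main__":
    bad = unbounded_requirements(SAMPLE)
    for name, constraint in bad.items():
        print(f"unbounded: {name}:{constraint}")
    raise SystemExit(1 if bad else 0)   # non-zero exit: do not start the update
```

Run stand-alone, the script exits non-zero when any unbounded requirement is found, so it can gate an update job.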
- 🇺🇸 United States dww
Not to be a broken record, but I hope "direct-write" means "add to the queue for the cron job that runs as the user that owns your files" in the security-in-depth world where httpd does not have direct write access to your codebase, right?
- 🇬🇧 United Kingdom catch
@dww I think we need a new issue for that. There is a console command that can do unattended updates (I think) and an issue to document it, but I don't think there's an issue for queuing attended updates. We'd also need an equivalent issue for project browser to add similar functionality there for adding new code too.