Securities are not always updated when those aren't direct dependencies #5

omarlopesino · 2023-03-17T11:22:50Z

It happened that the script wasn't able to update the drupal core latest security, when the project has drupal/core-recommended installed.

It looks like as not the complete metapackage has been updated, it is not possible to independently upgrade drupal core.

Steps to reproduce

Have a site with Drupal 9.4.11 or lower / 9.5.4 or lower / 10.0.4 or lower , but with drupal/core-recommended in the requirements.
Run drupal-updater --security

The text was updated successfully, but these errors were encountered:

omarlopesino · 2023-05-05T15:20:13Z

After thinking about it I conclude that drupal updater must rely on the constraints, otherwise, modules can be calculated automatically.

omarlopesino · 2023-05-31T08:23:24Z

After thinking again a good solution would be:

Detect if a security package is a transitive dependency, then detect the direct dependency, and then update that direct dependency

omarlopesino added bug Something isn't working enhancement New feature or request and removed bug Something isn't working labels Apr 19, 2023

omarlopesino closed this as completed May 5, 2023

omarlopesino reopened this May 31, 2023