Problem/Motivation
Found this while working on #2992631: Update report incorrectly recommends security releases for old minors when a security update is needed and a secure version of the old minor is also available
In \Drupal\Tests\update\Functional\UpdateCoreTest::securityUpdateAvailabilityProvider() we have the test case:
// No newer security release for site minor 1.
// Previous minor has security release.
'1.2, 0.2 1.2' => [
'site_patch_version' => '1.2',
'expected_security_releases' => [],
'expected_update_message_type' => static::UPDATE_NONE,
'fixture' => 'sec.0.2-rc2',
],
The site is on 8.1.2 which is the latest release for 8.1.x and is also a security release. 8.2.x has releases and 8.2.0-rc2 is security release.
the update status page in the test looks like
It shows 8.2.0-rc2 but it does not say it is security release because it the currently installed version 8.1.2 is a security release and not insecure.
If we change the test fixture to include the release 8.1.3 which is not a security release the updates page now looks like
Since now the up 8.1.3 version is show update as available update but it also shows the 8.2.0-rc2 release as security release. Not has changed as far as the currently installed versions security status. 8.1.2 is still secure. So there is no need to change to show 8.2.0-rc2 has a security release.
Proposed resolution
Don't show future minor releases as security releases if the current installed version doesn't need a security update.
Remaining tasks
- Determine desired functionality
- Tests
- Fix
- review
