Security updates
It is essential that we keep our clients sites as up to date as possible when it comes to security of their applications.
Drupal has a for bug fixes or security releases.
At Deeson, when a security update is released we want to ensure that all our clients sites are kept up to date as soon as possible. As the announcements tend to come out during Wednesday evening (UK time), these are reviewed on the Thursday morning.
We use an internally developed tool called Warden to report on which sites have been affected by any security announcements released on the Wednesday evening.
This provides a dashboard of which sites require security updates, either for Drupal core or for contributed modules. Warden also has a Slack integration which posts a report to the #dev-security Deeson Slack channel every Thursday listing all the sites that need updating.
Each Thursday morning the lead developers should check the list of sites that require security updates. They should assign individuals to get these updates applied to the relevant sites as soon as possible.
While every developer has normal client work that they are working on, they should prioritise applying security updates to their sites over their current project work.
If the time required to apply, test and release the security update is going to be more than one hour, the developer needs to update the team for the project that they are currently working on. This is to inform them that they might be delayed in their current work due to the security updates that need applying.
If there is a specific reason that they need to keep working on a client's site (e.g. urgent release pending, client expecting work for a deadline etc.) then the developer needs to raise this with the relevant lead developer so that they know and can organise development resource accordingly to get the update applied.
Security updates shouldn't linger for more than a week after they have been released. They should be applied and released either on that Thursday or by the following Monday at the latest.
While we currently do not have a central way of detecting whether security updates are available for node packages (like Warden for Drupal), both npm and yarn provide a command which checks the packages within a project to see whether any of them need updating.
To do this, run one of the following commands depending upon which package manager the site uses:
npm audit
yarn audit
This will provide a list of the packages along with their severity level. Any with a high or critical severity should be flagged as needing to be updated.
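As an added example (not part of the original page or of Warden), the following script parses the JSON form of the npm check described above and returns only the packages whose severity meets the "high or critical" bar, so the result can be pasted into a ticket or fed to a CI job. It assumes the npm 7+ report format (auditReportVersion 2) and uses a constructed sample report, not real audit output.

```python
import json
import subprocess
from typing import Dict, List

# Severities the process treats as requiring an update (high or critical).
FLAG_LEVELS = {"high", "critical"}
# Most severe first, so the listing reads top-down like the Warden report.
SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def flag_vulnerable_packages(audit_json: str, levels=FLAG_LEVELS) -> List[Dict[str, object]]:
    """Parse `npm audit --json` output (npm 7+ shape, auditReportVersion 2) and
    return the packages whose severity is in `levels`, most severe first."""
    report = json.loads(audit_json)
    flagged = []
    for name, entry in report.get("vulnerabilities", {}).items():
        if entry.get("severity") in levels:
            flagged.append({
                "package": name,
                "severity": entry["severity"],
                "range": entry.get("range", "?"),          # affected version range
                "direct": bool(entry.get("isDirect", False)),
                # fixAvailable is True/False or an object describing a (possibly
                # semver-major) fix; either way, truthy means npm knows of a fix.
                "fix_available": bool(entry.get("fixAvailable")),
            })
    return sorted(flagged, key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))


def run_npm_audit(project_dir: str) -> str:
    """Run npm audit in a project directory. npm exits non-zero whenever it finds
    any vulnerability, so the exit code is not treated as an error here; the JSON
    report is still on stdout and is what we parse."""
    result = subprocess.run(["npm", "audit", "--json"], cwd=project_dir,
                            capture_output=True, text=True)
    return result.stdout


# Constructed sample report (assumed shape; not output from a real project).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pkg-a": {"name": "example-pkg-a", "severity": "critical", "isDirect": True,
                          "range": "<2.0.0", "fixAvailable": True},
        "example-pkg-b": {"name": "example-pkg-b", "severity": "high", "isDirect": False,
                          "range": "<1.4.2",
                          "fixAvailable": {"name": "example-pkg-c", "version": "3.0.0", "isSemVerMajor": True}},
        "example-pkg-d": {"name": "example-pkg-d", "severity": "moderate", "isDirect": True,
                          "range": "<0.9.0", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 1, "total": 3}},
})

if __name__ == "__main__":
    for f in flag_vulnerable_packages(SAMPLE_REPORT):
        print(f"{f['severity']:<8} {f['package']} {f['range']} direct={f['direct']} fix={f['fix_available']}")
```

For a plain exit-code check without parsing, `npm audit --audit-level=high` fails only when a high or critical finding is present.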
When a developer is aware that there is a security update due to one or more node packages, they should prioritise getting this update applied and tested within the stage environment for the application.
As this could affect other areas of the application that use this package, a ticket should be created with details of what is being updated so that this can be tested by the client.
This work is licensed under a .