Automatic updates
Updating a Drupal site is complex, time-consuming, and costly. While it may seem straightforward, secure and reliable updates that instill confidence in site owners and ensure site availability are a significant challenge.
The Automatic Updates service for Drupal aims to simplify this process and ensure updates are applied safely and correctly.
Note: Automatic Updates is a strategic initiative for the Drupal project. It is still under active development, and there are several important considerations:
- The Automatic Updates module is not yet in core. It is currently available as a contrib module at https://drupal.org/project/automatic_updates.
- The module is currently a release candidate. A stable release is expected soon.
- This first phase includes Public Service Announcements (PSAs), readiness checks, and in-place update capabilities—either manually or via cron. Updates involving database changes will trigger a rollback.
- It does not yet support contrib module updates or Composer-based installations. These are planned for Phase 2.
Key Features of the Automatic Updates Module
Public Service Announcements (PSAs)
Security advisories for core and contributed modules are rare but critical. When a PSA is issued, site owners must verify they are up to date and that their site is healthy and ready for rapid updates when patches are released.
Readiness Checks
Not all sites are always eligible for automatic updates. Readiness checks determine if a site is ready to safely receive updates. For example, sites with pending database updates, read-only file systems, or insufficient disk space will not pass readiness checks. Sites must resolve these issues to qualify for automatic updates during a PSA.
In-place Updates
After a PSA is issued and a site passes readiness checks, the automatic update service can apply the update.
Organizations may customize the update workflow—for example, backing up the database to S3 or sending email notifications before running database updates.
Custom actions that rely on updated code should be executed via command-line interfaces to avoid using stale PHP code during updates. See the execute_updates plugin for guidance.
Installation
The Automatic Updates module is currently available as a contrib module. After community testing, it will be included in Drupal core in a future release.
- Important: Download the module as a tarball. Composer-based installation is not supported at this time.
- Install the module using your preferred method.
This module is not intended for Composer-based sites. It assumes a tarball-based installation and supports only core updates at this time. Composer support will come in later iterations.
Using the Module
Manual Use
The PSA feature displays alerts from Drupal.org in the admin UI. Readiness checks run regularly to verify the site’s status. Admins can manually trigger in-place updates from the module's config page.
Unattended Use
To enable automatic updates, check the box on the config page to allow updates via cron. Updates will only occur if the site passes readiness checks.
Extending Automatic Updates
Since database updates vary in complexity, the module uses a plugin-based architecture for handling DB changes. The default behavior enables maintenance mode, runs updates, then disables maintenance mode. The update sequence is configured in automatic_updates.settings.yml and can be overridden in settings.php:
$config['automatic_updates.settings']['database_update_handling'] = ['rollback', 'alternative_plugin_id'];
Available plugins include:
- 'execute_updates'
- 'ignore_updates'
- 'maintenance_mode_activate'
- 'maintenance_mode_disactivate'
- 'rollback'
Site owners can create custom plugins—e.g., for custom backup routines.
System Architecture Overview
Core Elements
Public Service Announcements: Retrieved from a psa.json feed on Drupal.org and displayed via drupal_set_message().
Readiness Checks: Plugin-based system with UI alerts and errors when sites are not update-ready.
In-place Updates: Uses signed and hashed “quasi-patches” from Drupal.org, validated with php-libsodium. Validated patches are applied by copying updated files over the current ones.
Testing Features
You can enable a test PSA feed using:
$ drush pm-enable automatic_updates_test $ drush vset automatic_updates_psa_endpoint http://localhost/automatic_updates/test-json
To revert to the official feed:
$ drush vset automatic_updates_psa_endpoint https://updates.drupal.org/psa.json $ drush pm-disable automatic_updates_test
Drupal.org Infrastructure
Automatic Updates is supported and funded by Drupal.org and the Drupal Association.
PSA Feed Format
The PSA feed includes:
- title: The PSA title.
- link: The full PSA URL.
- project: Short project name.
- type: Project type (core, module, theme, etc.).
- is_psa: A flag indicating this is a PSA.
- insecure: List of insecure versions.
- pubDate: Date published.
Canonical PSA feed: https://updates.drupal.org/psa.json
Test feed: https://updates.drupal.org/psa-this-is-only-a-test.json
Package Generation and Security
Drupal.org’s packaging system generates downloads, Composer metadata, and “quasi-patches.” It uses BSD Signify-based signing for patch security.
Drupal maintains a PHP Signify implementation at github.com/drupal/php-signify. Packages are hashed and signed using keys generated from HSMs hosted by Drupal.org.
Providing Feedback
To provide feedback on the Automatic Updates module, submit issues at the Automatic Updates issue queue.
Drupal’s online documentation is © 2000-2020 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License.