Is it OK to update the Entity API module which now has a security update released - or should I wait for a new version of Commerce Kickstart which incorporates the new version of this module?

Comments

vasike

Title: Entity module » Update Entity API module - Security release
Version: 7.x-2.9 » 7.x-2.x-dev
Category: support » task
Priority: Normal » Major
Status: Active » Needs review

I think you could do it without breaking Kickstart.
But usually you should use (first wait) for a new version with the updates for the modules.

Anyway, I think this is an important task for Commerce Kickstart. Thank you for opening this issue.
Here is the gerrit commit for this: https://code.drupalcommerce.org/#/c/734/

Jon Pollard

I did a trial on a dev version of the site and it looked like it behaved a bit differently - I had set my cart up to show product images and they were no longer there - so I think I will wait for the new version of kickstart!

In the meantime though, my site is not 100% secure, although looking again at the security news email on this it doesn't seem particularly serious! I just wanted to clarify really, that modules in kickstart shouldn't be updated individually, but as part of an entire kickstart version update.

vasike

It seems there are also other modules to be updated: Variable and Module.
Another module which requires an update is Chosen, which is not supported, version 1.
But I think the module (version 2) should have at least a beta release.

I rebased the gerrit commit, including these new versions in the drupal-org.make file.

@jonty17: thanks for sharing your experience.
I think we need the updates at least on the dev version, so it could be tested by the community and issues reported to be solved.

jsacksick

Status: Needs review » Fixed

I merged the commit. I couldn't really test if it didn't break anything; anyway, this can be tested by the community and they'll be able to report any issues.

Jon Pollard

@jsacksick: does that mean that these updated modules are now part of the dev 7.2-x version?

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.