I assume it is safe to ignore security updates for modules that are disabled.

This module therefore should not provide warning messages on all pages of the website if there are security updates available for disabled modules.

It is interesting and important for many of us to see whether disabled modules have updates. But we do not need to be alarmed when an update happens to have a security nature.

From an administrator's point of view that is a false positive (a security hole of a disabled module is not a security hole) and means extra work (it takes time to scroll down the long list and make sure none of the enabled modules have security updates).

Comments

greggles

Sometimes the vulnerabilities exist regardless of whether or not the module is enabled, so I think it's better to warn on all modules.

Vacilando

That's a good point. I can imagine some security holes may be troublesome even if the affected modules are not enabled.

But that raises another point. If sites can be compromised by having unpatched disabled modules, then either a) Update status advanced settings module should be strongly recommended / required (because users won't learn about threats otherwise) or b) users should be encouraged to delete all disabled modules from their module directories...?

Perhaps this issue could be mentioned in the project page text, and elsewhere in documentation (what's the best place?)

dww

Status: Active » Closed (won't fix)

@vacilando: The ability to track status for disabled modules is in Update status in D7 core (now called the "Update manager", since it also lets you install/update stuff), although this behavior is not enabled by default. Not sure where to document this concern. People generally don't read documentation. ;)