Is it a safe alternative to Drupal Core’s update module? #24

Open
obriat opened this issue Apr 26, 2021 · 3 comments

@obriat

obriat commented Apr 26, 2021

Hi,

I stumbled upon your package when analysing drush code (https://github.com/drush-ops/drush/blob/10.x/src/Commands/pm/SecurityUpdateCommands.php#L101) but I didn't find any reference on drupal.org.

Since it's about security, IMHO this repo and the drush mechanism should be documented on drupal.org and in the update status page (https://www.drupal.org/drupalorg/docs/apis/update-status-xml).

Also, even if the contributors are well-known members of the community, this repo should be moved into the official one (https://github.com/drupal) to reassure everyone, no?

One last remark, since the default branch is not updated at each security update, the project seems outdated.

@bradjones1

> Also, even if the contributors are well-known members of the community, this repo should be moved into the official one (https://github.com/drupal) to reassure everyone, no?

I can't speak for the Drupal Association but I imagine this would be something they'd have to seriously consider vs. other responsibilities, since if they maintain it, now they have to... maintain it at the same level as other infrastructure.

> One last remark, since the default branch is not updated at each security update, the project seems outdated.

What do you mean? Does this relate to the schedule for building? I imagine this is already/could be automated...?

@bradjones1

And also... sort of? Issues like #7 and #29 would bring in some more of the data that the update status report provides.

That said, update status can't run on an uninstalled site during your CI pipeline.

@obriat
Author

obriat commented Dec 15, 2021

Thanks for your answer.
I was speaking about the project homepage: at first glance the default branch (build-v2) seems to be 2 years old, so not as up to date as expected for a security "scanner", and since there is no release, the project seems (at first sight) dead.
A simple regular update on this branch should do the trick?
