WP Security Updates

Is there a reason why Production couldn’t/shouldn’t have WP security updates at least? Like the upgrade from 4.7.2 to 4.7.3.

I know it’s simple to do the upgrade via Composer and the Ansible deploy, but I have multiple sites I now need to do this on.

If there were a one-line command to handle the Composer update / git push / deploy, that would be super.

You could use wp-cli to ssh into your live server and update the core.

We’ve talked about this a little before. My concern is that I’ll forget to update my composer.json since my server is auto-updating, and then accidentally deploy a vulnerable version on my next deploy.

If I have to do all updates manually it’s easier to remember.
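The one-line Composer bump / push / deploy asked for above, the wp-cli-over-ssh suggestion, and the worry about a self-updating server getting ahead of composer.json can be combined in one script. The following is an added example, not Trellis or Bedrock code: it assumes hypothetical site paths, that core comes from the `roots/wordpress` Composer package (older Bedrock pinned `johnpbloch/wordpress`; override with `WP_PACKAGE`), that Trellis is deployed with `./bin/deploy.sh production <site>`, and that each Bedrock repo has a `wp-cli.yml` defining an `@production` ssh alias. It runs in dry-run mode by default and refuses to deploy when the live server already runs a newer core than the target, which is exactly the "deploy a vulnerable version over an auto-updated one" case.

```shell
#!/bin/sh
# Added example, not Trellis/Bedrock code: bump the WordPress core package in
# several Bedrock checkouts, commit, push, deploy each with Trellis, and check
# the result against what is live through a wp-cli ssh alias.
set -eu

# Constructed inventory, one "<bedrock repo>:<trellis dir>:<site key>" per line.
# All paths are hypothetical.
SITES="
/srv/clients/example.com/site:/srv/clients/example.com/trellis:example.com
/srv/clients/another.test/site:/srv/clients/another.test/trellis:another.test
"

# Assumption: core is installed via this Composer package.
WP_PACKAGE="${WP_PACKAGE:-roots/wordpress}"
TARGET="${1:-4.7.3}"      # version to pin, e.g. ./wp-bump.sh 4.7.3
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0 executes instead of printing

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# field VERSION N: N-th dot-separated component, 0 when absent ("4.7" -> 4, 7, 0).
field() {
  printf '%s.0.0.0' "$1" | cut -d. -f"$2"
}

# version_lt A B: exit 0 when A is numerically lower than B field by field,
# so 4.7.9 < 4.7.10 and 4.7.3 is not lower than 4.7.3.
version_lt() {
  lhs=$1; rhs=$2; i=1
  while [ "$i" -le 3 ]; do
    a=$(field "$lhs" "$i"); b=$(field "$rhs" "$i")
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# drift LOCKED LIVE: what a deploy of LOCKED would do to a server running LIVE.
# "downgrade" is the dangerous case: the server auto-updated past the repo and
# the next deploy would ship the older core again.
drift() {
  if version_lt "$2" "$1"; then echo "upgrade"
  elif version_lt "$1" "$2"; then echo "downgrade"
  else echo "same"; fi
}

# Version of WP_PACKAGE pinned in composer.lock, empty if not present.
locked_version() {
  [ -f "$1/composer.lock" ] || return 0
  grep -A2 "\"name\": \"$WP_PACKAGE\"" "$1/composer.lock" \
    | sed -n 's/.*"version": "v\{0,1\}\([0-9.]*\)".*/\1/p' | head -n 1
}

bump_site() {
  repo=$1; trellis=$2; site=$3
  locked=$(locked_version "$repo")
  if [ -z "$locked" ]; then
    echo "skip $site: no $WP_PACKAGE entry in $repo/composer.lock"; return 0
  fi
  if ! version_lt "$locked" "$TARGET"; then
    echo "ok $site: already at $locked"; return 0
  fi
  # Refuse to deploy over a live core that is newer than what we are pinning.
  if [ "$DRY_RUN" != "1" ]; then
    live=$(cd "$repo" && wp @production core version)
    if [ "$(drift "$TARGET" "$live")" = "downgrade" ]; then
      echo "refuse $site: live runs $live, newer than $TARGET; bump TARGET first"; return 1
    fi
  fi
  echo "$site: $locked -> $TARGET"
  run composer --working-dir="$repo" require "$WP_PACKAGE:$TARGET" --update-with-dependencies
  run git -C "$repo" commit -am "Update WordPress to $TARGET"
  run git -C "$repo" push
  run sh -c "cd '$trellis' && ./bin/deploy.sh production '$site'"
  run sh -c "cd '$repo' && wp @production core version"   # confirm what is live now
}

bump_all() {
  for entry in $SITES; do
    repo=${entry%%:*}; rest=${entry#*:}
    trellis=${rest%%:*}; site=${rest#*:}
    bump_site "$repo" "$trellis" "$site"
  done
}

bump_all
```

Run it once as a dry run to see the commands per site, then `DRY_RUN=0 ./wp-bump.sh 4.7.3`. The `@production` alias it relies on is the standard wp-cli form in `wp-cli.yml` (`@production:` with an `ssh: user@host/path/to/current` entry); the live-version check is what turns the manual "remember to bump composer.json" step into something the deploy refuses to skip.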


Wouldn’t the version you then deploy to live also get the security update when a user hits it?

Sure but there would be a non-zero amount of time that it would be vulnerable, potentially long after the vulnerability has been fixed. If you have to do it all manually then you get to fix it, and keep it fixed.

That’s just how I see it, though.

I’m with you and it makes sense. It can just be tricky if you’re managing 30, 40, 50+ sites. Pros/cons here are tricky.


Could it not be set to ignore a composer install if the installed version is higher than the one listed in composer?

It really is a problem for me with 15 or so sites on Trellis now.

Do you guys have any updates on this?

I’m setting up a client with a new awesome setup and thought Trellis/Bedrock would be great. But not allowing them to update/install plugins is like a punch in the gut. There has to be a decent way for everyone to be happy.