Impact of not doing these updates on the CMS

Hello, I am a new hire, tasked with managing a vendor who is supposed to update our website. They have not been doing so, and I am not technical enough to know whether these Drupal updates will have a huge impact on us when they are not attended to. I attached 2 screenshots here and really hope you can shed some light. Very much appreciated.

Kevin
Find a new vendor. You're paying for services not being rendered and there are standing security releases. Your vendor should be apprising you of the matter(s).
We could answer a specific question about a specific security update by linking to release notes or security advisories, but this question as written is difficult to answer because it depends on opinions of what “huge impact” means. We can only answer in generalities.

Any updates marked as a Security update should be applied as soon as possible.

Security updates by the Drupal Security Team are announced here and, since Drupal is open source, failing to patch your site leaves you open to attacks because people can look at the content of the security announcements and find the vulnerabilities in your site's code. This is why it is important to patch immediately.

Now, not every announcement requires immediate action; to find out how soon you need to act, you have to actually read the security announcements for core/the relevant contrib module. In many cases, there may only be a security problem if users have certain permissions, and if you only have admins and anonymous users (a common setup), you may not have to do anything in that specific case.

In your case, based on the list of modules shown, Entity Print has a security update, which was fixed in version 2.5, which was released on April 11, 2022.

This means that your vendor has ignored an important security patch for over half a year, which is pretty terrible performance for which there is not really an excuse. So as @Kevin said, I would find a new vendor.
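To make the check in this answer concrete (which installed packages are below an advisory's first fixed version, and how long that fix has been out), here is an added script that is not from this thread or from the Drupal project. It reads a constructed composer.lock excerpt against a constructed advisory table; only the Entity Print row (fixed in 2.5, released April 11, 2022) comes from the answer, and the example_contrib package, the sample lock file and the check date are assumptions.

```python
"""Added example, not from this thread or from Drupal: flag composer.lock
packages older than an advisory's first fixed version, with fix age."""
import json
from datetime import date

# Constructed advisory table: only the entity_print row comes from the answer
# above (fixed in 2.5, released 2022-04-11); example_contrib is hypothetical.
# Real advisories are published at https://www.drupal.org/security
FIXED_VERSIONS = {
    "drupal/entity_print": ("2.5", date(2022, 4, 11)),
    "drupal/example_contrib": ("1.4", date(2022, 9, 1)),
}

# Constructed composer.lock excerpt; a real one lists every dependency.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/entity_print", "version": "2.2.0"},
    {"name": "drupal/example_contrib", "version": "1.4.0"},
    {"name": "drupal/token", "version": "1.11.0"},
]})

def parse_version(v):
    """Normalise '8.x-2.5', 'v2.5' or '2.5.0-beta1' to a 3-tuple of ints.
    Pre-release suffixes are dropped, so a beta compares as its final."""
    v = v.lstrip("v")
    if v.split("-", 1)[0].endswith(".x"):        # '8.x-2.5' -> '2.5'
        v = v.split("-", 1)[1]
    parts = v.split("-", 1)[0].split(".")
    if not all(p.isdigit() for p in parts):      # e.g. 'dev-main'
        raise ValueError(f"unrecognised version {v!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def outstanding_security_updates(lock_json, today_iso, fixed=FIXED_VERSIONS):
    """Return {package: (installed, first_fixed, days_since_fix)} for each
    installed package whose version predates the advisory's fix."""
    today = date.fromisoformat(today_iso)
    installed = {p["name"]: p["version"]
                 for p in json.loads(lock_json).get("packages", [])}
    findings = {}
    for name, (first_fixed, fix_date) in fixed.items():
        have = installed.get(name)
        if have and parse_version(have) < parse_version(first_fixed):
            findings[name] = (have, first_fixed, (today - fix_date).days)
    return findings

if __name__ == "__main__":
    # Constructed check date, roughly when the thread was written.
    for name, (have, need, days) in outstanding_security_updates(
            SAMPLE_LOCK, "2022-10-27").items():
        print(f"{name}: installed {have}, fixed in {need}, fix out {days} days")
```

Packages absent from the advisory table (drupal/token here) are ignored, and a package already at or above the fixed version (example_contrib) is not reported, so the output lists only what actually needs patching.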

bella
Very much appreciated. This is my 2nd week at the job. My team has been looking at new vendors, but the process of scouting is always long. So I want to know, in the interim, whether the impact will be high if the vendor is not patching for us. My team has told them several times to patch, but they are stalling us because whenever they fix one item, they break another item...
@bella You have to read all the security advisories yourself; I can't make that call for you. However, speaking generally, because you have security vulnerabilities that have been public for 6+ months, I would consider that high impact. If the Drupal site is properly maintained, patches should be able to be applied within a single day in the vast majority of cases; it definitely is not something that should take weeks to handle.