Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Some details are in #3045273: Add real endpoint after drupal.org provides a live feed
Comments
Comment #3
drummhttps://updates.drupal.org/psa.json is now available hosting the file written by this.
Comment #11
drummThis is now deployed. If we were to flag https://www.drupal.org/psa-2019-05-07 with this, https://updates.drupal.org/psa.json would have
I think next we should update that SA’s project to Drupal core, so
insecure
will be populated; and add functionality for writing to a test API endpoint.Comment #13
DrCuriosity CreditAttribution: DrCuriosity at Catalyst IT commentedThis looks like an excellent initiative, and very much appreciated.
Is there any facility for a PSA item on this API to be updated, once it has been created? If so, it might be useful to include an update timestamp field in the JSON, and be able to sort the PSA items by that field.
My use case for this is a downstream system that tracks updates across a large number of managed Drupal systems, so that we can have a rapid turnaround in situations where patching needs active developer support. Some of our clients have high security assurance needs.
Being able to sort PSA by update time would mean that we could run checks incrementally, rather than having to re-process each item every time we poll the API in order to guarantee that their information is fully up to date.
Lastly, are there any plans for pagination on the API as the number of PSAs grows over time?
Thank you kindly :-)
Comment #14
drummDocumentation for the
psa.json
endpoint is at https://www.drupal.org/docs/8/update/automatic-updates#s-public-service-....Yes, PSAs may be updated. Notably, the
insecure
list of releases will be updated to include newly-insecure releases as the related SA is published. We could take the maximum of the PSA updated date, and all the insecure releases, but that would keep needlessly updating as release notes are revised. The time a release was marked insecure is only stored in the revision log, going through that is technically possible, but would not be great code to maintain.The planned use of this API is only for highly critical updates which we hope as many Drupal sites as possible set to automatically update. It does not include all PSAs. I recommend using the existing API https://www.drupal.org/drupalorg/docs/api#s-show-all-thesecurity-advisor... for all recent security advisories. PSAs are nodes with the
sa
content type, andfield_is_psa = 1
, which can be filtered on, if needed.