Further emphasize upgrade notice for critical security updates
Problem statement
We will have a mechanism for showing a notification to administrators when their instance is out of date, and highlighting if they are out of date for security fixes: #295266 (comment 478318077)
This is a great first iteration to better surfacing the need for these users to upgrade. However every so often, we can find critical security vulnerabilities within our product, that can justify even broader messaging to administrators or potentially even users.
As of 14.5 (assuming the above ships) the most we can do is show a notification dot and an Update ASAP
in the admin menu. Is there more we can do for particularly severe security vulnerabilities?
Potential solutions
Solutions could take the form of something like:
- Extending the JSON returned to allow for a text field to provide additional context on the need to upgrade, or benefits of upgrading.
- Having an additional "wider notification" function for critical security vulnerabilities, which will notify a wider audience, or notify admins in a much more obvious fashion.
- Generating email messages or other content to administrators to prompt them to upgrade.
- And so on
Updates
August 31, 2022
We have a number of issues related to this feature that are being worked on. This is the order or operations in order to complete this deliverable.
- Upgrade badge seems to be gone from admin view
- List latest 3 stable versions in the version check endpoint
- Version Check API (check.json) - Add details field to API response
- Add a call-to-action to the version indicator
- Instrument and track upgrade notification views
- Display details of missing security fixes in /help page
May 31, 2022
We should only use the notification for admins