Cybersecurity Triage

Dry-Run Unattended Security Upgrades

You need to see which packages unattended-upgrades would install, and which it would hold back, without changing anything on the system.

Command

unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'

What changed

Nothing changes on the system. With --dry-run, unattended-upgrade resolves the upgrade set and reports it instead of installing, and --debug adds the per-package "Checking:" lines and the reasons packages were skipped. sed prints from the "Packages that will be upgraded:" line to the next blank line, or to the end of the output when there is none. The tool still needs root to read the apt state, so run it with sudo on a real host.

Danger

safe

When to use it

Use it to check automatic patch coverage, to confirm that the configured origins (Unattended-Upgrade::Allowed-Origins in /etc/apt/apt.conf.d/50unattended-upgrades) actually match your security pocket, or to find out why a package was not selected (blacklisted, from a non-allowed origin, or held back).

When not to use it

Do not drop --dry-run unless you intend to perform the unattended package upgrades; without it the same command installs whatever it selects.

Undo or recovery

No undo needed because the command is read-only dry-run output.

Expected output

A dry-run section listing the packages unattended-upgrades would upgrade, followed by the per-package "Checking:" lines and any packages it refused, ending with a line confirming that nothing was installed.

demo script

Disposable terminal steps

  1. unattended-upgrade --dry-run --debug
  2. unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ unattended-upgrade --dry-run --debug
Initial blacklist:
Initial whitelist:
Packages that will be upgraded: openssl curl
Checking: openssl ([])
Checking: curl ([])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.
::exit-code::0
$ unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
Packages that will be upgraded: openssl curl
Checking: openssl ([])
Checking: curl ([])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.
::exit-code::0
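Reading the dry-run by eye does not scale to a fleet, so the following is an added example (not part of the lesson and not unattended-upgrades' own code) that turns the debug output into two lists, selected and refused packages, and a pass/fail check a cron or CI job can act on. The sample output is constructed to mirror the fixture above; the "is not allowed to be upgraded unattended" pattern matches the fixture's wording and is an assumption about the real tool's message, so adjust it to what your version prints.

```shell
#!/bin/sh
# Added example: parse `unattended-upgrade --dry-run --debug` output so the
# result can be checked by a script instead of read by eye.

# Constructed sample, modelled on the lesson's fixture. Real --debug output
# carries more lines (allowed origins, per-package origin details, etc.).
SAMPLE='Initial blacklist:
Initial whitelist:
Packages that will be upgraded: openssl curl
Checking: openssl ([])
Checking: curl ([])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.'

# selected_packages: read dry-run output on stdin, print the names after
# "Packages that will be upgraded:" one per line (nothing if the list is empty).
selected_packages() {
    sed -n 's/^Packages that will be upgraded: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# held_packages: read dry-run output on stdin, print packages the run refused.
# The pattern follows the fixture's wording; assumed, not taken from the tool.
held_packages() {
    sed -n 's/^Package \([^ ]*\) is not allowed to be upgraded unattended$/\1/p'
}

# check_dry_run OUTPUT: return 0 when at least one package is selected, 1 when
# the run would be a silent no-op (typically a wrong Allowed-Origins config).
check_dry_run() {
    n=$(printf '%s\n' "$1" | selected_packages | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        return 0
    else
        return 1
    fi
}

# Against a live host (root required by unattended-upgrade even for --dry-run):
#   out=$(sudo unattended-upgrade --dry-run --debug 2>&1)
#   printf '%s\n' "$out" | selected_packages
#   printf '%s\n' "$out" | held_packages
#   check_dry_run "$out" || echo "WARNING: unattended-upgrades would install nothing"
```

The held_packages list is the one worth alerting on: a security-relevant package that keeps appearing there means the origin or blacklist configuration is excluding it, and it will never be patched automatically.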

YouTube Short

Dry-run unattended upgrades.

Before trusting automatic patching, dry-run unattended-upgrade and read what it would actually select.

LinkedIn hook

Unattended upgrades can explain what they would patch before they patch it.

Question: Do you test unattended-upgrades with a dry run before relying on it?

experiments

A/B tests to run

Metric: average_view_duration

A: Automatic patching needs evidence.

B: Dry-run before trusting unattended upgrades.