Hello Cleavr Team,

I am working on tightening the security posture of several Cleavr-managed VMs. To satisfy external vulnerability scanning compliance, I need to routinely patch system dependencies. However, I want to avoid breaking the automated DevOps pipeline or causing configuration drifts that would disrupt Cleavr’s management scripts.

I am aware that Cleavr provisions servers with unattended security upgrades enabled by default. My primary concern lies with the remaining non-security service updates and minor dependency packages.

To help me map out a safe patching strategy, could you clarify the following points regarding Cleavr’s underlying architecture:

1. What specific core packages should be strictly held (via apt-mark hold) or blacklisted from automated/manual updates to protect Cleavr’s integrations? (e.g., nginx, php*-fpm, mysql-server, redis-server, nodejs, etc.)

2. What exactly breaks if a core service like Nginx or PHP-FPM receives a standard package update? Does Cleavr rely on highly specific custom binaries, or is the threat primarily about default package maintainer configurations overwriting Cleavr’s custom templates in /etc/nginx/ or /etc/php/?

3. Is there an officially recommended way to safely run general repository updates (like system libraries, utilities, or kernel patches) without blinding the Cleavr dashboard or bricking site connectivity?

4. If an external compliance audit explicitly demands we upgrade a non-security system package that Cleavr manages, how should we evaluate if it’s safe? Is there a recommended way to test if a package update will break Cleavr’s integration hooks prior to running it on production?

I want to avoid a scenario where an upgrade feels too risky to attempt, but leaving it unpatched triggers compliance alerts. Any insight into what is safe to touch and what is a dangerous would be incredibly helpful!

Thank you!

Hello @yesh,

Cleavr does not use custom-compiled binaries. We install standard packages from Ubuntu/Debian repositories, some third-party PPAs, and official vendor repositories (e.g., MySQL and PostgreSQL).

Some of the packages we recommend holding, or at least upgrading very deliberately, are: nginx , php , php-fpm , mysql-server , mariadb-server , postgresql , redis , curl , wget , git , zip , and unzip .

For routine updates of system libraries, utilities, or kernel patches , there is no official Cleavr-managed upgrade path.

If an audit requires you to upgrade, the recommended approach is to:

1. Provision a test server with the same Cleavr server type, Ubuntu version, and installed services as your production server.
2. Run the upgrade there first.
3. Verify that services still show as healthy in Cleavr, deployments still work, and sites remain accessible.
4. If anything breaks, reach out to us . We will be happy to help investigate the issue where possible.

If everything works as expected on the test server after the upgrade, you can safely apply the same upgrade process to your other servers.

We also proactively address known CVEs when they affect Cleavr-managed systems. For example, we shipped a fix for CVE-2026-31431 (“Copy Fail”) . For Dirty Frag , we published guidance on the forum rather than shipping an automatic patch.

I hope we were able to address your questions. If any of your queries remain unanswered, or if you have any additional questions or concerns, please don’t hesitate to let us know. We’re happy to help.

Thank you. I will reach out if anything comes up.

Hi @anish , which packages to hold if I have nodejs, adonisjs, nextjs apps?