man dnf writes:
Deprecated aliases: list-updateinfo, list-security, list-sec, info-updateinfo, info-security, info-sec, summary-updateinfo
dnf [options] updateinfo [--summary|--list|--info] [<availability>] [<spec>...]
Display information about update advisories.
Depending on the output type, DNF displays just counts of advisory types (omitted or –summary), list of advisories (–list) or detailed information (–info). The -v option extends the output.
And for “update”:
Deprecated aliases: update, upgrade-to, update-to, localupdate
dnf [options] upgrade
Updates each package to the latest version that is both available and resolvable.
Where [options] can include:
Includes packages that provide a fix for a security issue. Applicable for the upgrade command.
So, ‘updateinfo’ queries database, but ‘update’ actually attempts to install packages. There are subtle differences, mostly in dependency resolution – the actual install tends to fail since queries do not test everything about transactions.
On one of my Alma 8 setups that has packages available that are flagged “security”, the
dnf up --security
Fails with “conflicting packages”, but the more inclusive
dnf up runs fine.
Overall, it is (IMHO) bad practice to “cherry-pick” just some subset of packages for update.
dnf --enablerepo=* clean all