unattended-upgrade of only security fixes for Sury PHP?

1 vote
0 answers
643 views
I installed PHP 8.1 on a Debian 10 server by adding the [PHP Sury repository](https://deb.sury.org/) as an apt source at `/etc/apt/sources.list.d/php-sury.list`. That all works fine.

I have unattended-upgrades installed and running to update the system. I would now like to update the config to also update PHP packages from that repo. I've added this to my `/etc/apt/apt.conf.d/50unattended-upgrades`:

```
Unattended-Upgrade::Origins-Pattern {
        // Only security updates for Debian:
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        // Added this line for PHP:
        "origin=deb.sury.org,archive=${distro_codename},codename=${distro_codename}";
```

And this works fine - a dry-run shows all available PHP updates would be installed.

However, similarly to how I only allow security-related updates for Debian packages to be installed unattended this way, I'd prefer to only allow security-related updates for those PHP packages to auto-install.

Is there a way to do this, are there keywords I can add to that line in the config file to filter for only something flagged as a security update? I don't know where to find what keywords exist for the updates, nor if a "*security*" keyword or similar exists.

#### UPDATE

The [Packages](https://packages.sury.org/php/dists/buster/main/binary-amd64/Packages) file for my distro lists some packages as `Priority: important`. I tried adding those keywords to the config but this does not work:

```
"origin=deb.sury.org,archive=${distro_codename},codename=${distro_codename},Priority=important";
```

> $ unattended-upgrade --dry-run
> ...
> \_\_main\_\_.UnknownMatcherError: Unknown whitelist entry for matcher Priority (token Priority=important)

(same result with lower-case `priority`).

apt-listchanges a few days ago showed me this (emphasis mine):

> --- Changes for php8.1 (php8.1 php8.1-bz2 php8.1-cgi php8.1-cli php8.1-common php8.1-curl php8.1-mbstring php8.1-mysql php8.1-opcache php8.1-readline php8.1-xml php8.1-zip) ---
> php8.1 (8.1.14-2+0~20230113.32+debian10~1.gbp6a972c) **unstable**; urgency=medium
>
> \*\* SNAPSHOT build @6a972c330d9c17fa8781d610f444a0d26f00c48b \*\*
>
> \* UNRELEASED

I'd rather avoid unstable updates if possible, hence I'm trying to filter on only the most important. Is this possible?

Asked by Don't Panic (111 rep)
Jan 15, 2023, 02:29 AM
Last activity: Jan 17, 2023, 12:47 AM
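
An added illustration, not part of the original question and not unattended-upgrades' own code: a small Python model of how an `Origins-Pattern` line is evaluated. Each token names a field of the repository's Release metadata, so a line selects a whole repository and a per-package field such as `Priority` is rejected; the key table and the `SURY` sample record are assumptions built from the values shown in the question.

```python
import fnmatch

# Origins-Pattern keys (long and short forms) -> Release-file field.
# Assumption: this set mirrors the matcher of the installed version.
RELEASE_KEYS = {
    "o": "origin", "origin": "origin",
    "l": "label", "label": "label",
    "a": "archive", "suite": "archive", "archive": "archive",
    "c": "component", "component": "component",
    "n": "codename", "codename": "codename",
    "site": "site",
}

def parse_pattern(pattern, codename):
    """Split one pattern into (release_field, glob) pairs; reject other keys."""
    pairs = []
    for token in pattern.split(","):
        key, _, value = token.strip().partition("=")
        if key not in RELEASE_KEYS:
            raise ValueError(f"unknown matcher {key} (token {token.strip()})")
        pairs.append((RELEASE_KEYS[key],
                      value.replace("${distro_codename}", codename)))
    return pairs

def matches(pattern, release, codename):
    """True when every token matches the repository's Release metadata."""
    return all(fnmatch.fnmatchcase(release.get(field, ""), glob)
               for field, glob in parse_pattern(pattern, codename))

def lint(patterns, codename):
    """Return (pattern, error) for each pattern the matcher would reject."""
    problems = []
    for pattern in patterns:
        try:
            parse_pattern(pattern, codename)
        except ValueError as err:
            problems.append((pattern, str(err)))
    return problems

# Constructed Release metadata, using only values that appear in the question.
SURY = {"origin": "deb.sury.org", "archive": "buster", "codename": "buster"}
DEBIAN_PATTERN = "origin=Debian,codename=${distro_codename},label=Debian-Security"
SURY_PATTERN = "origin=deb.sury.org,archive=${distro_codename},codename=${distro_codename}"

if __name__ == "__main__":
    print(matches(SURY_PATTERN, SURY, "buster"))      # whole repo is selected
    print(matches(DEBIAN_PATTERN, SURY, "buster"))    # Debian line ignores it
    print(lint([SURY_PATTERN + ",Priority=important"], "buster"))
```

Running `lint()` over the pattern strings from `50unattended-upgrades` before deploying the file catches an unsupported key without waiting for a dry-run to fail.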