@LinkChef

By default, that package will generally only install security updates unless otherwise configured. The configuration file that governs what is actually updated is located here:

/etc/apt/apt.conf.d/50unattended-upgrades

At the top of the file you’ll see something that looks like:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Notice the first two lines are not commented while the next three are. That means that only security updates will be automatically installed as they are available. This is what you want.

Unless you’re 100% sure that uncommenting the third line to allow updates of all types to be applied will not break something down the line, it should be left commented. Why? This targets everything on your system – MySQL, PHP, NodeJS, Apache/NGINX, etc – i.e. anything you’ve installed from the CLI using the package manager. If something happens during one of the upgrades that causes it to fail or if it overwrites configuration that you’ve changed, you’ll have to go in and fix it.

It’s best to apply upgrades at your leisure and allow the unattended manager to only work with the security updates portion of what’s available.