fix: preserve staged update dir when pruning orphaned updates on macOS by MarshallOfSound · Pull Request #50210 · electron/electron

MarshallOfSound · 2026-03-11T17:35:22Z

The previous squirrel.mac patch cleaned up all staged update directories before starting a new download. This kept disk usage bounded, but it broke quitAndInstall() if called while a subsequent checkForUpdates() was in flight — the already-staged bundle would be deleted out from under it.

This reworks the patch to:

Read ShipItState.plist and preserve the directory it references
Delete only truly orphaned update.XXXXXXX directories
Refactor the enumerate-and-delete logic into a shared helper so the existing pruneUpdateDirectories still does a full wipe on launch

Disk footprint stays bounded (at most 2 dirs: staged + in-progress) and quitAndInstall() remains safe to call mid-check.

Fixes #50200

Test plan

e test --runners=main -g "autoUpdater behavior" passes on macOS
Updated should preserve the staged update directory and prune orphaned ones when a new update is downloaded — asserts 1 dir during first download, 2 dirs during second (staged preserved + new), and that the original staged dir is among them
New update-race fixture — calls quitAndInstall() while a second checkForUpdates() is downloading; the staged install should succeed
New update-triple-stack fixture — 3 sequential update downloads without restart; directory count never exceeds 2

Notes: Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded.

…macOS The previous squirrel.mac patch cleaned up all staged update directories before starting a new download. This kept disk usage bounded but broke quitAndInstall() if called while a subsequent checkForUpdates() was in flight — the already-staged bundle would be deleted out from under it. This reworks the patch to read ShipItState.plist and preserve the directory it references, deleting only truly orphaned update.XXXXXXX directories. Disk footprint stays bounded (at most 2 dirs: staged + in-progress) and quitAndInstall() remains safe mid-check. Also adds test coverage for the quitAndInstall/checkForUpdates race and a triple-stack scenario where 3 updates arrive without a restart. Refs #50200

loc · 2026-03-11T18:06:53Z

This makes sense to me.

The original thinking in my first patch was that if you get update-available and start downloading, you'll always want the latest version, even if you already have one downloaded (to avoid a double update). However, I missed two key details:

The staged path needs to be cleared from the plist when we clear the directory
App code may not be guarding checkForUpdates for if there is actually a new version (a squirrel footgun as old as time)

Both of these combine into a net worse behavior for certain apps despite the unbounded growth bug being fixed.
Though I still think unstaging the ready update makes more sense in a vacuum, this approach preserving the staged update presents less risk to current applications and so I support. 👍

Thanks for the fix Sam and sorry for the bug, @nikwen!

VerteDinde

Code change looks good to me - it should address the issue and is pretty heavily tested 👍

nikwen

Thanks for working on this!

I believe it's still possible to break the logic with this patch if multiple downloads from multiple autoUpdater.checkForUpdates() calls are running in parallel (which has been totally fine historically).

Starting a new download might delete the directory of an update that is still in progress.

Example of a race condition:

Process A: Update 1 starts downloading
Process A: Update 1 finishes downloading
Process B: Update 2 starts downloading
Process B: As a result, the update directory for update 1 is being wiped
Process A: Squirrel updates ShipItState.plist to point to update directory 1, which no longer exists

It is a narrow time window, but this is the autoUpdater, which should be safe against any kinds of race conditions.

I'm thinking about how to solve this better.

Some ideas:

After we update the ShipItState.plist to a different directory, delete the directory that it previously referenced
- This might not be fully safe though because a race condition with relaunchToInstallUpdate might write back the old URL
Keeping a list of updates that are safe to delete and only deleting those

I'll think about it further and update here when I have a good idea.

nikwen · 2026-03-11T18:54:33Z

How about this?

After we update the ShipItState.plist to a different directory, post a task that runs 1 minute later that deletes the directory that the file previously referenced.

The delay is a generous buffer so that no in-progress call to relaunchToInstallUpdate would write back the old URL.

That would be a pretty minimal patch to prepareUpdateForInstallation. Potentially even less invasive than the current patch.

MarshallOfSound · 2026-03-11T19:07:36Z

I believe it's still possible to break the logic with this patch if multiple downloads from multiple autoUpdater.checkForUpdates() calls are running in parallel (which has been totally fine historically).

This isn't true. checkForUpdates can't be run multiple times concurrently, it has allowsConcurrentExecution = NO which will throw an error RACCommandErrorNotEnabled if multiple calls occur in parallel. I even hit this writing this test

nmggithub · 2026-03-11T19:30:22Z

Still taking a look to add my two cents. I did take a look at our documentation just to sanity check user expectations. It seems we do call out the fact that checkForUpdates downloads updates each time, even on multiple calls, but the wording is quite vague. Even so, I think this behavior change may also require a change to these docs.

electron/docs/api/auto-updater.md

Lines 167 to 169 in 3678edf

    
           > [!NOTE] 
        
           > If an update is available it will be downloaded automatically. 
        
           > Calling `autoUpdater.checkForUpdates()` twice will download the update two times.

nmggithub · 2026-03-11T19:43:40Z

patches/squirrel.mac/fix_clean_up_orphaned_staged_updates_before_downloading_new_update.patch

+	NSParameterAssert(storageURL != nil);
+
+	NSFileManager *manager = [[NSFileManager alloc] init];
+	NSDirectoryEnumerator *enumerator = [manager enumeratorAtURL:storageURL includingPropertiesForKeys:nil options:NSDirectoryEnumerationSkipsSubdirectoryDescendants errorHandler:^(NSURL *URL, NSError *error) {


I'm assuming we expect Squirrel.Mac to always put every update in the same shallow storageURL? That's a sensible behavior and Squirrel.Mac is fairly stable. I did just want to call out what I see as a potentially hidden assumption here.

IMO this is fine because of the e2e test. It expects a specific number of files so if 0 start appearing it will fail. Also yeah, squirrel.mac is fairly changed

Eh, if, for some reason, one or so still stuck around in storageURL, and then others were placed elsewhere, that wouldn't result in zero appearing. Again, I don't think there will be any changes to where updates are placed anytime in the near future. Just wanted to call it out!

nikwen

This isn't true. checkForUpdates can't be run multiple times concurrently

That's great news! Thanks for the correction. 🙌

With that information, the patch looks good to me. It should fix the issue.

On a side note, the tests are beautiful! 👍

patches/squirrel.mac/fix_clean_up_orphaned_staged_updates_before_downloading_new_update.patch

release-clerk · 2026-03-11T22:42:27Z

Release Notes Persisted

Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded.

trop · 2026-03-11T22:43:01Z

I have automatically backported this PR to "39-x-y", please check out #50215

trop · 2026-03-11T22:43:04Z

I have automatically backported this PR to "40-x-y", please check out #50216

trop · 2026-03-11T22:43:13Z

I have automatically backported this PR to "41-x-y", please check out #50217

MarshallOfSound requested a review from a team as a code owner March 11, 2026 17:35

MarshallOfSound added semver/patch backwards-compatible bug fixes target/39-x-y PR should also be added to the "39-x-y" branch. target/40-x-y PR should also be added to the "40-x-y" branch. target/41-x-y PR should also be added to the "41-x-y" branch. labels Mar 11, 2026

electron-cation bot added the new-pr 🌱 PR opened recently label Mar 11, 2026

VerteDinde approved these changes Mar 11, 2026

View reviewed changes

nikwen self-requested a review March 11, 2026 18:26

nikwen requested changes Mar 11, 2026

View reviewed changes

nmggithub reviewed Mar 11, 2026

View reviewed changes

nikwen approved these changes Mar 11, 2026

View reviewed changes

patches/squirrel.mac/fix_clean_up_orphaned_staged_updates_before_downloading_new_update.patch Show resolved Hide resolved

VerteDinde added the fast-track 🚅 Indicates that this PR is intended to bypass the 24 hour rule. Needs approval from Releases label Mar 11, 2026

electron-cation bot removed the new-pr 🌱 PR opened recently label Mar 11, 2026

VerteDinde merged commit 6be775a into main Mar 11, 2026
132 of 136 checks passed

VerteDinde deleted the sam/preserve-staged-update-during-prune branch March 11, 2026 22:42

This was referenced Mar 11, 2026

fix: preserve staged update dir when pruning orphaned updates on macOS #50215

Merged

fix: preserve staged update dir when pruning orphaned updates on macOS #50216

Merged

fix: preserve staged update dir when pruning orphaned updates on macOS #50217

Merged

trop bot added in-flight/39-x-y in-flight/40-x-y and removed target/39-x-y PR should also be added to the "39-x-y" branch. target/40-x-y PR should also be added to the "40-x-y" branch. labels Mar 11, 2026

trop bot added in-flight/41-x-y and removed target/41-x-y PR should also be added to the "41-x-y" branch. labels Mar 11, 2026

trop bot added merged/41-x-y PR was merged to the "41-x-y" branch. merged/39-x-y PR was merged to the "39-x-y" branch. merged/40-x-y PR was merged to the "40-x-y" branch. and removed in-flight/41-x-y in-flight/39-x-y in-flight/40-x-y labels Mar 12, 2026

Conversation

MarshallOfSound commented Mar 11, 2026 • edited by nikwen Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test plan

Uh oh!

loc commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

VerteDinde left a comment

Choose a reason for hiding this comment

Uh oh!

nikwen left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

nikwen commented Mar 11, 2026

Uh oh!

MarshallOfSound commented Mar 11, 2026

Uh oh!

nmggithub commented Mar 11, 2026

Uh oh!

nmggithub Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

MarshallOfSound Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

nmggithub Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

nikwen left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

release-clerk bot commented Mar 11, 2026

Uh oh!

trop bot commented Mar 11, 2026

Uh oh!

trop bot commented Mar 11, 2026

Uh oh!

trop bot commented Mar 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

MarshallOfSound commented Mar 11, 2026 •

edited by nikwen

Loading

loc commented Mar 11, 2026 •

edited

Loading

nikwen left a comment •

edited

Loading