Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Users should be able to check for updates without automatically installing them #1455

sizzlemctwizzle opened this Issue · 14 comments

7 participants


Issue #1442 makes updates install automatically when they are found. You can disable this for all extensions and scripts, but you can't enable/disable this on a per-script basis like you can with extensions.


You can elect to not check for updates -- and thus not install updates, because none will ever be ever found. Is this insufficient?


Security mostly. You might want to review updates before actually installing them (especially if you have "require https" disabled). In this case, being able to see which scripts have available updates would still be very useful.

Also, I have few scripts that I have customized locally. I made my gm_scripts folder a git repo. If I noticed one of these scripts had an update, I could create and checkout a new branch, manually update the script and then merge it with my modified version.

I made my gm_scripts folder a git repo. If I noticed one of these scripts had an update, ...

Good point... great way to potentially destroy a development suggestedfix/master/trunk as well that hasn't been suggestedfixed/published/committed/checkedin yet and GM updates during testing phase. Automatic installation should be easily user selectable for devs at minimum.

Typically I usually run at least one version ahead of what I publish but I also like to check update capability in between on occasion.



Checking for updates is already optional globally, and optional per script. IMO that's enough, I vote wontfix.


Someone asked for my opinion here, and here it is.

I'm not too sure what the current situation is, but I can +1 auto-updates as the default method for updating as the majority generally don't care (or understand) the code being updated.

As far as configuration details goes, a simple enable / disable toggle for each script is more than enough. Those who genuinely care about diffs between each version know to check the file on disk and the authors change-log. I think the added complexity of options beyond this would be distracting.


The argumentative tone in thread is raising my blood pressure. I've deleted posts, to bring it back down. Please refrain from arguments.

Everyone is welcome to express their own opinion. Discussion of ideas is also of course welcome. But be civil.


I am in favor of somekind of warning (like an option in the greasemonkey menu) that says which scripts have new version.
But I am completely against the auto-install of updates (not even an option/metadata/etc for enabling this). If this really comes for the new GM, I will stop using every scripts NOT made by me.
And I don't know how the process of checking for new version would work to local scripts that have not been uploaded anywhere or that have been uploaded to sites other than


And I don't know how the process of checking for new version would work to local scripts that have not been uploaded anywhere or that have been uploaded to sites other than

GM keeps track of urls (except local locations) where user scripts are installed from and uses this url to check for updates and install updates that are found. There are metadata keys to override this behavior. More details here.

Edit: Perhaps we can open a topic on list to discuss this since there are many more people who follow that. I'd be nice to get more opinions.



At a minimum, I would like to see some kind of ability to turn off the "auto-installation" of any given GM scripts (along with a global setting to disable all auto-install script updates). This is not to say I would not want to be notified of all updates, but rather the ability to see when (and what) is happening.

My ideal preference on this issue would be that users be required to "opt-in" to receive automatically installed script updates. To me, this seems like a major security hole, and something personally I would never want enabled for GM. Over the last couple years, I have witnessed a number of other script "authors" insert extremely malicious code snippets after a large usage database had been established. This feature (if turned on) would only open the door wider for this kind of ill-intent.


I created a thread on the google group. We should probably continue this discussion there so more voices can be heard.


Any code forthcoming for this issue?


Just recording this somewhere because I keep forgetting about it. Default Firefox behavior for extensions:

  • Automatically seek, and install when found, extension updates. (Caveat: there are stronger security requirements for this to work.)
  • The user may toggle the global (default on) "Update Add-ons automatically" preference (extensions.update.autoUpdateDefault).
  • The user may toggle the per-script (via the "Show More Information" page) automatic updates preference (applyBackgroundUpdates in extensions.sqlite).

If either of those preferences are off, updates when found will show in the "available updates" tab (which is only visible when non-empty).

@arantius arantius closed this in 2109ae7

If you're interested in script auto-updating please check out the 0.9.18beta1 build:

(Open the 'development channel' section at the bottom of the page.) Feedback to greasemonkey-dev is great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.