Skip to content

kyubiware/opencode-update-guard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github/workflows
.github/workflows
 
 
bin
bin
 
 
src
src
 
 
.gitignore
.gitignore
 
 
AGENTS.md
AGENTS.md
 
 
README.md
README.md
 
 
bun.lock
bun.lock
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

opencode-update-guard

An OpenCode plugin that mitigates npm supply chain attack risk by replacing OpenCode's auto-update behavior with a maturity-gated update system.

⚠️ Work in progress. This plugin is early-stage and untested. Use at your own risk.

Why?

OpenCode and its plugins update automatically by default. When a malicious package is published to npm, auto-updaters can pull it in before anyone has time to notice. This plugin replaces that flow with a 3-day maturity cooldown: updates are detected at session start, but only flagged for install once they've been live on npm long enough to be considered safe.

How it works

On every new OpenCode session, Update Guard checks three sources for available updates:

  1. OpenCode CLI (opencode-ai on npm)
  2. Project dependencies (from package.json)
  3. OpenCode plugins (from opencode.json / opencode.jsonc)

For each available update, it looks up the publish time on npm and classifies it:

Status Meaning
Ready to install Published 3+ days ago
Waiting for maturity Published recently, cooldown period not yet elapsed
Age unknown Publish time couldn't be determined

Checks run once per 24 hours (cached in .cache/update-guard-last-check).

Install

npm install -g opencode-update-guard

The postinstall script automatically registers the plugin in your global opencode.json (~/.config/opencode/opencode.json).

Manual setup

If you prefer to register manually, add the plugin to your opencode.json:

{
  "plugin": ["opencode-update-guard"]
}

Output example

**Update Guard** — 3-day maturity cooldown

**Ready to install:**
  - `opencode` 0.4.1 → 0.4.3 (5d 2h old)

**Waiting for maturity:**
  - `some-plugin` 1.0.0 → 1.1.0 (1d 3h old, 1d 21h remaining)

Disabling auto-updates

This plugin reports available updates but doesn't block OpenCode's built-in auto-update mechanism on its own. To fully disable auto-updates, set the following in your opencode.json:

{
  "autoUpdate": false
}

Configuration

Setting Default Description
Maturity cooldown 3 days How long a version must be published before it's considered safe to install
Check frequency 24 hours Minimum time between update checks

These are currently hardcoded. Configurable options may be added in a future release.

License

MIT

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.1 Latest
May 12, 2026

Packages

 
 
 

Contributors

Languages