Relevant area(s)
WinGet CLI
Description of the new feature / enhancement
Add an optional user setting installBehavior.upgradeDelayInDays that delays upgrades when running winget upgrade --all by skipping updates whose ReleaseDate is newer than the configured age, reducing exposure to newly published (and so, supply-chain/bug risky) releases.
So, for example, if installBehavior.upgradeDelayInDays is set to 5 days, and a new version of Mozilla.Thunderbird was released just yesterday, when running winget upgrade --all, the installation of this upgrade will be delayed for another 4 days.
It is the same idea as this config param from dependabot: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
Proposed technical implementation details
Read installBehavior.upgradeDelayInDays from settings (default: 0).
During winget upgrade --all, for each available upgrade, if installBehavior.upgradeDelayInDays > 0, compare "today" to the package's ReleaseDate (prefer the selected applicable installer’s ReleaseDate, fall back to manifest.DefaultInstallerInfo.ReleaseDate).
If the age is less than the configured delay, skip that upgrade, continue processing the rest, and show a summary indicating how many upgrades were skipped due to the delay (with guidance to upgrade individually to override).
If ReleaseDate is missing/invalid, skip that upgrade in the same way as above.
If the age is more than the configured delay, process that upgrade in a classical way.
Those verifications are located in UpdateAllApplicable, so upgrading a single package isn't affected by them.
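The decision rule proposed above, written out as an added C++ sketch (not code from the issue or from the WinGet code base). The types Candidate and Decision, the function names, the YYYY-MM-DD date format and the choice that an age equal to the delay installs are assumptions made for illustration; the sample dates are constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Hypothetical types for illustration; not WinGet's own structures.
enum class Decision { Upgrade, SkippedByDelay };
struct Candidate {
    std::string id;
    std::optional<std::string> installerReleaseDate; // selected applicable installer
    std::optional<std::string> defaultReleaseDate;   // manifest default installer info
};

// Parses strict YYYY-MM-DD into days since 1970-01-01; nullopt if malformed.
static std::optional<long> ParseDate(const std::string& s) {
    if (s.size() != 10) return std::nullopt;
    for (std::size_t i = 0; i < 10; ++i)
        if ((i == 4 || i == 7) ? s[i] != '-' : !std::isdigit((unsigned char)s[i])) return std::nullopt;
    int y = std::stoi(s.substr(0, 4)), m = std::stoi(s.substr(5, 2)), d = std::stoi(s.substr(8, 2));
    static const int dim[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    bool leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    if (m < 1 || m > 12 || d < 1 || d > dim[m - 1] + (m == 2 && leap)) return std::nullopt;
    y -= m <= 2;  // civil-date to day-count conversion (no time zone involved)
    long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    long doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

// Applies the proposed rule to one candidate; assumes age == delay is old enough.
Decision Evaluate(const Candidate& c, const std::string& today, int delayDays) {
    if (delayDays <= 0) return Decision::Upgrade;            // default 0: feature off
    const auto& raw = c.installerReleaseDate ? c.installerReleaseDate : c.defaultReleaseDate;
    std::optional<long> released = raw ? ParseDate(*raw) : std::optional<long>{};
    std::optional<long> now = ParseDate(today);
    if (!released || !now) return Decision::SkippedByDelay;  // missing/invalid: skip
    return (*now - *released < delayDays) ? Decision::SkippedByDelay : Decision::Upgrade;
}

// Number of skipped candidates, the figure the end-of-run summary would show.
int CountSkipped(const std::vector<Candidate>& all, const std::string& today, int delayDays) {
    int skipped = 0;
    for (const auto& c : all) skipped += Evaluate(c, today, delayDays) == Decision::SkippedByDelay;
    return skipped;
}

int main() {  // constructed sample: released one day before "today", delay of 5 days
    std::vector<Candidate> all = {{"Mozilla.Thunderbird", std::string("2025-06-09"), std::nullopt}};
    std::printf("skipped: %d\n", CountSkipped(all, "2025-06-10", 5));
}
```

A ReleaseDate that is present but malformed is treated as invalid rather than triggering the fallback, so the check fails closed.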