feat: add upgrade delay setting for upgrade --all

Author: mdevolde

doc/ReleaseNotes.md

@@ -28,6 +28,10 @@ match criteria that factor into the result ordering. This will prevent them from
 
 ## Minor Features
 
+### Upgrade delay for `winget upgrade --all`
+
+Added the `installBehavior.upgradeDelayInDays` user setting to delay `winget upgrade --all` until an upgrade's `ReleaseDate` is at least N days old. This helps reduce exposure to newly published updates that may be part of a supply chain attack.
+
 ### Preserve installer arguments across export and import
 
 `winget export` now captures the `--override` and `--custom` arguments that were used when a package was originally installed and saves them into the export file. When subsequently running `winget import`, those values are automatically re-applied during installation — `--override` replaces all installer arguments and `--custom` appends extra switches — so packages can be reinstalled with the same customizations without any manual intervention. Both fields are optional and independent of each other; packages without stored installer arguments are unaffected.

doc/Settings.md

@@ -218,6 +218,18 @@ The `maxResumes` setting determines the maximum number of times that a command m
 
 > Note: [The resume behavior is an experimental feature.](#resume)
 
+### Upgrade delay
+
+The `upgradeDelayInDays` setting delays upgrades when using `winget upgrade --all` by skipping upgrades whose manifest `ReleaseDate` is more recent than the configured age. The default value is 0 (disabled).
+
+```json
+    "installBehavior": {
+        "upgradeDelayInDays": 14
+    },
+```
+
+> Note: If the package manifest does not include a valid `ReleaseDate`, the upgrade will be skipped when this setting is enabled. To upgrade anyway, use `winget upgrade <package>` which does not consider this setting, or use `winget upgrade --all --force` which will ignore the age of the upgrade.
+
 ## Uninstall Behavior
 
 The `uninstallBehavior` settings affect the default behavior of uninstalling (where applicable) packages.

schemas/JSON/settings/settings.schema.0.2.json

@@ -215,6 +215,13 @@
           "default": 3,
           "minimum": 1
         },
+        "upgradeDelayInDays": {
+          "description": "Minimum number of days since the manifest ReleaseDate before winget upgrade --all applies the upgrade. Set to 0 to disable.",
+          "type": "integer",
+          "default": 0,
+          "minimum": 0,
+          "maximum": 3650
+        },
         "archiveExtractionMethod": {
           "description": "Controls the behavior how the installer extracts archives. The current two supported values are 'shellApi' and 'tar'. 'shellApi' uses the Windows Shell API to extract archives. 'tar' uses the tar command to extract archives.",
           "type": "string",

src/AppInstallerCLICore/Resources.h

@@ -796,6 +796,7 @@ namespace AppInstaller::CLI::Resource
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradeCommandShortDescription);
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradeDifferentInstallTechnology);
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradeDifferentInstallTechnologyInNewerVersions);
+        WINGET_DEFINE_RESOURCE_STRINGID(UpgradeDelaySkippedCount);
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradeInstallTechnologyMismatchCount);
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradeIsPinned);
         WINGET_DEFINE_RESOURCE_STRINGID(UpgradePinnedByUserCount);

src/AppInstallerCLICore/Workflows/UpdateFlow.cpp

@@ -8,6 +8,7 @@
 #include <winget/ManifestComparator.h>
 #include <winget/PinningData.h>
 #include <winget/PackageVersionSelection.h>
+#include <ctime>
 
 using namespace AppInstaller::Repository;
 using namespace AppInstaller::Repository::Microsoft;
@@ -17,6 +18,75 @@ namespace AppInstaller::CLI::Workflow
 {
     namespace
     {
+        std::optional<std::chrono::system_clock::time_point> TryParseISO8601Date(std::string_view value)
+        {
+            // YYYY-MM-DD is the expected format
+            if (value.size() < 10)
+            {
+                return {};
+            }
+
+            auto toInt = [](std::string_view sv) -> std::optional<int>
+            {
+                int result = 0;
+                for (char c : sv)
+                {
+                    if (c < '0' || c > '9')
+                    {
+                        return {};
+                    }
+                    result = (result * 10) + (c - '0');
+                }
+                return result;
+            };
+
+            auto year = toInt(value.substr(0, 4));
+            auto month = toInt(value.substr(5, 2));
+            auto day = toInt(value.substr(8, 2));
+
+            if (!year || !month || !day || value[4] != '-' || value[7] != '-')
+            {
+                return {};
+            }
+
+            if (*month < 1 || *month > 12 || *day < 1 || *day > 31)
+            {
+                return {};
+            }
+
+            std::tm tm{};
+            tm.tm_year = *year - 1900;
+            tm.tm_mon = *month - 1;
+            tm.tm_mday = *day;
+            tm.tm_hour = 0;
+            tm.tm_min = 0;
+            tm.tm_sec = 0;
+
+            time_t utcTime = _mkgmtime(&tm);
+            if (utcTime == static_cast<time_t>(-1))
+            {
+                return {};
+            }
+
+            return std::chrono::system_clock::from_time_t(utcTime);
+        }
+
+        bool IsUpgradeEligibleByDelay(std::string_view releaseDate, std::chrono::hours upgradeDelay)
+        {
+            if (upgradeDelay <= std::chrono::hours{ 0 })
+            {
+                return true;
+            }
+
+            auto parsed = TryParseISO8601Date(releaseDate);
+            if (!parsed)
+            {
+                return false;
+            }
+
+            return (std::chrono::system_clock::now() - *parsed) >= upgradeDelay;
+        }
+
         bool IsUpdateVersionAvailable(const Utility::Version& installedVersion, const Utility::Version& updateVersion)
         {
             return installedVersion < updateVersion;
@@ -217,6 +287,9 @@ namespace AppInstaller::CLI::Workflow
         int packagesWithUnknownVersionSkipped = 0;
         int packagesThatRequireExplicitSkipped = 0;
         int packagesSkippedInstallTechnologyMismatch = 0;
+        int packagesSkippedByUpgradeDelay = 0;
+        const auto upgradeDelay = Settings::User().Get<Settings::Setting::UpgradeDelayInDays>();
+        const bool ignoreUpgradeDelay = context.Args.Contains(Execution::Args::Type::Force);
 
         for (const auto& match : matches)
         {
@@ -256,6 +329,36 @@ namespace AppInstaller::CLI::Workflow
                 continue;
             }
 
+            if (!ignoreUpgradeDelay && upgradeDelay > std::chrono::hours{ 0 })
+            {
+                std::string_view releaseDate;
+                if (updateContext.Contains(Execution::Data::Installer))
+                {
+                    const auto& installer = updateContext.Get<Execution::Data::Installer>();
+                    if (installer.has_value() && !installer->ReleaseDate.empty())
+                    {
+                        releaseDate = installer->ReleaseDate;
+                    }
+                }
+
+                if (releaseDate.empty() && updateContext.Contains(Execution::Data::Manifest))
+                {
+                    const auto& manifest = updateContext.Get<Execution::Data::Manifest>();
+                    if (!manifest.DefaultInstallerInfo.ReleaseDate.empty())
+                    {
+                        releaseDate = manifest.DefaultInstallerInfo.ReleaseDate;
+                    }
+                }
+
+                if (!IsUpgradeEligibleByDelay(releaseDate, upgradeDelay))
+                {
+                    AICLI_LOG(CLI, Info, << "Skipping " << match.Package->GetProperty(PackageProperty::Id)
+                        << " as its selected upgrade does not meet the upgrade delay requirement");
+                    ++packagesSkippedByUpgradeDelay;
+                    continue;
+                }
+            }
+
             // Filter out packages that require explicit upgrade.
             // User-defined pins are handled when selecting the version to use.
             auto installedMetadata = updateContext.Get<Execution::Data::InstalledPackageVersion>()->GetMetadata();
@@ -314,6 +417,12 @@ namespace AppInstaller::CLI::Workflow
             AICLI_LOG(CLI, Info, << packagesSkippedInstallTechnologyMismatch << " package(s) skipped due to install technology mismatch");
             context.Reporter.Info() << Resource::String::UpgradeInstallTechnologyMismatchCount(packagesSkippedInstallTechnologyMismatch) << std::endl;
         }
+
+        if (packagesSkippedByUpgradeDelay > 0)
+        {
+            AICLI_LOG(CLI, Info, << packagesSkippedByUpgradeDelay << " package(s) skipped due to upgrade delay setting");
+            context.Reporter.Info() << Resource::String::UpgradeDelaySkippedCount(packagesSkippedByUpgradeDelay) << std::endl;
+        }
     }
 
     void SelectSinglePackageVersionForInstallOrUpgrade::operator()(Execution::Context& context) const

src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw

@@ -1389,6 +1389,10 @@ Please specify one of them using the --source option to proceed.</value>
     <value>{0} package(s) are pinned and need to be explicitly upgraded.</value>
     <comment>{Locked="{0}"} {0} is a placeholder that is replaced by an integer number of packages that require explicit upgrades.</comment>
   </data>
+  <data name="UpgradeDelaySkippedCount" xml:space="preserve">
+    <value>{0} package(s) were skipped due to the configured upgrade delay. To upgrade them anyway, upgrade them individually or use --force.</value>
+    <comment>{Locked="{0}"} {0} is a placeholder that is replaced by an integer number of packages skipped for this reason during winget upgrade --all.</comment>
+  </data>
   <data name="InvalidArgumentWithoutQueryError" xml:space="preserve">
     <value>The arguments provided can only be used with a query.</value>
   </data>

src/AppInstallerCLITests/AppInstallerCLITests.vcxproj

@@ -727,6 +727,18 @@
     <CopyFileToFolders Include="TestData\UpdateFlowTest_Exe.yaml">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\UpgradeDelayTest_Exe_Eligible_Install.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\UpgradeDelayTest_Exe_Eligible_Update.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\UpgradeDelayTest_Exe_TooRecent_Install.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\UpgradeDelayTest_Exe_TooRecent_Update.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\UpdateFlowTest_Exe_ARPInstallerType.yaml">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>

src/AppInstallerCLITests/TestData/UpgradeDelayTest_Exe_Eligible_Install.yaml

@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://aka.ms/winget-manifest.singleton.1.1.0.schema.json
+
+PackageIdentifier: AppInstallerCliTest.TestExeDelayEligible
+PackageVersion: 1.0.0.0
+PackageLocale: en-US
+Publisher: Microsoft Corporation
+PackageName: AppInstaller Test Exe Installer (Delay Eligible)
+License: Test
+InstallerType: exe
+InstallerSwitches:
+  Upgrade: /update
+  SilentWithProgress: /silentwithprogress
+  Silent: /silence
+Installers:
+  - Architecture: x64
+    InstallerUrl: https://ThisIsNotUsed
+    InstallerSha256: 65DB2F2AC2686C7F2FD69D4A4C6683B888DC55BFA20A0E32CA9F838B51689A3B
+
+ManifestType: singleton
+ManifestVersion: 1.1.0

src/AppInstallerCLITests/TestData/UpgradeDelayTest_Exe_Eligible_Update.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://aka.ms/winget-manifest.singleton.1.1.0.schema.json
+
+PackageIdentifier: AppInstallerCliTest.TestExeDelayEligible
+PackageVersion: 2.0.0.0
+PackageLocale: en-US
+Publisher: Microsoft Corporation
+PackageName: AppInstaller Test Exe Installer (Delay Eligible)
+License: Test
+ReleaseDate: 2000-01-01
+InstallerType: exe
+InstallerSwitches:
+  Upgrade: /update
+  SilentWithProgress: /silentwithprogress
+  Silent: /silence
+Installers:
+  - Architecture: x64
+    InstallerUrl: https://ThisIsNotUsed
+    InstallerSha256: 65DB2F2AC2686C7F2FD69D4A4C6683B888DC55BFA20A0E32CA9F838B51689A3B
+
+ManifestType: singleton
+ManifestVersion: 1.1.0

src/AppInstallerCLITests/TestData/UpgradeDelayTest_Exe_TooRecent_Install.yaml

@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://aka.ms/winget-manifest.singleton.1.1.0.schema.json
+
+PackageIdentifier: AppInstallerCliTest.TestExeDelayTooRecent
+PackageVersion: 1.0.0.0
+PackageLocale: en-US
+Publisher: Microsoft Corporation
+PackageName: AppInstaller Test Exe Installer (Delay Too Recent)
+License: Test
+InstallerType: exe
+InstallerSwitches:
+  Upgrade: /update
+  SilentWithProgress: /silentwithprogress
+  Silent: /silence
+Installers:
+  - Architecture: x64
+    InstallerUrl: https://ThisIsNotUsed
+    InstallerSha256: 65DB2F2AC2686C7F2FD69D4A4C6683B888DC55BFA20A0E32CA9F838B51689A3B
+
+ManifestType: singleton
+ManifestVersion: 1.1.0