From 6ef1029bc439e079eacedf6eaaad68b0b82b9497 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jason=20K=C3=B6lker?= <jason@koelker.net>
Date: Fri, 9 Jan 2026 05:16:27 +0000
Subject: [PATCH] fix: prevent auto-update from downgrading prerelease/dist-tag
 versions (#615)

* fix: prevent auto-update from downgrading prerelease/dist-tag versions

The auto-update checker was incorrectly updating pinned prerelease versions
(e.g., 3.0.0-beta.1) and dist-tags (e.g., @beta) to the stable latest version
from npm, effectively downgrading users who opted into beta.

Added isPrereleaseOrDistTag() check that skips auto-update when:
- Version contains '-' (prerelease like 3.0.0-beta.1)
- Version is a dist-tag (non-semver like beta, next, canary)

Fixes #613

* refactor: export version helpers and import in tests

Address review feedback: export isPrereleaseVersion, isDistTag, and
isPrereleaseOrDistTag from index.ts and import them in tests instead
of duplicating the logic.
---
 src/hooks/auto-update-checker/index.test.ts | 153 ++++++++++++++++++++
 src/hooks/auto-update-checker/index.ts      |  25 +++-
 2 files changed, 175 insertions(+), 3 deletions(-)
 create mode 100644 src/hooks/auto-update-checker/index.test.ts

diff --git a/src/hooks/auto-update-checker/index.test.ts b/src/hooks/auto-update-checker/index.test.ts
new file mode 100644
index 000000000..a2309dd0f
--- /dev/null
+++ b/src/hooks/auto-update-checker/index.test.ts
@@ -0,0 +1,153 @@
+import { describe, test, expect } from "bun:test"
+import { isPrereleaseVersion, isDistTag, isPrereleaseOrDistTag } from "./index"
+
+describe("auto-update-checker", () => {
+  describe("isPrereleaseVersion", () => {
+    test("returns true for beta versions", () => {
+      // #given a beta version
+      const version = "3.0.0-beta.1"
+
+      // #when checking if prerelease
+      const result = isPrereleaseVersion(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns true for alpha versions", () => {
+      // #given an alpha version
+      const version = "1.0.0-alpha"
+
+      // #when checking if prerelease
+      const result = isPrereleaseVersion(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns true for rc versions", () => {
+      // #given an rc version
+      const version = "2.0.0-rc.1"
+
+      // #when checking if prerelease
+      const result = isPrereleaseVersion(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns false for stable versions", () => {
+      // #given a stable version
+      const version = "2.14.0"
+
+      // #when checking if prerelease
+      const result = isPrereleaseVersion(version)
+
+      // #then returns false
+      expect(result).toBe(false)
+    })
+  })
+
+  describe("isDistTag", () => {
+    test("returns true for beta dist-tag", () => {
+      // #given beta dist-tag
+      const version = "beta"
+
+      // #when checking if dist-tag
+      const result = isDistTag(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns true for next dist-tag", () => {
+      // #given next dist-tag
+      const version = "next"
+
+      // #when checking if dist-tag
+      const result = isDistTag(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns true for canary dist-tag", () => {
+      // #given canary dist-tag
+      const version = "canary"
+
+      // #when checking if dist-tag
+      const result = isDistTag(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns false for semver versions", () => {
+      // #given a semver version
+      const version = "2.14.0"
+
+      // #when checking if dist-tag
+      const result = isDistTag(version)
+
+      // #then returns false
+      expect(result).toBe(false)
+    })
+
+    test("returns false for latest (handled separately)", () => {
+      // #given latest tag
+      const version = "latest"
+
+      // #when checking if dist-tag
+      const result = isDistTag(version)
+
+      // #then returns true (but latest is filtered before this check)
+      expect(result).toBe(true)
+    })
+  })
+
+  describe("isPrereleaseOrDistTag", () => {
+    test("returns false for null", () => {
+      // #given null version
+      const version = null
+
+      // #when checking
+      const result = isPrereleaseOrDistTag(version)
+
+      // #then returns false
+      expect(result).toBe(false)
+    })
+
+    test("returns true for prerelease version", () => {
+      // #given prerelease version
+      const version = "3.0.0-beta.1"
+
+      // #when checking
+      const result = isPrereleaseOrDistTag(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns true for dist-tag", () => {
+      // #given dist-tag
+      const version = "beta"
+
+      // #when checking
+      const result = isPrereleaseOrDistTag(version)
+
+      // #then returns true
+      expect(result).toBe(true)
+    })
+
+    test("returns false for stable version", () => {
+      // #given stable version
+      const version = "2.14.0"
+
+      // #when checking
+      const result = isPrereleaseOrDistTag(version)
+
+      // #then returns false
+      expect(result).toBe(false)
+    })
+  })
+})
diff --git a/src/hooks/auto-update-checker/index.ts b/src/hooks/auto-update-checker/index.ts
index a7126d91e..923460106 100644
--- a/src/hooks/auto-update-checker/index.ts
+++ b/src/hooks/auto-update-checker/index.ts
@@ -9,6 +9,20 @@ import type { AutoUpdateCheckerOptions } from "./types"
 
 const SISYPHUS_SPINNER = ["·", "•", "●", "○", "◌", "◦", " "]
 
+export function isPrereleaseVersion(version: string): boolean {
+  return version.includes("-")
+}
+
+export function isDistTag(version: string): boolean {
+  const startsWithDigit = /^\d/.test(version)
+  return !startsWithDigit
+}
+
+export function isPrereleaseOrDistTag(pinnedVersion: string | null): boolean {
+  if (!pinnedVersion) return false
+  return isPrereleaseVersion(pinnedVersion) || isDistTag(pinnedVersion)
+}
+
 export function createAutoUpdateCheckerHook(ctx: PluginInput, options: AutoUpdateCheckerOptions = {}) {
   const { showStartupToast = true, isSisyphusEnabled = false, autoUpdate = true } = options
 
@@ -63,7 +77,7 @@ export function createAutoUpdateCheckerHook(ctx: PluginInput, options: AutoUpdat
 }
 
 async function runBackgroundUpdateCheck(
-  ctx: PluginInput, 
+  ctx: PluginInput,
   autoUpdate: boolean,
   getToastMessage: (isUpdate: boolean, latestVersion?: string) => string
 ): Promise<void> {
@@ -100,6 +114,11 @@ async function runBackgroundUpdateCheck(
   }
 
   if (pluginInfo.isPinned) {
+    if (isPrereleaseOrDistTag(pluginInfo.pinnedVersion)) {
+      log(`[auto-update-checker] Skipping auto-update for prerelease/dist-tag: ${pluginInfo.pinnedVersion}`)
+      return
+    }
+
     const updated = updatePinnedVersion(pluginInfo.configPath, pluginInfo.entry, latestVersion)
     if (!updated) {
       await showUpdateAvailableToast(ctx, latestVersion, getToastMessage)
@@ -112,7 +131,7 @@ async function runBackgroundUpdateCheck(
   invalidatePackage(PACKAGE_NAME)
 
   const installSuccess = await runBunInstallSafe()
-  
+
   if (installSuccess) {
     await showAutoUpdatedToast(ctx, currentVersion, latestVersion)
     log(`[auto-update-checker] Update installed: ${currentVersion} → ${latestVersion}`)
@@ -180,7 +199,7 @@ async function showSpinnerToast(ctx: PluginInput, version: string, message: stri
 }
 
 async function showUpdateAvailableToast(
-  ctx: PluginInput, 
+  ctx: PluginInput,
   latestVersion: string,
   getToastMessage: (isUpdate: boolean, latestVersion?: string) => string
 ): Promise<void> {