ModrinthApp installs unknown software without user intervention
Closed this issue · 1 comments
Please confirm the following.
- I checked the existing issues for duplicate problems
- I have tried resolving the issue using the support portal
- I have ensured my Modrinth App installation is up to date
What version of the Modrinth App are you using?
0.10.10
What operating systems are you seeing the problem on?
Windows
Describe the bug
The ModrinthApp installs non-requested versions of itself unprompted. While today it might be in good faith, this is highly dubious.
- It has the latest bugfixes and a small set of additional features
  - I did not experience those bugs, but now I'm subject to new code that might be buggy
- It has the latest security problems fixed
  - That's great, and thoughtful. I'll be sure to go over them and determine if this is a required update
- Why would you want to run outdated buggy software?
  - I don't. But, I also don't want you to install things on my computer without my consent. If you are compromised, modrinthapp is a good place to inject botnet, wallet scraping, etc etc. It might not even be nefarious, you might have decided that one of the features I use is obsolete and removed it. See NPM supply chain attack and other similar events. See Windows 11 Recall.
- These are overreactions, we would never...
  - Most likely not, but what about the person that comes after you, when you no longer maintain the project.
I file this because I care, because I like the app. I'm not forced to use it, I'm free to pick something else. I know that.
But, the update window ought to be something along the lines of:
A new version of ModrinthApp is available.
> ChangeLog > Install > Skip (you can find it in Updates if you need it)
and if you're dead set on automatic updates add a checkbox to allow for automatic installs.
It's far more common though that software does /not/ perform automatic updates, and the checkbox is if the user should be notified about new releases.
I do not believe any of this is in bad faith, but, as neither of us can predict the future, I see this as a high security and privacy concern.
(and yes, to reiterate; I'm free to stop using the app, I don't want to, but I know the option is there and that no one is obliged to even consider my report.)
Steps to reproduce
No response
Expected behavior
No response
Additional context
No response
Modrinth is an online service that requires consistent updates to keep it working as users expect. The updates are not optional.