Context: PR #974 added per-row software Update/Uninstall on the device-detail Software tab. The API payload schema (apps/api/src/routes/devices/softwareActions.ts) accepts an optional version for all platforms.
Gap: the agent only honors version on Windows — updateSoftwareWindows prepends a winget --version <v> variant (agent/internal/remote/tools/software_update.go:98-116). updateSoftwareMacOS and updateSoftwareLinux ignore it and always upgrade to the newest available. So a user submitting a version pin against a macOS (or Linux) endpoint silently gets the latest version instead of the requested one, with no error or warning.
Why it matters: version pinning reads as a compliance/control feature. Silently upgrading past the pin on non-Windows endpoints is a surprising no-op that could violate an intended hold.
Options:
- Reject
version with a 422 when the target device's OS can't honor it (requires the route to know device OS — already loaded via getDeviceWithOrgCheck).
- Or disable the version field in the UI for macOS/Linux rows with an explanatory tooltip, mirroring how Apple-published rows already disable the buttons.
- Or have the agent return an explicit "version pinning unsupported on " error instead of succeeding.
Refs: agent/internal/remote/tools/software_update.go:121 (macOS), :132 (Linux); apps/api/src/routes/devices/softwareActions.ts:42-51 (version schema). Follow-up to #974.
Secondary (minor, pre-existing): the "already up to date" success-mapping in runUpdateAttempts (software_update.go:180-188) is English-string matching, inherited from the uninstall path — a non-English endpoint could report a spurious failure. Low priority; noting for whenever the success-detection is revisited.
Context: PR #974 added per-row software Update/Uninstall on the device-detail Software tab. The API payload schema (
apps/api/src/routes/devices/softwareActions.ts) accepts an optionalversionfor all platforms.Gap: the agent only honors
versionon Windows —updateSoftwareWindowsprepends a winget--version <v>variant (agent/internal/remote/tools/software_update.go:98-116).updateSoftwareMacOSandupdateSoftwareLinuxignore it and always upgrade to the newest available. So a user submitting a version pin against a macOS (or Linux) endpoint silently gets the latest version instead of the requested one, with no error or warning.Why it matters: version pinning reads as a compliance/control feature. Silently upgrading past the pin on non-Windows endpoints is a surprising no-op that could violate an intended hold.
Options:
versionwith a 422 when the target device's OS can't honor it (requires the route to know device OS — already loaded viagetDeviceWithOrgCheck).Refs:
agent/internal/remote/tools/software_update.go:121(macOS),:132(Linux);apps/api/src/routes/devices/softwareActions.ts:42-51(version schema). Follow-up to #974.Secondary (minor, pre-existing): the "already up to date" success-mapping in
runUpdateAttempts(software_update.go:180-188) is English-string matching, inherited from the uninstall path — a non-English endpoint could report a spurious failure. Low priority; noting for whenever the success-detection is revisited.