winget-cli

`winget list --upgrade-available --include-unknown` shows pinned package as available when it should not

Open eabase opened this issue 1 month ago • 8 comments

Relevant area(s)

WinGet CLI

Relevant command(s)

winget list

Brief description of your issue

I pinned a package some time ago, and I recently got an "update". However, the update should not be shown as the package was pinned, so I tried to pin it again, but it's already pinned, but it's not possible to remove it from the normal list.

Steps to reproduce

#--------------------------------------------------
# winget list --upgrade-available --include-unknown
#--------------------------------------------------

Name             Id             Version Available Source
--------------------------------------------------------
Core Temp 1.18.1 ALCPU.CoreTemp 1.18.1  1.19.5    winget
1 upgrades available.
2 package(s) have pins that prevent upgrade. Use the 'winget pin' command to view and edit pins. Using the --include-pinned argument may show more results.


#--------------------------------------------------
# winget list --upgrade-available --include-unknown --include-pinned
#--------------------------------------------------

Name                   Id              Version Available Source
---------------------------------------------------------------
Core Temp 1.18.1       ALCPU.CoreTemp  1.18.1  1.19.5    winget
Postman x86_64 11.53.3 Postman.Postman 11.53.3 11.69.6   winget
3 upgrades available.

The following packages have an upgrade available, but require explicit targeting for upgrade:
Name  Id          Version  Available Source
-------------------------------------------
MSYS2 MSYS2.MSYS2 20240507 20250830  winget


#--------------------------------------------------
# winget list --upgrade-available --pinned
#--------------------------------------------------

Name                   Id              Version Available Source
---------------------------------------------------------------
Core Temp 1.18.1       ALCPU.CoreTemp  1.18.1  1.19.5    winget
Postman x86_64 11.53.3 Postman.Postman 11.53.3 11.69.6   winget
3 upgrades available.

The following packages have an upgrade available, but require explicit targeting for upgrade:
Name  Id          Version  Available Source
-------------------------------------------
MSYS2 MSYS2.MSYS2 20240507 20250830  winget
[11:36:02] emix@LAPTOP-96RIMVAL C:\mydev\wsl

#--------------------------------------------------
# winget list --upgrade-available --include-pinned
#--------------------------------------------------

Name                   Id              Version Available Source
---------------------------------------------------------------
Core Temp 1.18.1       ALCPU.CoreTemp  1.18.1  1.19.5    winget
Postman x86_64 11.53.3 Postman.Postman 11.53.3 11.69.6   winget
3 upgrades available.

The following packages have an upgrade available, but require explicit targeting for upgrade:
Name  Id          Version  Available Source
-------------------------------------------
MSYS2 MSYS2.MSYS2 20240507 20250830  winget




Expected behavior

That winget list --upgrade-available --include-unknown does not show/list pinned packages.

Actual behavior

Shows pinned packages when it shouldn't.

Environment

Windows Package Manager v1.12.350
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.26100.6899
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.27.350.0

Winget Directories
-------------------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads
Configuration Modules              %LOCALAPPDATA%\Microsoft\WinGet\Configuration\Modules

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled
ProxyCommandLineOptions                   Disabled
DefaultProxy                              Disabled

Nov 14 '25 10:11 eabase

I can't rule out that it's not an issue with the package itself (ALCPU.CoreTemp), somehow circumventing the installer versioning.

  • https://www.alcpu.com/CoreTemp/ (package host website)
  • https://duckduckgo.com/?t=ffab&q=ALCPU.CoreTemp&ia=web (DuckDuckGo shows, as the 3rd result, a note mentioning it as possible malware.)

I have not had any issues with this package, which is why I pinned it, while some users have issues with the updated version.

Nov 14 '25 10:11 eabase

Do you see the same behavior if you use winget upgrade --include-unknown ?

Nov 14 '25 12:11 Trenly

Do you see the same behavior if you use winget upgrade --include-unknown ?

Yes

Nov 14 '25 12:11 eabase

Might be an issue between the ALCPU and MSYS packages and winget.

Thanks to @niStee for pointing this out here.

  • https://github.com/microsoft/winget-pkgs/blob/master/manifests/a/ALCPU/CoreTemp/1.18.1.0/ALCPU.CoreTemp.installer.yaml

  • https://github.com/microsoft/winget-pkgs/blob/master/manifests/m/MSYS2/MSYS2/20250830/MSYS2.MSYS2.installer.yaml

ALCPU:

# Created using wingetcreate 1.5.3.0
# yaml-language-server: $schema=https://aka.ms/winget-manifest.installer.1.10.0.schema.json

PackageIdentifier: ALCPU.CoreTemp
PackageVersion: 1.18.1.0
InstallerLocale: en-US
Platform:
- Windows.Desktop
MinimumOSVersion: 10.0.0.0
InstallerType: inno
Scope: machine
InstallModes:
- interactive
- silent
- silentWithProgress
InstallerSwitches:
  Custom: /LANG=en /TASKS="desktopicon,languagepacks"
UpgradeBehavior: install
ProductCode: '{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1'
AppsAndFeaturesEntries:
- DisplayName: Core Temp 1.18.1
  ProductCode: '{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1'
Installers:
- Architecture: x86
  InstallerUrl: https://www.alcpu.com/CoreTemp/Core-Temp-setup-v1.18.1.0.exe
  InstallerSha256: CA7D1365E934B3BD122AB8B0DBD24EF5E0C52471CFCA15921555FC6B244E9AB6
ManifestType: installer
ManifestVersion: 1.10.0

NOTE: The above 🔼 doesn't have the RequireExplicitUpgrade flag, while UpgradeBehavior: install.


MSYS:

# Created with YamlCreate.ps1 Dumplings Mod
# yaml-language-server: $schema=https://aka.ms/winget-manifest.installer.1.10.0.schema.json

PackageIdentifier: MSYS2.MSYS2
PackageVersion: "20250830"
InstallerType: exe
InstallModes:
- interactive
- silentWithProgress
InstallerSwitches:
  Silent: install --confirm-command --root "C:\msys64"
  SilentWithProgress: install --confirm-command --root "C:\msys64"
  InstallLocation: --root "<INSTALLPATH>"
ExpectedReturnCodes:
- InstallerReturnCode: 2
  ReturnResponse: installInProgress
- InstallerReturnCode: 3
  ReturnResponse: cancelledByUser
UpgradeBehavior: deny
ReleaseDate: 2025-08-30
RequireExplicitUpgrade: true
Installers:
- Architecture: x64
  Scope: user
  InstallerUrl: https://github.com/msys2/msys2-installer/releases/download/2025-08-30/msys2-x86_64-20250830.exe
  InstallerSha256: B54705073678D32686A2CC356BB552363429E6CCBABBFECCB6D3CB7EC101E73B
- Architecture: x64
  Scope: machine
  InstallerUrl: https://github.com/msys2/msys2-installer/releases/download/2025-08-30/msys2-x86_64-20250830.exe
  InstallerSha256: B54705073678D32686A2CC356BB552363429E6CCBABBFECCB6D3CB7EC101E73B
  InstallerSwitches:
    Custom: AllUsers=true
  ElevationRequirement: elevationRequired
ManifestType: installer
ManifestVersion: 1.10.0

But for MSYS here ⬆️, we have the RequireExplicitUpgrade: true flag, while UpgradeBehavior: deny.

Anyway, I have no idea how to work around or proceed.

Nov 14 '25 13:11 eabase

Is there a way to manually add/set these 2 flags in the package after installation? (I can't find their YAML files locally.)

  • RequireExplicitUpgrade: true
  • UpgradeBehavior: deny

Nov 14 '25 13:11 eabase

Is there a way to manually add/set these 2 flags in the package after installation?

(a) No, for RequireExplicitUpgrade you need to reinstall the package with a hacked manifest. (b) Yes, for UpgradeBehavior: deny you (should be able to) use winget pin add --id <PackageId> <-- this issue

Nov 14 '25 14:11 eabase

Something definitely got broken with winget in the last 1-2 months. Today I got yet another update, that I didn't want to install, and tried (successfully) to pin it. Then when I check for updates, it still shows up. This never happened 2 months ago.

Not sure if related, but it seems the package version logic in winget is broken.

  • #5885

Nov 16 '25 22:11 eabase

A small update. I somehow managed to resolve the issue, by removing the pin and redoing it.

# winget list --upgrade-available --include-unknown
Name                                   Id                            Version Available Source
---------------------------------------------------------------------------------------------
Core Temp 1.18.1                       ALCPU.CoreTemp                1.18.1  1.19.5    winget
osquery                                osquery.osquery               5.19.0  5.20.0    winget
...

# BUT
# winget pin list
Name                   Id                                         Version  Source    Pin type Pinned version
------------------------------------------------------------------------------------------------------------
MSYS2                  MSYS2.MSYS2                                20240507 winget    Pinning
Postman x86_64 11.53.3 Postman.Postman                            11.53.3  winget    Pinning
Core Temp 1.18.1       {086d343f-8e78-4afc-81ac-d6d414afd8ac}_is1 1.18.1   Installed Gating   1.18.1
osquery                {eb16515b-4544-4123-871e-ff8ff18fc4b8}     5.19.0   Installed Pinning

Now what the hexx is: {086d343f-8e78-4afc-81ac-d6d414afd8ac}_is1 ?? I've never seen that _is1 extension before!

Originally, I pinned the package with:

winget pin add --installed -e 'ALCPU.CoreTemp' -v '1.18.1' --force

I then removed and re-added the pins:

# winget pin remove --installed -e 'ALCPU.CoreTemp'
# winget pin add -e 'ALCPU.CoreTemp'

# winget pin remove --installed -e '{eb16515b-4544-4123-871e-ff8ff18fc4b8}'
# winget pin add -e 'osquery.osquery'

# winget pin list
Name                   Id              Version  Source Pin type
---------------------------------------------------------------
MSYS2                  MSYS2.MSYS2     20240507 winget Pinning
Postman x86_64 11.53.3 Postman.Postman 11.53.3  winget Pinning
Core Temp 1.18.1       ALCPU.CoreTemp  1.18.1   winget Pinning
osquery                osquery.osquery 5.19.0   winget Pinning

And now everything seems to be as it should.

Dec 07 '25 22:12 eabase
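
A check for the state described in the last comment, as an added example that is not part of the original thread or the winget project: it parses the text of `winget pin list` and `winget list --upgrade-available` and reports packages that are pinned yet still listed as upgradable, together with the Id and Source each pin was stored under. The sample tables are constructed from values posted above; matching by Name and all function names are assumptions.

```python
import re
COLS = ["Name", "Id", "Version", "Available", "Source", "Pin type", "Pinned version"]

def fixed_width(headers, rows):
    """Lay out constructed sample rows as padded columns, like the listings above."""
    table = [headers] + rows
    widths = [max(len(r[i]) for r in table) + 1 for i in range(len(headers))]
    text = ["".join(c.ljust(w) for c, w in zip(r, widths)).rstrip() for r in table]
    return "\n".join([text[0], "-" * len(text[0])] + text[1:])

def parse_table(text):
    """Parse a fixed-width winget table into dicts, slicing rows at header offsets."""
    lines = text.splitlines()
    rule = next((i for i, l in enumerate(lines) if i and l and set(l) == {"-"}), None)
    if rule is None:
        return []
    header, starts, pos = lines[rule - 1], [], 0
    for col in COLS:  # locate each known header, left to right
        idx = header.find(col, pos)
        if idx != -1:
            starts.append((col, idx))
            pos = idx + len(col)
    ends = [s for _, s in starts[1:]] + [None]
    rows = []
    for line in lines[rule + 1:]:
        if not line.strip() or re.match(r"\d+ (upgrades|package)", line):
            break  # a blank line or the summary line ends the table
        rows.append({c: line[s:e].strip() for (c, s), e in zip(starts, ends)})
    return rows

def audit(pin_text, upgrade_text):
    """Report pinned packages that are still listed as upgradable, matched by Name."""
    listed = {r["Name"]: r for r in parse_table(upgrade_text)}
    return [{"name": p["Name"], "pin_id": p["Id"], "pin_source": p["Source"],
             "listed_id": listed[p["Name"]]["Id"]}
            for p in parse_table(pin_text) if p["Name"] in listed]

# Constructed sample data, using the values posted in the thread.
PINS = fixed_width(COLS[:3] + COLS[4:], [
    ["Postman x86_64 11.53.3", "Postman.Postman", "11.53.3", "winget", "Pinning", ""],
    ["Core Temp 1.18.1", "{086d343f-8e78-4afc-81ac-d6d414afd8ac}_is1", "1.18.1",
     "Installed", "Gating", "1.18.1"],
    ["osquery", "{eb16515b-4544-4123-871e-ff8ff18fc4b8}", "5.19.0", "Installed", "Pinning", ""],
])
UPGRADES = fixed_width(COLS[:5], [
    ["Core Temp 1.18.1", "ALCPU.CoreTemp", "1.18.1", "1.19.5", "winget"],
    ["osquery", "osquery.osquery", "5.19.0", "5.20.0", "winget"],
]) + "\n2 upgrades available."
print(*audit(PINS, UPGRADES), sep="\n")
```

On a live system the two inputs would be the captured text of the commands themselves; a finding whose `pin_id` differs from `listed_id` corresponds to the pin rows shown with Source `Installed` in the comment above.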