winget pin is ignored and package is upgraded anyway

[msoler8785]

Brief description of your issue

I had previously installed the .msi for mRemoteNg which is located here: https://github.com/mRemoteNG/mRemoteNG/releases/tag/v1.77.1

I did not want to upgrade this version so I added a pin using the following commands:

PS C:\> winget pin add mRemoteNG --installed --blocking --verbose
Found mRemoteNG [mRemoteNG.mRemoteNG.Nightly]
Pin added successfully
PS C:\> winget pin list
Name      Id                                     Version      Source    Pin type
--------------------------------------------------------------------------------
mRemoteNG {6cad3681-0b2e-4b2d-89d0-2dff4d35a3de} 1.77.1.27654 Installed Blocking

Checking for upgrades still lists the package as an upgrade candidate:

PS C:\> winget upgrade --include-unknown
Name                   Id                          Version              Available            Source
---------------------------------------------------------------------------------------------------
NVM for Windows        CoreyButler.NVMforWindows   Unknown              1.2.2                winget
VLC media player       VideoLAN.VLC                3.0.20.0             3.0.21               winget
ILSpy                  icsharpcode.ILSpy           8.2.0.7535           9.0.0.7889           winget
mRemoteNG              mRemoteNG.mRemoteNG.Nightly 1.77.1.27654         1.77.3.1784          winget
PowerShell 7.4.6.0-x64 Microsoft.PowerShell        7.4.6.0              7.5.0.0              winget
Spotify                Spotify.Spotify             1.2.53.440.g7b2f582a 1.2.58.498.g6afe77b7 winget
7 upgrades available.

The following packages have an upgrade available, but require explicit targeting for upgrade:
Name    Id              Version  Available Source
-------------------------------------------------
Discord Discord.Discord 1.0.9011 1.0.9184  winget

Furthermore, running the following command upgrades the package to the newer version:

C:\>winget upgrade --all --silent --include-unknown --accept-package-agreements

Steps to reproduce

1. Install the MSI here: https://github.com/mRemoteNG/mRemoteNG/releases/download/v1.77.1/mRemoteNG-Installer-1.77.1.27654.msi
2. Add a pin for the installed package

winget pin add mRemoteNG --installed --blocking --verbose

3. Check for upgrades

winget upgrade --include-unknown

4. Observer the pending update candidate for the package we just pinned.

Expected behavior

The pinned package does not upgrade.

Actual behavior

The pinned package is upgraded to the latest version available.

Environment

PS C:\> winget --info
Windows Package Manager v1.9.25200
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.26100.2894
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.24.25200.0

Winget Directories
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled
ProxyCommandLineOptions                   Disabled
DefaultProxy                              Disabled

[denelon]

Just some notes to help with troubleshooting:

The ID in the pin command example above looks like an MSI Product code rather than a WinGet package identifier.

I'm not sure if the version installed via the web has a corresponding manifest in the repository.

I don't know if performing the steps in a different order will address the issue as a workaround or not. Pinning might not work until a strong correlation between the WinGet Package ID and the installed application is made.

[msoler8785]

Just some notes to help with troubleshooting:

The ID in the pin command example above looks like an MSI Product code rather than a WinGet package identifier.

I'm not sure if the version installed via the web has a corresponding manifest in the repository.

I don't know if performing the steps in a different order will address the issue as a workaround or not. Pinning might not work until a strong correlation between the WinGet Package ID and the installed application is made.

I realized that afterwards, that the id seemed to be the product code. It seems the maintainer just started adding WinGet packages, and I don't think the older versions exist in WinGet.

Nevertheless, I think the expected behavior is still the same, since there is a strong enough correlation to upgrade the package.

In other words, whatever mechanism decides it is an upgrade candidate should be the same mechanism that determines if a pinned version matches.