I think the best solution is opt-out automatic updates, e.g.:
Minor versions: instantly auto-update.
Major versions:
1. Devs push a new major app version.
2. Admins are given X months of system notifications.
3. They can either one-click update the app or uninstall.
4. If no action is taken the app automatically updates.
5. Atlassian can auto/manual review the app just before step #4 happens.
Same for converting free>>paid apps but you simply use or extend the existing refund policy if the admin takes no action, and Y months later they decide they don’t want to pay for it.
If you think through all possible ways to solve the problem, I can’t think of any better:
- simple solution with very few moving parts or complexity.
- all installed marketplace apps will be at most X months out of date.
- the current mess of 90-99% of installs being old/broken will auto fix itself.
- moves complexity away from devs who shouldn’t need to handle this.
- avoids in-code handling of infinite optional permission scopes (Forge current plan).
- gives admins ample opportunity to take action on their own terms.
- includes a final review step to prevent bad actors stuffing scope changes.