Greasy Fork

I have just updated one of my own scripts and hit the update / reinstall button on GreasyFork which Tampermonkey (v4.19.0 in Firefox 119.0.1 64-bit) correctly intercepts. However it is showing new lines in the header block which I did not add, and are not visible in the "Code" tab of my script as hosted on GreasyFork, specifically `@downloadURL` and `@updateURL`.

I have never seen this happen before today, and I find it disturbing that GreasyFork is distributing an edited version of my code while hiding those changes from myself and anyone auditing the code before choosing to install it. This now means that we cannot trust what the "Code" tab on any userscript shows us, as GreasyFork distribute a completely different content to our browser extensions when installing or updating.

Please stop editing our code, what the user submits is what should be saved. Also bring the website back to accurately displaying the same code that users submit and which is distributed to browser extensions, instead of hiding secret edits that we did not consent to.

Greasy Fork has always edited the code. This has been documented for years at https://greasyfork.org/en/help/rewriting, linked to from the help docs at https://greasyfork.org/en/help.

About a week ago, I updated the install buttons on the site to point to the code on update.greasyfork.org instead of directly on greasyfork.org. This was done to reduce the load of update checks on the server; the subdomain allows the server to handle the requests differently and more efficiently.

To get people who installed a script prior to a week ago (from greasyfork.org directly) to start using update.greasyfork.org for update checks, I modified the rewrite logic. Instead of removing any @downloadURL and @updateURL present, forcing the script to be updated from the same URL it was installed, it now adds them and points to the canonical code URLs. I do need to update that document to describe the new behaviour.

That's kind of my point though. That page doesn't match what is happening, and the code hosted here on GreasyFork (shown on the "Code" tab) is not being rewritten - only the code sent to browser extensions is different. My scripts all worked and updated from GreasyFork just fine for years without that being force-inserted behind my back.

Not to mention that the user.js file is being modified while the meta.js file is not. What is the point of the meta.js file if it isn't also having the new @downloadURL and @updateURL forced into it? In fact why can't they be provided as metadata instead of covertly inserted into code in a way that can't be audited by the author, never mind by users, before installing / updating scripts?

The way this is being handled and implemented feels very dodgy and suspicious, even though it probably isn't. Very poor optics and user experience.

The meta.js file is used by script managers only to check the version. If the version provided is different, then they download the user.js file and get the updated URLs.

These changes are necessary to deal with the load caused by millions of users doing update checks every day. Rewriting the code is not new - it has been done since the inception of the site, it's been documented, and the source is available for you to peruse if you like.

The meta.js file is used by script managers only to check the version. If the version provided is different, then they download the user.js file and get the updated URLs.

These changes are necessary to deal with the load caused by millions of users doing update checks every day. Rewriting the code is not new - it has been done since the inception of the site, it's been documented, and the source is available for you to peruse if you like.

I think what he means is that, the code shown in code tab does not reflect the code to be installed.

The actual code to be installed shall be shown in code tab (or such option shall exist) .