For reference chrome uses open source Omaha installer and update and the others noted use Squirrel. Both can exist in users app data (squirrel only can however as its philosophy is to be user installable without admin.)
Are you sure the others use Squirrel? After it’s maintainer decided to crash out and abandon multiple libraries including Squirrel, I was under the impression it was abandoned?
Squirrel is abandoned for years and still used anyway, often by people who don't realize it's abandoned. It's the default if you use the Electron toolchain, so that's why. It has serious design problems too, like it breaks Windows networks by bloating people's roaming home directories with dozens of independent copies of Chrome which then get backed up, copied around on login etc. Admins loathe it as the whole point of this design is to bypass their ability to manage their own deployments, although they still get the blame when things break, of course.
There's a better way, which I am shamelessly self-promoting in this thread (as it's 100% on topic) - my company makes a tool that can ship self-updating Electron apps and beyond being not abandoned, it's got a lot of really useful features, like being able to do the build and upload of signed updating packages (using the tech MS is pushing here) from Linux CI workers, without needing a Windows license.
It can also do forced updates on launch, which can be helpful for apps where the protocol between client and server changes regularly. And it plays well with corporate Windows deployments. People can install apps locally without needing administrator access but it goes into c:\Program Files
That’s awesome, but keep in mind that the AppData thing is likely a feature and not a bug.
Think about it another way: if they install in AppData, they can likely bypass IT depts and other business bureaucracies and get a foothold somewhere in an organization. It’s absolutely malicious, both in terms of tech and business practices, but it works.
That might have been true a long time ago, but nowadays Windows makes it easy to black/whitelist executables from the home directory with stuff like AppLocker. Meanwhile, the MSIX subsystem lets users install apps safely without needing admin access into c:\Program Files.
So, what Electron does might have been a neat growth hack once, but now it's as likely to hit roadblocks as not (at least on any modern Windows network with a switched-on IT department).
It used to use Omaha. They recently rewrote it and Chrome now uses an installer framework fully maintained in their own tree. It's conceptually similar but cleaned up.
And since the Chrome fork Edge is part of Windows now, this updater already runs on all Windows machines (e.g. the MicrosoftEdgeUpdateTaskMachineUA scheduled task).
They did not even use Windows update for that one.
Can you force Edge to go through Windows Update? They have GPOs for download, but I didn’t see anything like that in there.