Is it possible to disable updates in PWA?


I have a PWA that is a note-taking application. The source code is open. Note data is stored on the user's device.

Is it possible to make it so that if I (the developer) change the code, users will still open the installed version, and I will not be able to force an update of the PWA?

I tried caching everything, but currently, when the PWA opens, it immediately sends a GET request to service.js, which returns 304 (the data has not changed). Now I can just rewrite it and force an update of the user's application by adding a script that (for example) sends the user's notes to my server. To refresh, the user simply needs to close the application and open it again. Of course, with such a “vulnerability,” no one will use my application.

I need to somehow guarantee that I cannot do anything without the user's knowledge. Are there any ways to do this?

Here is an example of the first version of the PWA, which does not imply an update:

index.html

    <body>
      <p>pwa</p>
      <script>
        if ('serviceWorker' in navigator) {
          window.addEventListener('load', () => {
            navigator.serviceWorker.register('sw.js');
          });
        }
      </script>
    </body>

sw.js

    const CACHE_NAME = 'pwa-cache-v1';

    self.addEventListener('install', (e) => {
      e.waitUntil(
        caches.open(CACHE_NAME).then((cache) => {
          return cache.addAll(['./', './index.html', './manifest.json', './192x192.jpg', './512x512.jpg', './favicon.ico']);
        })
      );
    });

    self.addEventListener('fetch', (e) => {
      e.respondWith(
        caches.match(e.request).then((response) => {
          return response || fetch(e.request);
        })
      );
    });

Here is a forced update for the user:

sw.js

    const CACHE_NAME = 'pwa-cache-v2';

    self.addEventListener('install', (e) => {
      self.skipWaiting();
      e.waitUntil(
        caches.open(CACHE_NAME).then((cache) => {
          return cache.addAll(['./', './index.html', './manifest.json']);
        })
      );
    });

    self.addEventListener('activate', (e) => {
      e.waitUntil(
        caches.keys().then((keys) => {
          return Promise.all(
            keys.map((key) => {
              if (key !== CACHE_NAME) {
                return caches.delete(key);
              }
            })
          );
        }).then(() => {
          return self.clients.claim();
        })
      );
    });

The user did not clear the cache or delete the application, but simply closed and reopened it—now they have the new version.

Imagine that you are using a messenger with end-to-end encryption. Its source code is published, and you can see that ONLY encrypted messages are sent to the server. But at some point, the app will update, and now encryption keys are also sent along with your messages. To prevent this from happening, you need to disable the ability to update the app.

I'll say it again: I don't want the PWA to be able to update. I need to make it as safe as possible for the user.
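
The update path described in the question can at least be detected from outside the app. The following is an added example, not part of the original post: a Node.js check that compares the `sw.js` a server returns with a copy that was reviewed, and lists takeover-related calls that the reviewed copy did not contain. The function name `auditWorker`, the call list and the two sample sources are assumptions constructed for illustration.

```javascript
// Added example for Node.js; not the asker's code. Sample sources are constructed.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Calls that let a new worker take over at once, drop old caches, or load more code.
const SENSITIVE_CALLS = ['skipWaiting', 'clients.claim', 'caches.delete', 'importScripts'];

// Compare the worker script a server returns now with the copy that was reviewed.
// The browser's own update check is byte-for-byte, so any difference means a new install.
function auditWorker(reviewedSource, servedSource) {
  const pinnedDigest = sha256(reviewedSource);
  const servedDigest = sha256(servedSource);
  const changed = pinnedDigest !== servedDigest;
  const introduced = SENSITIVE_CALLS.filter(
    (call) => servedSource.includes(call) && !reviewedSource.includes(call)
  );
  return { changed, pinnedDigest, servedDigest, introduced };
}

// Constructed samples, shortened from the two sw.js versions in the question.
const SW_V1 = `const CACHE_NAME = 'pwa-cache-v1';
self.addEventListener('fetch', (e) => {
  e.respondWith(caches.match(e.request).then((r) => r || fetch(e.request)));
});`;

const SW_V2 = `const CACHE_NAME = 'pwa-cache-v2';
self.addEventListener('install', (e) => { self.skipWaiting(); });
self.addEventListener('activate', (e) => {
  e.waitUntil(caches.keys()
    .then((keys) => Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k))))
    .then(() => self.clients.claim()));
});`;

const report = auditWorker(SW_V1, SW_V2);
console.log(report.changed ? 'sw.js differs from the reviewed copy' : 'sw.js matches');
console.log('newly introduced calls:', report.introduced);
```

In practice the pinned digest would come from the published release that was reviewed, and the served source from a fresh download of `sw.js`.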
