diff --git a/src/config.sh b/src/config.sh
index eeef870..110bd86 100644
--- a/src/config.sh
+++ b/src/config.sh
@@ -28,7 +28,6 @@ fi
 
 # resolve relative pkg_path
 PKG_PATH="$(resolve_path "$PKG_PATH" "$config_path")"
-[ -z "$UPDATE_REMOVE" ] && UPDATE_REMOVE=true
 
 root_check && [ -z "$opt_f" ] && [ "$ALLOW_ROOT" != "true" ] && echo "Cannot run as root" >&2 && exit 10
 
diff --git a/src/env.sh b/src/env.sh
index 8eee23d..30b2a17 100644
--- a/src/env.sh
+++ b/src/env.sh
@@ -2,3 +2,5 @@
 
 config_path=/etc/zpkg
 fname="$(basename "$0")"
+ALLOW_ROOT=false
+UPDATE_REMOVE=true
diff --git a/src/fetch.sh b/src/fetch.sh
index 98fb9e4..7561597 100644
--- a/src/fetch.sh
+++ b/src/fetch.sh
@@ -11,6 +11,7 @@ fetch_package()
 # $1 = prefix
 fetch_pkglist()
 {
+  (
   cd "$PKG_PATH"
   $1 mv pkglist pkglist_bak 2>/dev/null
   if ! $1 wget "$HTTP_ADDRESS/pkglist" -q --show-progress -O pkglist 2>&1
@@ -22,4 +23,5 @@ fetch_pkglist()
     $1 rm pkglist_bak 2>/dev/null
     return 0
   fi
+  )
 }
diff --git a/src/install.sh b/src/install.sh
index d6d58cc..e586e83 100644
--- a/src/install.sh
+++ b/src/install.sh
@@ -28,6 +28,7 @@ copy_files() {
 # $1 = package , $2 = prefix
 install_package()
 {
+  [ "$1" = "$fname" ] && [ -z "$opt_R" ] && _self_update=y && return 0
   echo "Installing $1"
   tmpdir="/tmp/zpkg_$(random_string 5)"
   mkdir -p "$tmpdir"
diff --git a/src/main.sh b/src/main.sh
index cdeb93c..9bdaa77 100644
--- a/src/main.sh
+++ b/src/main.sh
@@ -132,3 +132,5 @@ deploy)
   ;;
 *) usage && exit 1 ;;
 esac
+
+[ -n "$_self_update" ] && gen_self_update && exec "$_tmpzpkg" -R install zpkg
diff --git a/src/options.sh b/src/options.sh
index a9173ed..8d8c7d3 100644
--- a/src/options.sh
+++ b/src/options.sh
@@ -1,25 +1,15 @@
 #!/bin/sh
 
-unset opt_f
+unset opt_f opt_R
 
-while getopts ":hc:f" opt;
+while getopts ":hc:fR" opt;
 do
   case $opt in
-    h)
-      usage
-      exit 0
-      ;;
-    c)
-      config_path="$OPTARG"
-      ;;
-    f)
-      opt_f="y"
-      ;;
-    \?)
-      echo "Uknown option: $OPTARG"
-      usage
-      exit 1
-      ;;
+    h) usage ; exit 1 ;;
+    c) config_path="$OPTARG" ;;
+    f) opt_f=y ;;
+    R) opt_R=y ;;
+    \?) echo "Uknown option: $OPTARG" ; usage ; exit 1 ;;
     esac
 done
 
diff --git a/src/print.sh b/src/print.sh
index 172624a..9d92387 100644
--- a/src/print.sh
+++ b/src/print.sh
@@ -24,6 +24,7 @@ Options:
   -h          Display this help
   -c <path>   Custom config path. Default /etc/zpkg
   -f          Force running when root
+  -R          Don't do self-update mitigation
 
 Config (zpkg.conf):
   SSH_ADDRESS         SSH access for deploy
diff --git a/src/remove.sh b/src/remove.sh
index 0c53b11..9fd4bdc 100644
--- a/src/remove.sh
+++ b/src/remove.sh
@@ -11,6 +11,7 @@ delete_files()
 # $1 = package , $2 = prefix
 remove_package()
 {
+  (
   cd "$PKG_PATH"
   archive="$(pwd)/$1.tar.$extension"
   if [ ! -f "$archive" ] || ! grep -q "^$1 " installed
@@ -26,4 +27,5 @@ remove_package()
 
   $2 rm "$archive" 2>/dev/null
   $2 sed -i "/^$1 /d" installed
+  )
 }
diff --git a/src/upgrade.sh b/src/upgrade.sh
index 4637354..ffb0678 100644
--- a/src/upgrade.sh
+++ b/src/upgrade.sh
@@ -14,6 +14,7 @@ to_delete()
 # $1 = package , $2 = prefix
 upgrade_package()
 {
+  [ "$1" = "$fname" ] && [ -z "$opt_R" ] && _self_update=y && return 0
   echo "Updating $1"
   tmpdir="/tmp/zpkg_$(random_string 5)"
   mkdir -p "$tmpdir"
@@ -36,3 +37,15 @@ upgrade_package()
   rm -rd "$tmpdir" 2>/dev/null
   return $ret
 }
+
+## self upgrading mitigation
+
+unset _self_update
+_tmpzpkg="/tmp/zpkg_bin_$(random_string 5)"
+gen_self_update()
+{
+  # copy current file
+  cp "$0" "$_tmpzpkg" || return $?
+  # make new script self-delete
+  echo 'rm -f "$0"' >> "$_tmpzpkg"
+}
diff --git a/src/view.sh b/src/view.sh
index 19043c4..bfbf0b2 100644
--- a/src/view.sh
+++ b/src/view.sh
@@ -2,9 +2,11 @@
 
 deps()
 {
+  (
   cd "$PKG_PATH"
   l=$(grep "^$1 " pkglist) || return $?
   echo "$l" | cut -d' ' -f3-
+  )
 }
 
 # $1 = pkg file
@@ -15,6 +17,7 @@ desc() {
 resolve_packages()
 {
   RET=0
+  (
   cd "$PKG_PATH"
   for I in $*
   do
@@ -27,6 +30,7 @@ resolve_packages()
     fi
   done
   return $RET
+  )
 }
 
 # env: INCLUDE_PACKAGES
@@ -45,9 +49,10 @@ resolve_deps()
 
 is_installed()
 {
+  (
   cd "$PKG_PATH"
   grep -q "^$1 " installed 2>/dev/null
-  return $?
+  )
 }
 
 # $1 = file
@@ -58,11 +63,12 @@ view_package_file() {
 
 # $1 = package name
 view_package() {
-  cd "$PKG_PATH" && view_package_file "$1.tar.$extension"
+  ( cd "$PKG_PATH" && view_package_file "$1.tar.$extension" )
 }
 
 removed_packages()
 {
+  (
   cd "$PKG_PATH"
   cat installed 2>/dev/null | while read -r in
   do
@@ -70,10 +76,12 @@ removed_packages()
     rem=$(grep "^$name " pkglist | awk '{print $2}')
     [ -z "$rem" ] && echo $name
   done
+  )
 }
 
 outdated_packages()
 {
+  (
   cd "$PKG_PATH"
   cat installed 2>/dev/null | while read -r in
   do
@@ -82,4 +90,5 @@ outdated_packages()
     rem=$(grep "^$name " pkglist | awk '{print $2}')
     [ -n "$rem" ] && [ "$loc" -lt "$rem" ] && echo $name
   done
+  )
 }