Skip to content

Commit bf527ad

Browse files
alerizzoclaude
andauthored
feat: add npm-style update-available notice (#24)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent d813bb6 commit bf527ad

9 files changed

Lines changed: 1200 additions & 22 deletions

File tree

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
---
2+
"@codacy/codacy-cloud-cli": minor
3+
---
4+
5+
Add an npm-style "update available" notice. When a newer version is published, the
6+
CLI prints a one-time upgrade hint to stderr — it never auto-updates. The notice
7+
only shows with the default `--output table` in an interactive terminal; it is
8+
suppressed for `--output json`, when piped, in CI, and under `npx`/npm scripts, so
9+
machine-readable stdout stays byte-clean. The version lookup runs in a non-blocking
10+
background process (at most once a day) and never affects timing or exit codes. Opt
11+
out via `CODACY_DISABLE_UPDATE_CHECK`, `NO_UPDATE_NOTIFIER`, or `--no-update-notifier`.
12+
A package.json `overrides` entry pins `update-notifier`'s transitive `got`/`package-json`
13+
to patched, still-CommonJS versions to avoid CVE-2022-33987.

.gemini/styleguide.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
# Codacy Cloud CLI — review style guide
2+
3+
Project-specific conventions for reviewing this repository (a TypeScript +
4+
Commander.js CLI). Please weigh these before flagging style or correctness
5+
concerns.
6+
7+
## Testing
8+
- Tests mutate `process.env` directly: assign the variable in the test and
9+
`delete` it in `beforeEach`/`afterEach` for isolation. This is the repo-wide
10+
convention (see `src/utils/auth.test.ts` and ~10 other test files). Do **not**
11+
suggest `vi.stubEnv` / `vi.unstubAllEnvs` — the codebase deliberately does not
12+
use them, and consistency across the suite is preferred.
13+
- API service calls are mocked with `vi.mock(...)`; tests are co-located as
14+
`<module>.test.ts` next to the source.
15+
16+
## Output streams
17+
- The command's data payload goes to **stdout**; all human-readable diagnostics
18+
(spinners via `ora`, the "update available" notice) go to **stderr**.
19+
`--output json` must keep stdout byte-clean.
20+
- The update-available notice uses `update-notifier`, which prints to stderr and
21+
self-suppresses for non-TTY / CI / `--output json`. Don't flag it as stdout or
22+
JSON-output pollution.
23+
24+
## Dependencies
25+
- Runtime dependencies, devDependencies, and `overrides` are all pinned to exact
26+
versions (no `^`/`~`) for reproducibility and to avoid dependency-confusion
27+
risk. Flagging an unpinned range is correct; suggesting a range is not.
28+
29+
## Generated files
30+
- `package-lock.json` and everything under `src/api/client/**` are generated.
31+
Complexity, duplication, and size findings on these are false positives.

SPECS/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,3 +70,4 @@ _No pending tasks._ All commands implemented.
7070
| 2026-06-02 | Pattern config-file & coding-standard awareness: new `pattern <tool> <id>` **info mode** (same card as `patterns`); `pattern`/`patterns` skip listing and refuse updates when a tool uses a local config file; `pattern` refuses to modify coding-standard-enforced patterns; `issues --overview` noise suggestions now render a manual "update your config file / coding standard" step instead of a command when a pattern can't be disabled via CLI. `printPatternCard`/`PATTERN_JSON_FIELDS` moved to `utils/formatting.ts` (11 new tests, 371 total) |
7171
| 2026-06-18 | `repo --output json` now includes `repository.fileCount`, plucked from `coverage.numberTotalFiles` on the existing `getRepositoryWithAnalysis` response (present even without coverage data — no extra API call). Unlocks repo-size visibility for downstream consumers like the `configure-codacy-cloud` skill (1 new test, 373 total) |
7272
| 2026-06-24 | `findings` and `finding` now surface the vulnerable dependency's import chain from the new `dependencyChains` field: Direct (`Update <pkg> to <fixed>`) vs Transitive (`<chain> (Fixed in <fixed>)`), with the middle collapsed to `... N more ...` for 4+ packages. List shows the first chain + `... and X more`; detail shows all chains aligned under a single label. New helpers in `utils/formatting.ts` (`formatDependencyChain`, `formatDependencyChainsLine`, `formatDependencyChainsBlock`); `dependencyChains` added to both JSON projections (17 new tests, 390 total) |
73+
| 2026-06-30 | npm-style "update available" notice via `update-notifier@5`: one-time stderr hint when a newer version is published, gated to `--output table` (suppressed for `json`, when piped, in CI, under `npx`). Non-blocking daily background check; never auto-updates. New `src/version.ts` (single source of name/version) + `src/utils/update-check.ts` (`maybeNotifyUpdate`); `preAction` hook + `--no-update-notifier` flag wired in `index.ts`. Opt-outs: `CODACY_DISABLE_UPDATE_CHECK`, `NO_UPDATE_NOTIFIER`, `--no-update-notifier`. `package.json` `overrides` pin transitive `got@^11.8.6`/`package-json@^7` (CVE-2022-33987) (7 new tests, 409 total) |

0 commit comments

Comments
 (0)