Skip to content

fix(cli): make uipro update actually upgrade the CLI via npm#326

Closed
alfredo-petri wants to merge 1 commit into
nextlevelbuilder:mainfrom
alfredo-petri:fix/update-command
Closed

fix(cli): make uipro update actually upgrade the CLI via npm#326
alfredo-petri wants to merge 1 commit into
nextlevelbuilder:mainfrom
alfredo-petri:fix/update-command

Conversation

@alfredo-petri

Copy link
Copy Markdown
Contributor

Problem

updateCommand (cli/src/commands/update.ts:25) called initCommand({force: true}) after showing the latest GitHub release tag. Since initCommand uses locally bundled assets by default, the actual CLI binary was never updated — only the skill files were reinstalled from the version already on disk.

A user running uipro update expecting a version bump received the same files they already had.

Fix

Replace the body of updateCommand with a call to npm install -g uipro-cli@latest via execSync. This correctly upgrades both the CLI binary and its bundled assets.

  • Still fetches latest release info to show the version (best-effort, non-blocking)
  • Clear error message if npm fails
  • Post-install guidance: uipro init --ai <type> --force to reinstall the skill
  • Remove --ai option from update (was forwarded to initCommand which no longer drives update)

Before / After

# Before: reinstalled same bundled assets, no CLI upgrade
uipro update

# After: runs npm install -g uipro-cli@latest
uipro update

🤖 Generated with Claude Code

Previously, updateCommand() fetched the latest GitHub release tag for
display, then called initCommand({force: true}) which reinstalled the
skill from the locally bundled assets — the same version already
installed. The CLI itself was never updated.

New behavior: run npm install -g uipro-cli@latest so the user gets both
a new CLI binary and fresh bundled assets. The --ai option is removed
from update (it was passed to initCommand which no longer drives update);
users reinstall the skill separately with: uipro init --ai <type> --force

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@mrgoonie mrgoonie left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary: This PR fixes the right stale-update symptom, but the update command now shells out to a globally resolved npm binary from inside the installed CLI. That is not safe enough for a CLI maintainer path.

Risk level: Medium

Mandatory gates:

  • Duplicate/prior implementation: clear — no merged PR already fixes uipro update; related release/package issues remain open.
  • Project standards: issue found — CLI command execution should avoid shell string expansion when arguments are static.
  • Strategic necessity: clear value — users expect uipro update to update the actual CLI package, not reinstall bundled assets from the old binary.
  • CI/checks: locally blocked — npm --prefix cli run build requires bun, which is not available in this cron environment.

Findings:

  • Important: cli/src/commands/update.ts uses execSync('npm install -g uipro-cli@latest', { stdio: 'inherit' }). Even though the current command string is static, this routes through a shell and executes whichever npm is first on PATH from a CLI command that users may run in arbitrary projects. Please switch to execFileSync / spawnSync with explicit args (npm, ["install", "-g", "uipro-cli@latest"]) and keep the error handling, so the updater does not add an unnecessary shell-execution surface.
  • Suggestion: update the README/CLI README command description to make it clear that uipro update updates the global CLI and users should rerun uipro init --ai <type> --force after it.

Verdict: REQUEST_CHANGES

@mrgoonie mrgoonie added agent:github-maintain Processed by github-maintain automation pr:reviewed PR reviewed by maintain workflow pr:changes-requested Maintain review requested changes labels Jun 21, 2026
mrgoonie pushed a commit that referenced this pull request Jun 25, 2026
Approved by github-maintain cron-safe review. Supersedes #326.
@ia-abatista

Copy link
Copy Markdown
Contributor

Recommend closing, @mrgoonie. Superseded by merged #389, which makes uipro update actually upgrade via npm using execFileSync (no shell).

@mrgoonie

Copy link
Copy Markdown
Contributor

Cron maintainer follow-up: closing this as superseded by merged PR #389, which implements the same uipro update behavior using execFileSync with explicit npm args and also updates the CLI README guidance. This resolves the previous shell-execution blocker on this PR and avoids keeping two competing update-command implementations open.

@mrgoonie

Copy link
Copy Markdown
Contributor

Closed by maintainer automation: superseded by merged #389.

@mrgoonie mrgoonie closed this Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

agent:github-maintain Processed by github-maintain automation pr:changes-requested Maintain review requested changes pr:reviewed PR reviewed by maintain workflow

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants