fix(cli): make uipro update actually upgrade the CLI via npm #326
Closed
alfredo-petri wants to merge 1 commit into
Previously, updateCommand() fetched the latest GitHub release tag for
display, then called initCommand({force: true}) which reinstalled the
skill from the locally bundled assets — the same version already
installed. The CLI itself was never updated.
New behavior: run npm install -g uipro-cli@latest so the user gets both
a new CLI binary and fresh bundled assets. The --ai option is removed
from update (it was passed to initCommand which no longer drives update);
users reinstall the skill separately with: uipro init --ai <type> --force
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mrgoonie
requested changes
Jun 21, 2026
mrgoonie
left a comment
Contributor
Summary: This PR fixes the right stale-update symptom, but the update command now shells out to a globally resolved npm binary from inside the installed CLI. That is not safe enough for a CLI maintainer path.
Risk level: Medium
Mandatory gates:
- Duplicate/prior implementation: clear — no merged PR already fixes `uipro update`; related release/package issues remain open.
- Project standards: issue found — CLI command execution should avoid shell string expansion when arguments are static.
- Strategic necessity: clear value — users expect `uipro update` to update the actual CLI package, not reinstall bundled assets from the old binary.
- CI/checks: locally blocked — `npm --prefix cli run build` requires `bun`, which is not available in this cron environment.
Findings:
- Important: `cli/src/commands/update.ts` uses `execSync('npm install -g uipro-cli@latest', { stdio: 'inherit' })`. Even though the current command string is static, this routes through a shell and executes whichever `npm` is first on PATH from a CLI command that users may run in arbitrary projects. Please switch to `execFileSync`/`spawnSync` with explicit args (`npm`, `["install", "-g", "uipro-cli@latest"]`) and keep the error handling, so the updater does not add an unnecessary shell-execution surface.
- Suggestion: update the README/CLI README command description to make it clear that `uipro update` updates the global CLI and users should rerun `uipro init --ai <type> --force` after it.
Verdict: REQUEST_CHANGES
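The two points in the finding above (shell string expansion, and "whichever `npm` is first on PATH"), as an added example that is not code from this PR or from the project. `argvViaShell`, `argvViaExecFile`, `resolveOnPath`, `updateCli` and the `DEMO_TAG` variable are names made up here, the Node binary stands in for `npm` so nothing is installed, and refusing relative PATH entries is an extra check the review does not ask for. POSIX only.

```javascript
const { execSync, execFileSync } = require('node:child_process');
const fs = require('node:fs');
const path = require('node:path');

// Child that reports the argv it received; stands in for npm in this demo.
const ECHO_ARGV = 'console.log(JSON.stringify(process.argv.slice(1)))';

// Shell form: /bin/sh parses the whole string, so $VAR, globs, ; and | are live.
function argvViaShell(spec, env) {
  const cmd = `"${process.execPath}" -e '${ECHO_ARGV}' install -g ${spec}`;
  return JSON.parse(execSync(cmd, { encoding: 'utf8', env }));
}

// Argv form: no shell, each array element reaches the child unchanged.
function argvViaExecFile(spec, env) {
  const args = ['-e', ECHO_ARGV, 'install', '-g', spec];
  return JSON.parse(execFileSync(process.execPath, args, { encoding: 'utf8', env }));
}

// First executable match on PATH, plus whether the PATH entry was empty or
// relative (in which case the current project directory decides what runs).
function resolveOnPath(cmd, envPath, cwd) {
  for (const dir of envPath.split(path.delimiter)) {
    const file = path.resolve(cwd, dir, cmd);
    try {
      fs.accessSync(file, fs.constants.X_OK);
      if (fs.statSync(file).isFile()) return { file, fromCwd: !path.isAbsolute(dir) };
    } catch { /* not in this PATH entry, keep looking */ }
  }
  return null;
}

// Hypothetical updater: pins the resolved npm path and passes static args.
function updateCli({ envPath = process.env.PATH || '', cwd = process.cwd(), dryRun = false } = {}) {
  const npm = resolveOnPath('npm', envPath, cwd);
  if (!npm) throw new Error('npm not found on PATH');
  if (npm.fromCwd) throw new Error(`refusing npm from a relative PATH entry: ${npm.file}`);
  const args = ['install', '-g', 'uipro-cli@latest'];
  if (!dryRun) execFileSync(npm.file, args, { stdio: 'inherit' });
  return { file: npm.file, args };
}
```

On Windows the global `npm` is a `.cmd` shim that `execFileSync` does not launch by its bare name, so a cross-platform updater needs a separate branch there.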
This was referenced Jun 25, 2026
mrgoonie pushed a commit that referenced this pull request Jun 25, 2026
Approved by github-maintain cron-safe review. Supersedes #326.
Cron maintainer follow-up: closing this as superseded by merged PR #389, which implements the same
Closed by maintainer automation: superseded by merged #389.
Problem
`updateCommand` (`cli/src/commands/update.ts:25`) called `initCommand({force: true})` after showing the latest GitHub release tag. Since `initCommand` uses locally bundled assets by default, the actual CLI binary was never updated — only the skill files were reinstalled from the version already on disk.
A user running `uipro update` expecting a version bump received the same files they already had.
Fix
Replace the body of `updateCommand` with a call to `npm install -g uipro-cli@latest` via `execSync`. This correctly upgrades both the CLI binary and its bundled assets.
- `uipro init --ai <type> --force` to reinstall the skill
- `--ai` option from `update` (was forwarded to initCommand which no longer drives update)
Before / After
🤖 Generated with Claude Code