feat: add NODE_NPM_INSTALL_FLAGS config key for scoped npm flags #6

Merged: amanthanvi merged 6 commits into main from feat/node-npm-install-flags, Jun 28, 2026

@amanthanvi amanthanvi commented Jun 20, 2026

Owner

Summary

  • Adds a new ~/.updatesrc config key NODE_NPM_INSTALL_FLAGS that passes extra flags to npm install -g in the node module, inserted before the -- separator.
  • Solves ERESOLVE peer-dependency conflicts (e.g. @tarquinen/opencode-dcp vs @opencode-ai/plugin @opentui/core version mismatch) without requiring a global ~/.npmrc override.
  • Default is empty string = no behavior change (fully backward-compatible, opt-in).
  • Implemented in both the Bash (updates) and native Windows PowerShell (updates-main.ps1) runtimes.

Changes

  • updates (Bash): new NODE_NPM_INSTALL_FLAGS global, config parser case, word-split into run_npm_global_install() args (including ERESOLVE retry path), and dry-run output.
  • updates-main.ps1 (PowerShell): new $script:NodeNpmInstallFlags variable, config parser case, whitespace-split into Invoke-NpmGlobalInstall args (including ERESOLVE retry path), and dry-run output in Invoke-ModuleNode.
  • SPEC.md: added to the config key table.
  • README.md: added to the config example and documented the key.
  • CHANGELOG.md: added under [Unreleased].

Test plan

  • New Bash test: with NODE_NPM_INSTALL_FLAGS=--legacy-peer-deps in config, --dry-run --only node output includes the flag
  • New Bash test: without the key set, dry-run output omits extra flags (backward compat)
  • New Windows PowerShell test: same dry-run assertion via Invoke-Bootstrap with stub environment
  • All three tests pass locally (Bash on Git Bash, PowerShell via pwsh)
  • Full Bash test suite has a pre-existing python3 not-found failure unrelated to this PR

Summary by Sourcery

Add a configurable NODE_NPM_INSTALL_FLAGS option to scope extra npm install flags for the node module while keeping default behavior unchanged, with cross-platform support and tests.

New Features:

  • Introduce NODE_NPM_INSTALL_FLAGS config key to pass extra whitespace-separated flags to the node module's npm install -g invocation on Bash and native Windows PowerShell.

Enhancements:

  • Ensure npm ERESOLVE and allow-scripts retry paths preserve configured npm flags and dedupe --legacy-peer-deps on retry.
  • Make Windows native tests more robust by forcing non-CI self-update paths and using explicit findstr.exe with CRLF-tolerant assertions.
  • Document NODE_NPM_INSTALL_FLAGS behavior and semantics in SPEC, README, PLAN, and CHANGELOG.

Tests:

  • Add Bash and Windows native tests covering NODE_NPM_INSTALL_FLAGS usage in dry-run output and npm retry behavior, including deduplication and glob literal handling.

Summary by CodeRabbit

  • New Features

    • Added NODE_NPM_INSTALL_FLAGS to ~/.updatesrc to forward extra, whitespace-separated flags (e.g., --legacy-peer-deps) to npm install -g for the node module.
  • Documentation

    • Updated CHANGELOG, README, and SPEC with usage, defaults, and how flags appear in dry-run and retry scenarios.
  • Bug Fixes

    • Improved ERESOLVE retry handling to preserve configured npm flags, deduplicate --legacy-peer-deps, and avoid duplicating it.
  • Tests

    • Added Bash and Windows-native coverage for dry-run output and retry deduplication/order (including literal flag patterns).

Add a new ~/.updatesrc key NODE_NPM_INSTALL_FLAGS that inserts extra
flags into the node module's `npm install -g` invocation. This lets
users scope flags like --legacy-peer-deps to the updates tool instead
of setting them globally in ~/.npmrc. Default is empty (no behavior
change). Implemented in both the Bash and native Windows PowerShell
runtimes with corresponding dry-run output and tests.
Copilot AI review requested due to automatic review settings June 20, 2026 03:26

sourcery-ai Bot commented Jun 20, 2026

Reviewer's Guide

Adds a NODE_NPM_INSTALL_FLAGS configuration key to scope extra npm install flags for the node module, wires it through Bash and PowerShell implementations including dry-run and retry paths, hardens Windows test fixtures, and updates docs and tests accordingly.

Sequence diagram for NODE_NPM_INSTALL_FLAGS in npm global install with ERESOLVE retry

sequenceDiagram
    actor User
    participant InvokeModuleNode
    participant InvokeNpmGlobalInstall
    participant GetNpmInstallExtraFlags
    participant GetNpmInstallRetryOptions
    participant InvokeLoggedProcess
    participant CompleteNpmGlobalInstallSuccess
    participant npm

    User->>InvokeModuleNode: invoke node module
    InvokeModuleNode->>InvokeNpmGlobalInstall: Invoke-NpmGlobalInstall

    InvokeNpmGlobalInstall->>GetNpmInstallExtraFlags: Get-NpmInstallExtraFlags
    GetNpmInstallExtraFlags-->>InvokeNpmGlobalInstall: extraFlags

    InvokeNpmGlobalInstall->>InvokeLoggedProcess: Invoke-LoggedProcess (npm install -g extraFlags -- packages)
    InvokeLoggedProcess->>npm: run
    npm-->>InvokeLoggedProcess: ExitCode, Output
    InvokeLoggedProcess-->>InvokeNpmGlobalInstall: installResult

    alt [installResult.ExitCode -eq 0]
        InvokeNpmGlobalInstall->>CompleteNpmGlobalInstallSuccess: Complete-NpmGlobalInstallSuccess(Npm, Options extraFlags, Packages, Result)
        CompleteNpmGlobalInstallSuccess-->>InvokeNpmGlobalInstall: status 0
        InvokeNpmGlobalInstall-->>InvokeModuleNode: 0
    else [installResult.Output -match ERESOLVE]
        InvokeNpmGlobalInstall->>GetNpmInstallRetryOptions: Get-NpmInstallRetryOptions(Options extraFlags)
        GetNpmInstallRetryOptions-->>InvokeNpmGlobalInstall: retryOptions (dedup --legacy-peer-deps)

        InvokeNpmGlobalInstall->>InvokeLoggedProcess: Invoke-LoggedProcess (npm install -g retryOptions -- packages)
        InvokeLoggedProcess->>npm: run
        npm-->>InvokeLoggedProcess: retryResult
        InvokeLoggedProcess-->>InvokeNpmGlobalInstall: retryResult

        alt [retryResult.ExitCode -eq 0]
            InvokeNpmGlobalInstall->>CompleteNpmGlobalInstallSuccess: Complete-NpmGlobalInstallSuccess(Npm, Options retryOptions, Packages, Result)
            CompleteNpmGlobalInstallSuccess-->>InvokeNpmGlobalInstall: status 0
            InvokeNpmGlobalInstall-->>InvokeModuleNode: 0
        else [retryResult.ExitCode -ne 0]
            InvokeNpmGlobalInstall-->>InvokeModuleNode: retryResult.ExitCode
        end
    else [no ERESOLVE]
        InvokeNpmGlobalInstall-->>InvokeModuleNode: installResult.ExitCode
    end

File-Level Changes

Change: Introduce NODE_NPM_INSTALL_FLAGS config and thread it through Bash and PowerShell node npm install flows, including dry-run output and ERESOLVE retries.
  • Add NODE_NPM_INSTALL_FLAGS variable/global and config parsing in both runtimes
  • Split NODE_NPM_INSTALL_FLAGS into whitespace-separated arguments and inject before the npm -- package separator
  • Ensure dry-run output reflects configured extra flags when set and omits them when unset
Files: updates, updates-main.ps1

Change: Refine npm ERESOLVE and allow-scripts retry behavior to retain configured flags while deduping legacy-peer-deps and preserving literal patterns.
  • Introduce helpers to compute extra npm flags and retry options with legacy-peer-deps deduplication on Windows
  • Update Bash node retry logic to keep configured flags, append legacy-peer-deps once, and avoid glob expansion of literal flag patterns
  • Adjust tests to assert the exact command lines for initial and retry installs and verify legacy-peer-deps appears exactly once
Files: updates, updates-main.ps1, tests/test_cli.sh, tests/test_windows_native.ps1

Change: Improve Windows native test reliability and expectations around npm command parsing and CRLF handling.
  • Clear CI environment variable to force non-CI self-update path for Windows fixture tests
  • Use explicit SystemRoot\System32\findstr.exe in cmd stubs for deterministic matching
  • Relax regex expectations to allow optional carriage returns in captured npm output markers
Files: tests/test_windows_native.ps1

Change: Document the new NODE_NPM_INSTALL_FLAGS option and its behavior in config specification, README, changelog, and internal plan.
  • Add NODE_NPM_INSTALL_FLAGS to SPEC.md config key table and node module behavior description
  • Update README example config and narrative to explain usage and defaults
  • Record the new config key under Unreleased in CHANGELOG and add an execution plan section in PLAN.md
Files: SPEC.md, README.md, CHANGELOG.md, PLAN.md

coderabbitai Bot commented Jun 20, 2026

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new NODE_NPM_INSTALL_FLAGS configuration key to ~/.updatesrc. Both the Bash and PowerShell scripts parse it, pass it into npm install -g, preserve it across retry paths, and reflect it in dry-run output. Documentation and tests were updated for the new behavior.

Changes

NODE_NPM_INSTALL_FLAGS feature

  • Variable declaration and config parsing (updates, updates-main.ps1): NODE_NPM_INSTALL_FLAGS is declared with an empty default in both scripts, and each config parser is extended to read and store the value from ~/.updatesrc.
  • npm install invocation and retry handling (updates, updates-main.ps1): Parsed extra flags are threaded into live npm install -g calls, dry-run logging, and the ERESOLVE retry path in both scripts, including deduping --legacy-peer-deps when rebuilding retry arguments.
  • Documentation updates (CHANGELOG.md, PLAN.md, README.md, SPEC.md): The new key and its node module behavior are documented in the changelog, plan, README example, and SPEC contract.
  • CLI and Windows coverage (tests/test_cli.sh, tests/test_windows_native.ps1): Tests cover dry-run output, unset behavior, retry preservation, retry deduplication, and Windows command matching/line-ending handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • amanthanvi/updates#4: Shares the same npm install -g ERESOLVE retry path that this PR extends with user-configured flags.
  • amanthanvi/updates#5: Touches the same npm retry and argument-construction flow, including the --allow-scripts retry behavior referenced alongside this change.

Poem

🐇 I sniffed a flag in .updatesrc tonight,
It hopped into npm and made the install just right.
Bash and PowerShell now skip the old detour,
And retry paths keep their flags, then add one more.

🚥 Pre-merge checks | ✅ 5 passed
  • Title check: ✅ Passed. The title clearly and concisely states the main change: adding a scoped NODE_NPM_INSTALL_FLAGS config key.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: ✅ Passed. The description is mostly complete and clearly explains the change, implementation, and tests, even though the checklist is presented as a test plan.

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • When handling the ERESOLVE retry in Invoke-NpmGlobalInstall, you always append --legacy-peer-deps in addition to any user-supplied NodeNpmInstallFlags, which can lead to duplicate flags if the user also specifies --legacy-peer-deps; consider checking for that flag first or normalizing the combined flag list.

Copilot AI left a comment


Pull request overview

This PR adds an opt-in ~/.updatesrc configuration key (NODE_NPM_INSTALL_FLAGS) to pass additional flags to the node module’s npm install -g invocation, implemented in both the Bash (updates) and native Windows PowerShell (updates-main.ps1) runtimes, and documented/tested accordingly.

Changes:

  • Add NODE_NPM_INSTALL_FLAGS config parsing and injection into npm install -g argument construction (Bash + PowerShell).
  • Update dry-run output to display the effective npm install -g command including the configured flags.
  • Document the new key in SPEC.md, README.md, and CHANGELOG.md, and add regression tests for Bash and Windows-native runtimes.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • updates-main.ps1: Adds $script:NodeNpmInstallFlags, parses config, and injects split flags into npm global install + dry-run output.
  • updates: Adds NODE_NPM_INSTALL_FLAGS, parses config, and word-splits flags into npm global install + dry-run output.
  • tests/test_windows_native.ps1: Adds a Windows-native test asserting node dry-run output includes configured npm flags.
  • tests/test_cli.sh: Adds Bash tests asserting node dry-run output includes/omits flags depending on config.
  • SPEC.md: Documents the new NODE_NPM_INSTALL_FLAGS config key in the config table.
  • README.md: Adds example usage and a short explanation of when to use NODE_NPM_INSTALL_FLAGS.
  • CHANGELOG.md: Notes the new config key under [Unreleased].


greptile-apps Bot commented Jun 20, 2026


Greptile Summary

Adds NODE_NPM_INSTALL_FLAGS as an opt-in ~/.updatesrc config key that forwards extra, whitespace-separated flags to npm install -g in the node module on both Bash and native Windows PowerShell, with no behavior change when the key is absent.

  • The Bash implementation disables glob expansion via set -f before word-splitting the config value, correctly passes flags to all npm invocation paths (normal, ERESOLVE retry, allow-scripts retry), and deduplicates --legacy-peer-deps on the ERESOLVE retry so it appears exactly once.
  • The PowerShell implementation mirrors this with Get-NpmInstallExtraFlags and Get-NpmInstallRetryOptions helpers; existing findstr calls are also hardened to full %SystemRoot%\System32\findstr.exe paths.
  • Counter variables (only_modules_count, failures_count, etc.) are introduced alongside existing arrays to guard against set -u (nounset) edge cases in Bash 3.2.

Confidence Score: 5/5

Safe to merge — the default is empty string so existing behaviour is unchanged, all three npm invocation paths (normal, ERESOLVE retry, allow-scripts retry) correctly thread the new flags, and glob injection is guarded with noglob.

Both runtimes handle the new config key correctly end-to-end: the Bash word-split is noglob-protected, the ERESOLVE deduplication loop is correct, and the PowerShell helpers mirror the same logic cleanly. The only gap is a cosmetic one — the dry-run log in module_node interpolates the raw config string rather than the normalised word-split form, so extra internal whitespace would display differently from what npm actually receives.

No files require special attention; the core logic is in updates and updates-main.ps1, both of which are well-covered by the new test cases.

Important Files Changed

  • updates: Adds NODE_NPM_INSTALL_FLAGS parsing and noglob-protected word-split into run_npm_global_install; introduces counter variables alongside arrays for nounset/Bash-3.2 compatibility; ERESOLVE retry correctly deduplicates --legacy-peer-deps; json_emit_summary refactored to avoid local array under nounset. One cosmetic gap: dry-run log shows raw config string rather than normalised flags.
  • updates-main.ps1: Adds Get-NpmInstallExtraFlags and Get-NpmInstallRetryOptions helpers; NodeNpmInstallFlags wired into Invoke-NpmGlobalInstall and Invoke-ModuleNode; --legacy-peer-deps deduplication on ERESOLVE retry is correct; findstr calls hardened to full path.
  • tests/test_cli.sh: Adds dry-run with/without NODE_NPM_INSTALL_FLAGS tests, nounset compatibility test, and a glob-literal test that creates a file matching --flag=* to confirm glob protection; deduplication assertion on the ERESOLVE retry path.
  • tests/test_windows_native.ps1: Removes CI env var before self-update fixture tests; adds NODE_NPM_INSTALL_FLAGS dry-run and retry-deduplication test cases; existing findstr calls updated to full %SystemRoot%\System32\findstr.exe path; regex patterns updated for optional \r? to handle CRLF line endings.
  • SPEC.md: NODE_NPM_INSTALL_FLAGS added to config table with correct type, default, and example; node module spec updated to document flag insertion, whitespace-split, ERESOLVE dedup, and allow-scripts flag retention.
  • README.md: NODE_NPM_INSTALL_FLAGS added to the .updatesrc example block and documented in prose; wording is clear and accurate.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[run_npm_global_install called] --> B{NODE_NPM_INSTALL_FLAGS set?}
    B -- No --> C[npm_install_options = --]
    B -- Yes --> D[set -f, word-split flags, set +f]
    D --> E[npm_extra_flags = parsed flags
npm_install_options = flags --]
    C --> F[set -- packages restore]
    E --> F
    F --> G{DRY_RUN?}
    G -- Yes --> H[returns 0 via run wrapper]
    G -- No --> I[mktemp npm_err_log]
    I --> J[run_npm_global_install_logged
npm install -g options packages]
    J --> K{exit 0?}
    K -- Yes --> L[handle_npm_global_install_success
allow-scripts retry if needed]
    K -- No --> M{ERESOLVE in err log?}
    M -- No --> N[cat err, return status]
    M -- Yes --> O[Build retry_flags:
remove --legacy-peer-deps
append --legacy-peer-deps once]
    O --> P[run_npm_global_install_logged retry]
    P --> Q{exit 0?}
    Q -- Yes --> R[handle_npm_global_install_success
with retry_flags]
    Q -- No --> S[cat err, return status]

Reviews (2): Last reviewed commit: "fix: guard empty arrays under nounset" | Re-trigger Greptile


amanthanvi commented Jun 21, 2026

Owner Author

Implemented the three Greptile findings from the fresh review pass.

Changed:

  • Bash NODE_NPM_INSTALL_FLAGS word-splitting now disables glob expansion while building the extra flag array.
  • Bash and PowerShell ERESOLVE retry paths now remove any user-provided --legacy-peer-deps before adding the forced retry flag once.
  • Retry ordering now leaves configured flags first and puts the forced --legacy-peer-deps last, so it also matches the fresh Copilot retry-order comments.
  • Added Bash and Windows-native regression coverage for literal glob flags and duplicate legacy-peer-deps retry handling.

Validation:

  • ./tests/test_cli.sh
  • bash -n updates tests/test_cli.sh && shellcheck -x updates tests/test_cli.sh && shfmt -d updates tests/test_cli.sh
  • PowerShell parser check for updates-main.ps1 and tests/test_windows_native.ps1

Residual risk:

  • Windows-native runtime test was not executed on this macOS host; only parser validation ran locally.
  • GitHub still reports mergeStateStatus: DIRTY after this push, so the PR may still need base-branch conflict cleanup before merge.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@updates`:
- Around line 707-711: The `npm_extra_flags` array expansions in the npm install
flow are not fully guarded for `set -u`, which can make an empty array behave as
unbound in Bash 3.2. Update the call sites around
`run_npm_global_install_logged` and `handle_npm_global_install_success`, and any
related loop using `npm_extra_flags`, to use the `${npm_extra_flags[@]+...}`
pattern so the default `NODE_NPM_INSTALL_FLAGS` path cannot abort before `npm
install`.
📥 Commits

Reviewing files that changed from the base of the PR and between 82a70cb and 5e8f5c3.

📒 Files selected for processing (8)
  • CHANGELOG.md
  • PLAN.md
  • README.md
  • SPEC.md
  • tests/test_cli.sh
  • tests/test_windows_native.ps1
  • updates
  • updates-main.ps1
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: windows-powershell-smoke
  • GitHub Check: windows-powershell-smoke
🧰 Additional context used
📓 Path-based instructions (6)
**/CHANGELOG.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a CHANGELOG.md entry for each release

Files:

  • CHANGELOG.md
**/PLAN.md

📄 CodeRabbit inference engine (AGENTS.md)

Maintain PLAN.md as living execution checklist; keep it updated as work lands

Files:

  • PLAN.md
**/SPEC.md

📄 CodeRabbit inference engine (AGENTS.md)

Maintain SPEC.md as living contract for flags/output/modules

Files:

  • SPEC.md
**/updates

📄 CodeRabbit inference engine (AGENTS.md)

**/updates: Don't print success messages for failed commands in the updates script
Add new functionality as a module function (module_<name>()) and register it in is_module_known(), module_description(), list_modules(), and run_selected_modules()
Modules must be auto-detected and skip gracefully if the backing command is missing, unless --only is used (then missing deps are an error)
For --json contract: stdout must be JSONL-only; route human output to stderr
Keep UPDATES_VERSION in updates aligned with the latest release tag
Use config_set_bool for adding boolean config keys in the updates script

Files:

  • updates
**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

**/*.sh: Validate scripts using ./scripts/lint.sh which runs bash -n, shellcheck, and shfmt -d
Assume Bash 3.2 compatibility (macOS system Bash); avoid Bash 4+ features
Prefer --dry-run support for anything that might mutate state
Start every logical section with a triple-hash banner: ### SECTION: <name> — <description>

Files:

  • tests/test_cli.sh
**/tests/**/*.sh

📄 CodeRabbit inference engine (AGENTS.md)

**/tests/**/*.sh: Run tests via ./scripts/test.sh which executes ./tests/test_cli.sh
Keep output stable and easy to parse; prefer --no-emoji in tests

Files:

  • tests/test_cli.sh
🪛 ast-grep (0.44.0)
tests/test_cli.sh

[warning] 983-983: set +e (or set +o errexit) disables the shell's errexit option, so the script keeps running after a command fails. This masks failures of security-critical operations (downloads, signature/checksum verification, permission changes, cleanup of secrets), letting the script proceed with a bad or insecure state. Leave errexit enabled (set -e / set -euo pipefail), or handle failures explicitly with if/|| and an explicit exit instead of globally turning off failure detection.
Context: set +e
Note: [CWE-754] Improper Check for Unusual or Exceptional Conditions.

(set-plus-e-error-masking-bash)

🪛 PSScriptAnalyzer (1.25.0)
updates-main.ps1

[warning] 761-761: Function 'New-NpmInstallArguments' has verb that could change system state. Therefore, the function has to support 'ShouldProcess'.

(PSUseShouldProcessForStateChangingFunctions)


[warning] 761-761: The cmdlet 'New-NpmInstallArguments' uses a plural noun. A singular noun should be used instead.

Suggested fix: Singularized correction of 'New-NpmInstallArguments'

(PSUseSingularNouns)


[warning] 772-772: The cmdlet 'Get-NpmInstallExtraFlags' uses a plural noun. A singular noun should be used instead.

Suggested fix: Singularized correction of 'Get-NpmInstallExtraFlags'

(PSUseSingularNouns)


[warning] 780-780: The cmdlet 'Get-NpmInstallRetryOptions' uses a plural noun. A singular noun should be used instead.

Suggested fix: Singularized correction of 'Get-NpmInstallRetryOptions'

(PSUseSingularNouns)

🔇 Additional comments (13)
CHANGELOG.md (1)

10-13: LGTM!

PLAN.md (1)

1-15: LGTM!

README.md (1)

122-128: LGTM!

SPEC.md (2)

266-266: LGTM!


466-468: 🎯 Functional Correctness

Allow-scripts retry already preserves NODE_NPM_INSTALL_FLAGS in both Bash and PowerShell.

tests/test_cli.sh (1)

16-16: LGTM!

Also applies to: 27-28, 945-948, 962-996, 1040-1128

tests/test_windows_native.ps1 (1)

17-18: LGTM!

Also applies to: 436-466, 481-483, 505-559, 560-640, 931-989, 1002-1053, 1100-1152, 1195-1195, 1280-1298, 1338-1386, 1421-1469

updates (3)

680-693: LGTM!


725-739: LGTM!


749-806: LGTM!

updates-main.ps1 (3)

761-787: LGTM!


840-869: LGTM!


950-951: LGTM!
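
The flag handling discussed in this thread (noglob-protected word-splitting of the config value, a single forced --legacy-peer-deps on the ERESOLVE retry, and array expansion that survives set -u on Bash 3.2), as an added Bash example that is not the project's own code. The names split_npm_flags, build_retry_flags, npm_install_argv, NPM_EXTRA_FLAGS and NPM_RETRY_FLAGS are hypothetical, and the sample config value is constructed.

```bash
#!/usr/bin/env bash
# Added example; not code from the updates project. All names are hypothetical.
set -u # nounset: the mode under which empty arrays can abort on Bash 3.2

NPM_EXTRA_FLAGS=()
NPM_RETRY_FLAGS=()

# Word-split a config value into NPM_EXTRA_FLAGS with pathname expansion
# disabled, so a value such as --flag=* stays literal even when a matching
# file exists in the current directory. The value is never passed to eval.
split_npm_flags() {
  local raw=$1 had_noglob=0
  case $- in *f*) had_noglob=1 ;; esac
  set -f
  # shellcheck disable=SC2206  # splitting is intended; globbing is off
  NPM_EXTRA_FLAGS=($raw)
  if [ "$had_noglob" -eq 0 ]; then set +f; fi
}

# Build NPM_RETRY_FLAGS for the ERESOLVE retry: keep the configured flags in
# order, drop any user-supplied --legacy-peer-deps, then append it once, last.
build_retry_flags() {
  local flag
  NPM_RETRY_FLAGS=()
  # ${arr[@]+"${arr[@]}"} expands to nothing for an empty array instead of
  # raising "unbound variable" under set -u on old Bash.
  for flag in ${NPM_EXTRA_FLAGS[@]+"${NPM_EXTRA_FLAGS[@]}"}; do
    [ "$flag" = "--legacy-peer-deps" ] || NPM_RETRY_FLAGS+=("$flag")
  done
  NPM_RETRY_FLAGS+=("--legacy-peer-deps")
}

# Print the argv for the initial or retry install, one argument per line.
# Flags go before the -- separator; package names go after it.
npm_install_argv() {
  local mode=$1
  shift
  if [ "$mode" = retry ]; then
    printf '%s\n' npm install -g \
      ${NPM_RETRY_FLAGS[@]+"${NPM_RETRY_FLAGS[@]}"} -- "$@"
  else
    printf '%s\n' npm install -g \
      ${NPM_EXTRA_FLAGS[@]+"${NPM_EXTRA_FLAGS[@]}"} -- "$@"
  fi
}

# Constructed sample value, as it might appear in ~/.updatesrc.
split_npm_flags '--flag=* --legacy-peer-deps'
build_retry_flags
npm_install_argv initial example-pkg | tr '\n' ' '
echo
npm_install_argv retry example-pkg | tr '\n' ' '
echo
```
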

@amanthanvi

Owner Author

@greptile review
@coderabbitai review
@sourcery-ai review

@coderabbitai

coderabbitai Bot commented Jun 28, 2026


@amanthanvi: I’ll review the latest changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@amanthanvi

Owner Author

Codex review

Found 0 blocking issues in the current diff.

Checked the npm flag plumbing across Bash and PowerShell, ERESOLVE retry ordering/deduplication, allow-scripts retry preservation, Bash 3.2 nounset handling, docs/spec/changelog coverage, and the new Bash/Windows regression tests.

Validation already green locally and in GitHub checks.

@amanthanvi

Owner Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!



@amanthanvi amanthanvi merged commit edebab4 into main Jun 28, 2026
10 checks passed
@amanthanvi amanthanvi deleted the feat/node-npm-install-flags branch June 28, 2026 15:56