fix: use pnpm instead of npm in updatePlugins.sh #7468
The script used npm outdated which doesn't work with pnpm workspaces, and pnpm install which doesn't update existing packages. Changed to pnpm outdated and pnpm update respectively.

Fixes #6670

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Review Summary by Qodo
Fix plugin update detection in pnpm workspaces
Walkthroughs
Description
• Replace npm outdated with pnpm outdated for workspace compatibility
• Change pnpm install to pnpm update for proper package updates
• Fixes plugin update detection in pnpm workspaces
Diagram
flowchart LR
A["updatePlugins.sh"] -->|"npm outdated"| B["❌ Fails in pnpm workspaces"]
A -->|"pnpm outdated"| C["✓ Detects outdated plugins"]
D["pnpm install"] -->|"doesn't update"| E["❌ Packages unchanged"]
F["pnpm update"] -->|"updates packages"| G["✓ Plugins updated"]
File Changes
1. bin/updatePlugins.sh
Code Review by Qodo
1. updatePlugins.sh lacks regression test
| OUTDATED=$(pnpm outdated --depth=0 | awk '{print $1}' | grep '^ep_') || { | ||
| echo "All plugins are up-to-date" | ||
| exit 0 | ||
| } | ||
| set -- ${OUTDATED} | ||
| echo "Updating plugins: $*" | ||
| exec pnpm install "$@" | ||
| exec pnpm update "$@" |
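Review bot: On the `OUTDATED=$(pnpm outdated --depth=0 | awk '{print $1}' | grep '^ep_') || {` line, the `||` branch only sees grep's exit status unless `pipefail` is set somewhere outside this hunk, so a `pnpm outdated` run that errors out and prints nothing is reported as "All plugins are up-to-date" with exit 0. Capture the pnpm output and exit status first, fail on an unexpected status, and only then filter for `^ep_`. Separately, `set -- ${OUTDATED}` relies on unquoted expansion, which also applies pathname expansion to whatever appears in column one; since those words become the arguments of `exec pnpm update "$@"`, check each against a strict plugin-name pattern (or disable globbing with `set -f`) before the exec.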
1. updateplugins.sh lacks regression test 📘 Rule violation ☼ Reliability
This PR changes the plugin update logic but does not add or update any regression test to ensure the bug fix remains verifiable. Without a test, a future change could revert the pnpm-based behavior and reintroduce the failure to detect/upgrade plugins.
Agent Prompt
## Issue description
The fix in `bin/updatePlugins.sh` has no regression test to ensure outdated plugins are detected and upgraded (and to fail if the script is reverted back to the broken behavior).
## Issue Context
Add a test that simulates `pnpm outdated` output and asserts the script:
- prints `All plugins are up-to-date` when nothing matches `^ep_`
- invokes `pnpm update` with the expected `ep_*` plugin names when updates are available
## Fix Focus Areas
- bin/updatePlugins.sh[5-11]
- Use --filter ep_etherpad-lite so pnpm operates on the right workspace
- Exclude ep_etherpad-lite from the plugin list
- Handle pnpm outdated exit codes correctly (returns 1 when outdated)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Hi @JohnMcLear, nice to see you back in there! This PR doesn't seem to fix the bug. Running 2.7.2 I can see some plugins updates or available in admin panel:
But running
…oses #6670) (#7644)

* fix(plugins): updatePlugins.sh actually updates installed plugins (#6670)

bin/updatePlugins.sh detected outdated plugins by running `pnpm --filter ep_etherpad-lite outdated --depth=0`, but installed plugins are not registered in src/package.json — bin/plugins.ts adds them via linkInstaller.installPlugin which writes to src/plugin_packages/.versions/<name>@<version>/ and tracks the result in var/installed_plugins.json. pnpm has no view of them, so `outdated` returns empty and the script always reported "All plugins are up-to-date" even when newer versions existed on the registry.

PR #7468 fixed npm→pnpm and install→update but kept the same broken detection mechanism, which is why the issue stayed open after that PR landed.

Read the plugin list from var/installed_plugins.json instead, then re-invoke linkInstaller.installPlugin(name) for each entry. Calling the installer without a version pin resolves the registry-latest and overwrites the existing pinned copy, so an outdated plugin is brought to head while plugins already at latest are no-ops apart from the pnpm cache hit.

Add an `update`/`up` action to bin/plugins.ts so users can also run `pnpm run plugins update` directly, mirroring the existing install/remove/list actions. updatePlugins.sh becomes a one-line wrapper for backwards compatibility.

Reproduction (verified):

pnpm run install-plugins ep_markdown@11.0.5 # latest is 11.0.18
./bin/updatePlugins.sh # → 11.0.18

Edge cases tested: no plugins installed, missing installed_plugins.json, already-at-latest re-run.

Closes #6670.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(plugins): validate ep_ prefix and dedupe + add regression test

Qodo flagged two issues on the original update() addition:

1. Security — update() trusted every name in var/installed_plugins.json, so a corrupted or hand-edited manifest could coerce the script into installing arbitrary npm packages. pluginfw/plugins.getPackages already gates on the ep_ prefix; mirror that gate here.
2. Reliability — no automated regression test, so a future refactor could silently bring back the broken behaviour.

Extract the safe-name filter to filterUpdatablePluginNames in bin/commonPlugins.ts (pure, side-effect-free, prefix configurable, also de-duplicates repeats so a duplicated entry installs once). Use it from plugins.ts update().

Add src/tests/backend/specs/filterUpdatablePluginNames.ts covering: keep prefixed names, drop ep_etherpad-lite, reject non-prefixed entries, de-dupe repeats, tolerate missing/null/non-string name fields, empty input, custom prefix.

Manually verified end-to-end on a live install: an installed_plugins.json containing ep_markdown@11.0.5, a duplicate ep_markdown, and a "malicious-package" entry runs `Updating plugins to latest from registry: ep_markdown` (only) and ep_markdown ends up at 11.0.18 — the bad entries are silently filtered out.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
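The manifest filtering the second commit describes, as an added TypeScript example (not the project's `filterUpdatablePluginNames`; the function name `selectUpdatable`, the manifest shape and the sample entries are assumptions). It goes one step beyond the prefix gate by also rejecting names that carry a version or URL specifier, and it returns the rejected entries so the caller can log them rather than drop them silently.

```typescript
// Added illustration, not Etherpad's bin/commonPlugins.ts.
// Assumed manifest shape: { "plugins": [ { "name": ..., "version": ... } ] }
type ManifestEntry = { name?: unknown } | null | undefined;

interface PluginSelection {
  accepted: string[];  // names that may be handed to the installer, first-seen order
  rejected: unknown[]; // dropped entries, returned so the caller can log them
}

const CORE = 'ep_etherpad-lite'; // the core package is never updated as a plugin
// Assumption (stricter than a bare prefix check): the remainder of the name
// must be a plain package-name token, with no version or URL specifier.
const SAFE_REST = /^[a-z0-9][a-z0-9_-]*$/;

function selectUpdatable(entries: ManifestEntry[], prefix = 'ep_'): PluginSelection {
  const out: PluginSelection = { accepted: [], rejected: [] };
  for (const e of entries) {
    const name = e == null ? undefined : e.name;
    if (typeof name !== 'string' ||
        name.slice(0, prefix.length) !== prefix ||
        !SAFE_REST.test(name.slice(prefix.length))) {
      out.rejected.push(name ?? e);
      continue;
    }
    // Core package and repeats are valid names but must not be installed (again).
    if (name === CORE || out.accepted.indexOf(name) !== -1) continue;
    out.accepted.push(name);
  }
  return out;
}

// Constructed sample manifest, not taken from a real install.
const SAMPLE_MANIFEST = JSON.stringify({ plugins: [
  { name: 'ep_etherpad-lite', version: '2.7.2' },
  { name: 'ep_markdown', version: '11.0.5' },
  { name: 'ep_markdown', version: '11.0.5' },  // duplicate entry
  { name: 'malicious-package' },               // wrong prefix
  { name: 'ep_markdown@11.0.5' },              // specifier inside the name
  { name: null }, {}, null,                    // missing or non-string names
] });

function loadSample(): PluginSelection {
  const parsed = JSON.parse(SAMPLE_MANIFEST);
  return selectUpdatable(Array.isArray(parsed?.plugins) ? parsed.plugins : []);
}

const sample = loadSample();
console.log('update:', sample.accepted, 'rejected:', sample.rejected.length);
```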

Summary
- updatePlugins.sh used npm outdated which doesn't work with pnpm workspaces, so it never detected outdated plugins
- pnpm install instead of pnpm update, which doesn't update existing packages

Test plan
- bin/updatePlugins.sh, verify it updates

Fixes #6670
🤖 Generated with Claude Code