Update Fleet-maintained apps#44358
Conversation
Generated automatically with cmd/maintained-apps.
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
fleet-release
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
Script Diff Resultsee/maintained-apps/outputs/claude/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/discord/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/google-chrome/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/microsoft-excel/darwin.json=== Install // 6be6955e -> 4da2b48a ===
--- /tmp/old.UA7IU1 2026-04-29 02:03:24.235979300 +0000
+++ /tmp/new.p3SYOF 2026-04-29 02:03:24.235979300 +0000
@@ -117,6 +117,6 @@
EOF
-sudo installer -pkg "$TMPDIR"/Microsoft_Excel_16.108.26041915_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
+sudo installer -pkg "$TMPDIR"/Microsoft_Excel_16.108.26042616_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
relaunch_application 'com.microsoft.Excel'
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/microsoft-onenote/darwin.json=== Install // 46212383 -> 3cc941f6 ===
--- /tmp/old.xb4mlz 2026-04-29 02:03:24.292978518 +0000
+++ /tmp/new.DekEIf 2026-04-29 02:03:24.292978518 +0000
@@ -96,5 +96,5 @@
# install pkg files
quit_and_track_application 'com.microsoft.onenote.mac'
-sudo installer -pkg "$TMPDIR/Microsoft_OneNote_16.108.26041915_Updater.pkg" -target /
+sudo installer -pkg "$TMPDIR/Microsoft_OneNote_16.108.26042616_Updater.pkg" -target /
relaunch_application 'com.microsoft.onenote.mac'
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/microsoft-powerpoint/darwin.json=== Install // 6dfc37ad -> edc8824a ===
--- /tmp/old.zG0txT 2026-04-29 02:03:24.329978010 +0000
+++ /tmp/new.w1TzLZ 2026-04-29 02:03:24.329978010 +0000
@@ -117,6 +117,6 @@
EOF
-sudo installer -pkg "$TMPDIR"/Microsoft_PowerPoint_16.108.26041915_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
+sudo installer -pkg "$TMPDIR"/Microsoft_PowerPoint_16.108.26042616_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
relaunch_application 'com.microsoft.Powerpoint'
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/microsoft-word/darwin.json=== Install // 1daaf52c -> b113f24a ===
--- /tmp/old.dHw2vA 2026-04-29 02:03:24.366977502 +0000
+++ /tmp/new.ezjjED 2026-04-29 02:03:24.367977488 +0000
@@ -117,6 +117,6 @@
EOF
-sudo installer -pkg "$TMPDIR"/Microsoft_Word_16.108.26041915_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
+sudo installer -pkg "$TMPDIR"/Microsoft_Word_16.108.26042616_Installer.pkg -target / -applyChoiceChangesXML "$CHOICE_XML"
relaunch_application 'com.microsoft.Word'
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/wacom-tablet/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/whatsapp/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) === |
WalkthroughThis PR updates version metadata across nine maintained-app JSON manifests. It bumps package versions for Claude (Darwin: 1.4758.0 → 1.5220.0), Discord (Windows: 1.0.9234 → 1.0.9235), Google Chrome (Windows: 147.0.7727.117 → 147.0.7727.138), Microsoft Office applications on macOS (Excel, OneNote, PowerPoint, Word: 16.108.1 → 16.108), Wacom Tablet (Darwin: 6.4.12-3 → 6.4.13-4), and WhatsApp (Darwin: 26.16.17 → 26.17.19). For each application, the corresponding Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
ee/maintained-apps/outputs/wacom-tablet/darwin.json (1)
20-20:⚠️ Potential issue | 🟠 MajorUninstall script likely fails to remove wildcarded paths (glob expansion blocked by quoting).
In
uninstall_script_ref(23a5a46e), thetrash()function checks-eand runsmvusing"$target_file". Because callers pass patterns like~/Library/.../*.com.wacom.WacomTabletDriverand...com.wacom.*as quoted strings, the*does not expand—sotrash()will look for a literal filename containing*and silently do nothing.This is a correctness issue for uninstallation cleanup.
🛠️ Proposed fix (make `trash()` expand globs safely)
trash() { local logged_in_user="$1" local target_file="$2" local timestamp="$(date +%Y-%m-%d-%s)" local rand="$(jot -r 1 0 99999)" if [[ "$target_file" == ~* ]]; then target_file="/Users/$logged_in_user${target_file:1}" fi local trash="/Users/$logged_in_user/.Trash" local file_name="$(basename "${target_file}")" - if [[ -e "$target_file" ]]; then - echo "removing $target_file." - mv -f "$target_file" "$trash/${file_name}_${timestamp}_${rand}" - else - echo "$target_file doesn't exist." - fi + for candidate in $target_file; do + if [[ -e "$candidate" ]]; then + echo "removing $candidate." + mv -f "$candidate" "$trash/${file_name}_${timestamp}_${rand}" + fi + done }This keeps quoted logging/mv per candidate, but allows glob expansion before the loop.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ee/maintained-apps/outputs/wacom-tablet/darwin.json` at line 20, The trash() function receives quoted glob patterns (called from lines like trash $LOGGED_IN_USER '~/Library/.../*.com.wacom.WacomTabletDriver') so the asterisks are not expanded and files are never removed; update trash() to explicitly expand globs into a list (e.g. use eval or array assignment to expand $target_file after the ~ replacement), then iterate over the expanded entries and perform the existence check, mv and logging for each expanded path instead of treating $target_file as a single literal filename; keep the existing ~ handling and timestamp/rand logic and apply the change only inside the trash() function.ee/maintained-apps/outputs/claude/darwin.json (1)
19-19:⚠️ Potential issue | 🟠 MajorUninstall script likely fails to remove wildcarded paths (glob expansion blocked by quoting).
In
uninstall_script_ref(4cfbec7d),trash()uses[[ -e "$target_file" ]]andmv -f "$target_file" ..., which prevents shell glob expansion. The script then callstrashwith wildcard patterns (e.g..../com.anthropic.claudefordesktop.sfl*) passed in single quotes, so*is not expanded insidetrash(). Net effect: cleanup entries with*probably don’t get removed.Same fix approach as proposed for Wacom applies here.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ee/maintained-apps/outputs/claude/darwin.json` at line 19, The trash() function in uninstall_script_ref "4cfbec7d" treats its target argument as a literal string so glob patterns like com.anthropic.claudefordesktop.sfl* passed to trash() are not expanded; update trash() to perform glob expansion and handle multiple matches by: after replacing ~ (use LOGGED_IN_USER) assign the pattern to a local variable (e.g. target_pattern), enable safe globbing (or rely on default) and iterate over matches with a for loop (for target_file in $target_pattern) checking [[ -e "$target_file" ]] and moving each matched file to the per-user trash, so the calls to trash $LOGGED_IN_USER '...sfl*' will actually remove all matching files.
🧹 Nitpick comments (2)
ee/maintained-apps/outputs/whatsapp/darwin.json (1)
7-7: Patched SQL threshold update looks consistent—please confirm Fleet’s intended semantics for “patched” vs “exists”.
Line 7 updatesqueries.patchedto useversion_compare(bundle_short_version, '26.17.19') < 0, which aligns the “patched-older-than-threshold” check with the bumpedversionfield (line 4).One nuance to double-check: this
NOT EXISTS ( ... < 0)pattern will typically evaluate as “patched” even if WhatsApp is not installed (since the subquery would be empty). If Fleet only evaluatespatchedwhenexistsis true (common pattern), you’re fine; otherwise, you may need to gatepatchedon existence.If you want to make the semantics explicit (only “patched” when installed), consider rewriting
patchedto also require a matching row exists before applying the version threshold.To confirm the intended semantics, compare this query shape against a couple other app manifests in the same PR/repo that only update the version threshold.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ee/maintained-apps/outputs/whatsapp/darwin.json` at line 7, The patched query currently uses queries.patched with NOT EXISTS (... version_compare(bundle_short_version, '26.17.19') < 0) which will be true for devices where the app is not installed; if Fleet intends “patched” only when installed, change queries.patched to also require the app exists (e.g., combine checks against queries.exists or include an EXISTS(...) for bundle_identifier before applying version_compare on bundle_short_version) so the patched flag only evaluates for installed apps and stays aligned with the bumped version field; verify consistency by matching this shape to other app manifests' queries.patched and queries.exists in the repo.ee/maintained-apps/outputs/microsoft-powerpoint/darwin.json (1)
10-20: Add manifest ref validation in ingestion/CI to prevent silent install-script loss.The mapping is correct in this file, but
server/mdm/maintainedapps/sync.goresolves refs via direct map lookup; a typo ininstall_script_refwould become an empty install script with no explicit error. Consider a validation step that asserts both script refs exist inrefsfor each manifest (optionally also checking hash-derived ref correctness).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ee/maintained-apps/outputs/microsoft-powerpoint/darwin.json` around lines 10 - 20, The ingestion can silently drop scripts when a manifest's install_script_ref/uninstall_script_ref doesn't exist in the refs map; update server/mdm/maintainedapps/sync.go to validate manifest refs during ingest/CI by asserting that each manifest's "install_script_ref" and "uninstall_script_ref" keys resolve to an entry in the "refs" map (fail the ingest with a clear error on missing refs), and optionally add a secondary check that the resolved content matches any expected sha/hash (validate the "sha256" or compute a hash to detect mismatch). Ensure the validation runs before any manifest is accepted/applied and include clear error messages naming the manifest and missing ref key so CI/ingestion fails fast.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In `@ee/maintained-apps/outputs/claude/darwin.json`:
- Line 19: The trash() function in uninstall_script_ref "4cfbec7d" treats its
target argument as a literal string so glob patterns like
com.anthropic.claudefordesktop.sfl* passed to trash() are not expanded; update
trash() to perform glob expansion and handle multiple matches by: after
replacing ~ (use LOGGED_IN_USER) assign the pattern to a local variable (e.g.
target_pattern), enable safe globbing (or rely on default) and iterate over
matches with a for loop (for target_file in $target_pattern) checking [[ -e
"$target_file" ]] and moving each matched file to the per-user trash, so the
calls to trash $LOGGED_IN_USER '...sfl*' will actually remove all matching
files.
In `@ee/maintained-apps/outputs/wacom-tablet/darwin.json`:
- Line 20: The trash() function receives quoted glob patterns (called from lines
like trash $LOGGED_IN_USER '~/Library/.../*.com.wacom.WacomTabletDriver') so the
asterisks are not expanded and files are never removed; update trash() to
explicitly expand globs into a list (e.g. use eval or array assignment to expand
$target_file after the ~ replacement), then iterate over the expanded entries
and perform the existence check, mv and logging for each expanded path instead
of treating $target_file as a single literal filename; keep the existing ~
handling and timestamp/rand logic and apply the change only inside the trash()
function.
---
Nitpick comments:
In `@ee/maintained-apps/outputs/microsoft-powerpoint/darwin.json`:
- Around line 10-20: The ingestion can silently drop scripts when a manifest's
install_script_ref/uninstall_script_ref doesn't exist in the refs map; update
server/mdm/maintainedapps/sync.go to validate manifest refs during ingest/CI by
asserting that each manifest's "install_script_ref" and "uninstall_script_ref"
keys resolve to an entry in the "refs" map (fail the ingest with a clear error
on missing refs), and optionally add a secondary check that the resolved content
matches any expected sha/hash (validate the "sha256" or compute a hash to detect
mismatch). Ensure the validation runs before any manifest is accepted/applied
and include clear error messages naming the manifest and missing ref key so
CI/ingestion fails fast.
In `@ee/maintained-apps/outputs/whatsapp/darwin.json`:
- Line 7: The patched query currently uses queries.patched with NOT EXISTS (...
version_compare(bundle_short_version, '26.17.19') < 0) which will be true for
devices where the app is not installed; if Fleet intends “patched” only when
installed, change queries.patched to also require the app exists (e.g., combine
checks against queries.exists or include an EXISTS(...) for bundle_identifier
before applying version_compare on bundle_short_version) so the patched flag
only evaluates for installed apps and stays aligned with the bumped version
field; verify consistency by matching this shape to other app manifests'
queries.patched and queries.exists in the repo.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: fe3506f3-d611-46ea-a5ac-dacb09843db5
📒 Files selected for processing (9)
ee/maintained-apps/outputs/claude/darwin.jsonee/maintained-apps/outputs/discord/windows.jsonee/maintained-apps/outputs/google-chrome/windows.jsonee/maintained-apps/outputs/microsoft-excel/darwin.jsonee/maintained-apps/outputs/microsoft-onenote/darwin.jsonee/maintained-apps/outputs/microsoft-powerpoint/darwin.jsonee/maintained-apps/outputs/microsoft-word/darwin.jsonee/maintained-apps/outputs/wacom-tablet/darwin.jsonee/maintained-apps/outputs/whatsapp/darwin.json
|
Closing in favor of #44384. |
2 participants
Automated ingestion of latest Fleet-maintained app data.
Summary by CodeRabbit
Release Notes