@dypai-ai/mcp 1.5.26 → 1.5.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.5.26",
+  "version": "1.5.27",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",

package/src/auto-update.js

@@ -1,13 +1,11 @@
 /**
  * Self-update for @dypai-ai/mcp.
  *
- * On startup, checks the npm registry for a newer version. If found, performs
+ * On every startup, checks the npm registry for a newer version. If found, performs
  * the appropriate update (clear npx cache or `npm install -g`) and exits with
  * code 0 so the host (Cursor / Claude / Trae / VSCode) re-spawns the process
  * with the freshly installed version.
  *
- * Throttled to one check every 6h to avoid hammering the registry.
- *
  * Disable with:  DYPAI_NO_AUTOUPDATE=1
  */
 
@@ -21,13 +19,7 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_PATH = join(__dirname, "..", "package.json");
 const PKG_NAME = "@dypai-ai/mcp";
 const REGISTRY_URL = `https://registry.npmjs.org/${PKG_NAME}/latest`;
-// Dist-tags endpoint is tiny (<200B) — used to check if there's a CRITICAL
-// release the user must upgrade to immediately, bypassing the 6h throttle.
-// To mark a version as critical after publish:
-//   npm dist-tag add @dypai-ai/mcp@1.4.5 critical
-const DIST_TAGS_URL = `https://registry.npmjs.org/-/package/${PKG_NAME}/dist-tags`;
 const CHECK_TIMEOUT_MS = 2000;
-const THROTTLE_HOURS = 6;
 const STATE_FILE = join(tmpdir(), "dypai-mcp-update-state.json");
 
 function log(msg) {
@@ -73,32 +65,6 @@ async function fetchLatestManifest() {
   }
 }
 
-/**
- * Fetch the `critical` dist-tag (if published). Used to bypass the 6h throttle
- * when a release is important enough that users must upgrade on next spawn.
- *
- * Returns the critical version string (e.g. "1.4.5") or null if no critical
- * tag is set, the registry is unreachable, or the response is malformed.
- *
- * Cost: one tiny JSON fetch (~200 bytes) per spawn. Adds ~50-150ms to startup
- * but runs in parallel with the rest of the MCP init, so wall-clock impact is
- * usually zero.
- */
-async function fetchCriticalVersion() {
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), CHECK_TIMEOUT_MS);
-  try {
-    const res = await fetch(DIST_TAGS_URL, { signal: ctrl.signal });
-    if (!res.ok) return null;
-    const tags = await res.json();
-    return typeof tags?.critical === "string" ? tags.critical : null;
-  } catch {
-    return null;
-  } finally {
-    clearTimeout(timer);
-  }
-}
-
 /**
  * After npm publish there's a 30s–2min window where the registry knows the
  * version but the tarball is not yet replicated across the CDN. If we clear
@@ -170,37 +136,21 @@ function installGlobalLatest() {
  * Main entry point — call once at startup.
  * Returns quickly. Exits the process if an update was applied.
  */
-export async function checkForUpdates({ force = false } = {}) {
+export async function checkForUpdates() {
   if (process.env.DYPAI_NO_AUTOUPDATE === "1") return { skipped: "disabled" };
 
   const current = getCurrentVersion();
   if (!current) return { skipped: "no current version" };
 
-  // ── Critical release check (bypasses the 6h throttle) ────────────────────
-  // If an ops person has run `npm dist-tag add @dypai-ai/mcp@X.Y.Z critical`,
-  // every spawn picks that up and forces an upgrade regardless of when the
-  // last normal check ran. Used for security / data-loss bug fixes where
-  // 6-24h propagation is too slow.
-  const criticalVersion = await fetchCriticalVersion();
-  const hasCritical = criticalVersion && compareVersions(criticalVersion, current) > 0;
-  if (hasCritical) {
-    log(`CRITICAL update required: ${current} → ${criticalVersion} (bypassing throttle)`);
-    force = true;
-  }
-
-  // Throttle (skipped when force or critical)
-  if (!force) {
-    const state = readState();
-    if (state.lastCheckAt) {
-      const hoursAgo = (Date.now() - state.lastCheckAt) / 3_600_000;
-      if (hoursAgo < THROTTLE_HOURS) return { skipped: "throttled" };
-    }
-  }
-
   const manifest = await fetchLatestManifest();
   const latest = manifest?.version || null;
   const tarballUrl = manifest?.dist?.tarball || null;
-  writeState({ lastCheckAt: Date.now(), lastSeenLatest: latest, current });
+  writeState({
+    ...readState(),
+    lastCheckAt: Date.now(),
+    lastSeenLatest: latest,
+    current,
+  });
 
   if (!latest) return { skipped: "registry unreachable" };
   if (compareVersions(latest, current) <= 0) return { uptodate: true, current };
@@ -213,7 +163,7 @@ export async function checkForUpdates({ force = false } = {}) {
   // If we clear the cache + exit during that window, next spawn fails.
   const ready = await isTarballReady(tarballUrl);
   if (!ready) {
-    log(`new version ${latest} not yet downloadable from CDN; will retry later`);
+    log(`new version ${latest} not yet downloadable from CDN; will retry on next spawn`);
     return { skipped: "tarball not ready" };
   }
 
@@ -223,6 +173,11 @@ export async function checkForUpdates({ force = false } = {}) {
   if (method === "npx") {
     log(`tarball verified — clearing npx cache so the next spawn pulls ${PKG_NAME}@${latest}`);
     updated = clearNpxCacheForPackage();
+    // Even if no cached dir matched, exit so npx re-resolves @latest on respawn.
+    if (!updated) {
+      log("no npx cache entry found; exiting anyway so the host re-resolves @latest");
+      updated = true;
+    }
   } else if (method === "global") {
     log(`tarball verified — running: npm install -g ${PKG_NAME}@latest`);
     updated = installGlobalLatest();