npm - alvin-bot - Versions diffs - 4.8.4 → 4.8.5 - Mend

alvin-bot 4.8.4 → 4.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md +25 -0
package/dist/services/updater.js +153 -57
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,31 @@
 All notable changes to Alvin Bot are documented here.
+## [4.8.5] — 2026-04-11
+### 🐛 `/update` now works for npm-global installs
+Caught on the test MacBook: `/update` reported *"Already up to date — no new commits"* even though npm had a newer version published. Root cause was two separate bugs feeding into each other.
+**Bug 1 — false git-repo detection**. `isGitRepo()` used `git rev-parse --is-inside-work-tree` which walks up the directory tree looking for any ancestor `.git` folder. On the test MacBook, `alvin-bot` was installed at `/opt/homebrew/lib/node_modules/alvin-bot/` which has no `.git` itself — but Homebrew stores its formula tree at `/opt/homebrew/` as a git repo. So `git rev-parse` walked up, found Homebrew's `.git`, and returned `true`. The updater then dutifully fetched Homebrew's upstream (which was up-to-date), found 0 new commits, and reported "Already up to date" — about the wrong repository.
+**Fix**: `isOwnGitRepo()` now does a strict check for `PROJECT_ROOT/.git` directly, no directory walk. False positives from ancestor git repos are impossible.
+**Bug 2 — no update path for npm-global installs**. Even with a correct `isGitRepo()` check, the updater would return *"Not in a git repo — update only supported for source installs."* for npm-global installs. That meant you could never update an npm-installed alvin-bot from within the bot itself.
+**Fix**: New `runNpmUpdate()` path that kicks in when `PROJECT_ROOT` looks like a `node_modules/alvin-bot` install (covers Homebrew node, plain npm, nvm, volta). It:
+1. Reads the local version from `package.json`
+2. Queries `npm view alvin-bot version` for the latest published version
+3. Compares via a tiny semver compare
+4. If newer: runs `npm install -g alvin-bot@latest --no-audit --no-fund` (5 minute timeout)
+5. Signals the caller to restart so the new code takes effect
+6. Detects `EACCES` and suggests `sudo` explicitly instead of a cryptic error
+Also improved the git path: falls back to `npm install` + `npm run build` when `pnpm-lock.yaml` doesn't exist (previously hard-coded pnpm).
+After 4.8.5, `/update` on the test MacBook will correctly detect the npm install, see that v4.8.4 is the latest, fetch it, and restart. No more false-positive "up to date" when a newer release is out.
 ## [4.8.4] — 2026-04-11
 ### 🐛 WhatsApp self-chat detection for the new `@lid` identity format

package/dist/services/updater.js CHANGED Viewed

@@ -25,83 +25,179 @@ const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot
 const FLAG_FILE = resolve(DATA_DIR, "auto-update.flag");
 const AUTO_CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
 let autoTimer = null;
-async function isGitRepo() {
+/**
+ * Is PROJECT_ROOT itself a git repository? We deliberately do NOT use
+ * `git rev-parse --is-inside-work-tree` because that walks UP the
+ * directory tree and would return true for any ancestor that happens
+ * to be a git repo — e.g. Homebrew stores its formula tree in a git
+ * repo at /opt/homebrew/, so a npm-global install of alvin-bot under
+ * /opt/homebrew/lib/node_modules/alvin-bot would be reported as a git
+ * repo even though it's just plain files shipped via npm.
+ *
+ * The strict check: does PROJECT_ROOT/.git exist?
+ */
+function isOwnGitRepo() {
+    return fs.existsSync(resolve(PROJECT_ROOT, ".git"));
+}
+/**
+ * Heuristic for "this is an npm-global install": PROJECT_ROOT sits
+ * inside a node_modules/alvin-bot directory. Covers:
+ *   - /opt/homebrew/lib/node_modules/alvin-bot (Homebrew node)
+ *   - /usr/local/lib/node_modules/alvin-bot (plain npm)
+ *   - ~/.nvm/versions/node/...alvin-bot (nvm)
+ *   - ~/.volta/tools/image/packages/...alvin-bot (volta)
+ */
+function isNpmGlobalInstall() {
+    return /node_modules[/\\]alvin-bot$/.test(PROJECT_ROOT) || PROJECT_ROOT.includes("node_modules/alvin-bot/");
+}
+function readLocalVersion() {
     try {
-        const { stdout } = await execAsync("git rev-parse --is-inside-work-tree", {
-            cwd: PROJECT_ROOT,
-            timeout: 5_000,
+        const pkgPath = resolve(PROJECT_ROOT, "package.json");
+        const raw = fs.readFileSync(pkgPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return parsed.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+async function fetchRemoteVersion() {
+    try {
+        const { stdout } = await execAsync("npm view alvin-bot version", {
+            timeout: 15_000,
         });
-        return stdout.trim() === "true";
+        return stdout.trim() || null;
     }
     catch {
-        return false;
+        return null;
+    }
+}
+/** Semver-compare A vs B. Returns negative if A < B, 0 if equal, positive if A > B. */
+function compareSemver(a, b) {
+    const norm = (v) => v.replace(/^v/, "").split(/[.-]/).map((p) => parseInt(p, 10) || 0);
+    const av = norm(a);
+    const bv = norm(b);
+    for (let i = 0; i < Math.max(av.length, bv.length); i++) {
+        const diff = (av[i] ?? 0) - (bv[i] ?? 0);
+        if (diff !== 0)
+            return diff;
     }
+    return 0;
 }
 /** Pull latest changes, install deps, rebuild. Returns a structured result
- * instead of throwing so the /update command can report cleanly to Telegram. */
+ *  instead of throwing so the /update command can report cleanly to Telegram.
+ *  Dispatches to the git path for source installs and the npm path for
+ *  npm-global installs. */
 export async function runUpdate() {
     try {
-        const isRepo = await isGitRepo();
-        if (!isRepo) {
-            return {
-                ok: false,
-                message: "Not in a git repo — update only supported for source installs.",
-                requiresRestart: false,
-            };
-        }
-        // Fetch latest without merging
-        await execAsync("git fetch --quiet", {
-            cwd: PROJECT_ROOT,
-            timeout: 30_000,
-        });
-        // Count commits we're behind the upstream
-        let behindCount = 0;
-        try {
-            const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
-                cwd: PROJECT_ROOT,
-                timeout: 10_000,
-            });
-            behindCount = parseInt(stdout.trim() || "0", 10);
-        }
-        catch {
-            // No upstream configured — treat as up-to-date
-            behindCount = 0;
+        if (isOwnGitRepo()) {
+            return await runGitUpdate();
         }
-        if (behindCount === 0) {
-            return {
-                ok: true,
-                message: "Already up to date — no new commits.",
-                requiresRestart: false,
-            };
+        if (isNpmGlobalInstall()) {
+            return await runNpmUpdate();
         }
-        // Fast-forward pull (refuses to merge if history diverged)
-        await execAsync("git pull --ff-only", {
-            cwd: PROJECT_ROOT,
-            timeout: 60_000,
-        });
-        // Install (frozen lockfile to match upstream exactly)
-        await execAsync("pnpm install --frozen-lockfile", {
-            cwd: PROJECT_ROOT,
-            timeout: 180_000,
-        });
-        // Build
-        await execAsync("pnpm run build", {
+        return {
+            ok: false,
+            message: "Update not supported for this install type. Clone the git repo or use npm install -g alvin-bot.",
+            requiresRestart: false,
+        };
+    }
+    catch (err) {
+        const raw = err instanceof Error ? err.message : String(err);
+        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
+        return { ok: false, message, requiresRestart: false };
+    }
+}
+async function runGitUpdate() {
+    // Fetch latest without merging
+    await execAsync("git fetch --quiet", {
+        cwd: PROJECT_ROOT,
+        timeout: 30_000,
+    });
+    // Count commits we're behind the upstream
+    let behindCount = 0;
+    try {
+        const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
             cwd: PROJECT_ROOT,
-            timeout: 180_000,
+            timeout: 10_000,
         });
+        behindCount = parseInt(stdout.trim() || "0", 10);
+    }
+    catch {
+        behindCount = 0;
+    }
+    if (behindCount === 0) {
+        return {
+            ok: true,
+            message: "Already up to date — no new commits.",
+            requiresRestart: false,
+        };
+    }
+    // Fast-forward pull
+    await execAsync("git pull --ff-only", {
+        cwd: PROJECT_ROOT,
+        timeout: 60_000,
+    });
+    // Prefer pnpm if the lockfile exists, otherwise fall back to npm
+    const hasPnpmLock = fs.existsSync(resolve(PROJECT_ROOT, "pnpm-lock.yaml"));
+    const installCmd = hasPnpmLock ? "pnpm install --frozen-lockfile" : "npm install --no-audit --no-fund";
+    const buildCmd = hasPnpmLock ? "pnpm run build" : "npm run build";
+    await execAsync(installCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    await execAsync(buildCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    return {
+        ok: true,
+        message: `Installed ${behindCount} commit(s), build successful.`,
+        requiresRestart: true,
+    };
+}
+async function runNpmUpdate() {
+    const current = readLocalVersion();
+    const latest = await fetchRemoteVersion();
+    if (!latest) {
+        return {
+            ok: false,
+            message: "Could not reach npm registry — check your internet connection.",
+            requiresRestart: false,
+        };
+    }
+    if (current && compareSemver(current, latest) >= 0) {
         return {
             ok: true,
-            message: `Installed ${behindCount} commit(s), build successful.`,
-            requiresRestart: true,
+            message: `Already up to date — v${current} is the latest published version.`,
+            requiresRestart: false,
         };
     }
+    // Newer version exists — install it globally. npm install -g writes to
+    // the globally-scoped node_modules directory (/opt/homebrew/lib/… on
+    // Homebrew, /usr/local/lib/… on plain npm). The running process still
+    // has the old code loaded in memory, so after install we signal the
+    // caller to restart.
+    try {
+        await execAsync("npm install -g alvin-bot@latest --no-audit --no-fund", {
+            timeout: 300_000, // 5 minutes for large installs
+        });
+    }
     catch (err) {
         const raw = err instanceof Error ? err.message : String(err);
-        // Keep error messages short — Telegram has a 4096 char limit and the
-        // user doesn't need a 50-line stack trace.
-        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
-        return { ok: false, message, requiresRestart: false };
+        // Permission errors are the most common npm -g failure mode
+        if (/EACCES|permission denied/i.test(raw)) {
+            return {
+                ok: false,
+                message: `npm install -g failed with permissions. Try: sudo npm install -g alvin-bot@latest`,
+                requiresRestart: false,
+            };
+        }
+        return {
+            ok: false,
+            message: `npm install failed: ${raw.slice(0, 200)}`,
+            requiresRestart: false,
+        };
     }
+    return {
+        ok: true,
+        message: `Installed v${latest} (was v${current ?? "?"}). Restarting...`,
+        requiresRestart: true,
+    };
 }
 export function getAutoUpdate() {
     try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.8.4",
+  "version": "4.8.5",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",