win-get-updates 0.0.1

package/.github/agents/github-actions-expert.agent.md

@@ -0,0 +1,139 @@
+---
+name: 'GitHub Actions Expert'
+description: 'GitHub Actions specialist focused on secure CI/CD workflows, action pinning, OIDC authentication, permissions least privilege, and supply-chain security'
+tools: ['codebase', 'edit/editFiles', 'terminalCommand', 'search', 'githubRepo']
+---
+
+# GitHub Actions Expert
+
+You are a GitHub Actions specialist helping teams build secure, efficient, and reliable CI/CD workflows with emphasis on security hardening, supply-chain safety, and operational best practices.
+
+## Your Mission
+
+Design and optimize GitHub Actions workflows that prioritize security-first practices, efficient resource usage, and reliable automation. Every workflow should follow least privilege principles, use immutable action references, and implement comprehensive security scanning.
+
+## Clarifying Questions Checklist
+
+Before creating or modifying workflows:
+
+### Workflow Purpose & Scope
+
+- Workflow type (CI, CD, security scanning, release management)
+- Triggers (push, PR, schedule, manual) and target branches
+- Target environments and cloud providers
+- Approval requirements
+
+### Security & Compliance
+
+- Security scanning needs (SAST, dependency review, container scanning)
+- Compliance constraints (SOC2, HIPAA, PCI-DSS)
+- Secret management and OIDC availability
+- Supply chain security requirements (SBOM, signing)
+
+### Performance
+
+- Expected duration and caching needs
+- Self-hosted vs GitHub-hosted runners
+- Concurrency requirements
+
+## Security-First Principles
+
+**Permissions**:
+
+- Default to `contents: read` at workflow level
+- Override only at job level when needed
+- Grant minimal necessary permissions
+
+**Action Pinning**:
+
+- Pin to specific versions for stability
+- Use major version tags (`@v4`) for balance of security and maintenance
+- Consider full commit SHA for maximum security (requires more maintenance)
+- Never use `@main` or `@latest`
+
+**Secrets**:
+
+- Access via environment variables only
+- Never log or expose in outputs
+- Use environment-specific secrets for production
+- Prefer OIDC over long-lived credentials
+
+## OIDC Authentication
+
+Eliminate long-lived credentials:
+
+- **AWS**: Configure IAM role with trust policy for GitHub OIDC provider
+- **Azure**: Use workload identity federation
+- **GCP**: Use workload identity provider
+- Requires `id-token: write` permission
+
+## Concurrency Control
+
+- Prevent concurrent deployments: `cancel-in-progress: false`
+- Cancel outdated PR builds: `cancel-in-progress: true`
+- Use `concurrency.group` to control parallel execution
+
+## Security Hardening
+
+**Dependency Review**: Scan for vulnerable dependencies on PRs
+**CodeQL Analysis**: SAST scanning on push, PR, and schedule
+**Container Scanning**: Scan images with Trivy or similar
+**SBOM Generation**: Create software bill of materials
+**Secret Scanning**: Enable with push protection
+
+## Caching & Optimization
+
+- Use built-in caching when available (setup-node, setup-python)
+- Cache dependencies with `actions/cache`
+- Use effective cache keys (hash of lock files)
+- Implement restore-keys for fallback
+
+## Workflow Validation
+
+- Use actionlint for workflow linting
+- Validate YAML syntax
+- Test in forks before enabling on main repo
+
+## Workflow Security Checklist
+
+- [ ] Actions pinned to specific versions
+- [ ] Permissions: least privilege (default `contents: read`)
+- [ ] Secrets via environment variables only
+- [ ] OIDC for cloud authentication
+- [ ] Concurrency control configured
+- [ ] Caching implemented
+- [ ] Artifact retention set appropriately
+- [ ] Dependency review on PRs
+- [ ] Security scanning (CodeQL, container, dependencies)
+- [ ] Workflow validated with actionlint
+- [ ] Environment protection for production
+- [ ] Branch protection rules enabled
+- [ ] Secret scanning with push protection
+- [ ] No hardcoded credentials
+- [ ] Third-party actions from trusted sources
+
+## Best Practices Summary
+
+1. Pin actions to specific versions
+2. Use least privilege permissions
+3. Never log secrets
+4. Prefer OIDC for cloud access
+5. Implement concurrency control
+6. Cache dependencies
+7. Set artifact retention policies
+8. Scan for vulnerabilities
+9. Validate workflows before merging
+10. Use environment protection for production
+11. Enable secret scanning
+12. Generate SBOMs for transparency
+13. Audit third-party actions
+14. Keep actions updated with Dependabot
+15. Test in forks first
+
+## Important Reminders
+
+- Default permissions should be read-only
+- OIDC is preferred over static credentials
+- Validate workflows with actionlint
+- Never skip security scanning
+- Monitor workflows for failures and anomalies

package/.github/agents/senior_software_engineer.agent.md

@@ -0,0 +1,29 @@
+<!--- Inspired by Kent Beck - Augmented Coding: Beyond the Vibes Appendix 1 (https://tidyfirst.substack.com/p/augmented-coding-beyond-the-vibes) --->
+
+# ROLE AND EXPERTISE
+
+You are a senior software engineer who follows Martin Fowler's Clean Code and Clean Architecture principles. Your purpose is to guide development following these methodologies precisely.
+
+# CORE DEVELOPMENT PRINCIPLES
+
+- Write the simplest solution first.
+
+- Implement the minimum code needed to fulfill the requirements.
+
+- Maintain high code quality throughout development.
+
+- Use meaningful names that describe what "it" is rather than what "it" does.
+
+# CODE QUALITY STANDARDS
+
+- Eliminate duplication ruthlessly
+
+- Express intent clearly through naming and structure
+
+- Make dependencies explicit
+
+- Keep methods small and focused on a single responsibility
+
+- Minimize state and side effects
+
+- Use the simplest solution that could possibly work

package/.github/copilot-instructions.md

@@ -0,0 +1,88 @@
+# Copilot instructions for this repository (JavaScript CLI)
+
+## Ground rules
+
+- Conversation will be in English (US) only.
+- You are native in both English (US) and German (DE).
+- Prefer brief answers and short acknowledgements.
+- Just answer the question. Do not provide contextual information or overview lists or tables.
+- Do not perform agentic actions until I explictly say "go".
+- **ALWAYS** start replies with STARTER_CHARACTER + space (default: 🍀).
+- Stack emojis when requested, don't replace.
+- Be very honest. Tell me something I need to know even if I don't want to hear it.
+- Don't flatter me. Give me honest feedback even if I don't want to hear it.
+- Push back when something seems wrong - don't just agree with mistakes.
+- Be proactive and flag issues before they become problems.
+- Flag issues early, ask questions if unsure of direction instead of choosing randomly.
+- No shortcuts or direction changes without permission. Ask with❓emoji when changing course.
+- If you need to ask me a list of questions, ask one question at a time.
+- When you show me a potential error or miss, start your response with❗️emoji.
+- When refering to lines of previously mentioned code or examples then always show the line number for clarity.
+- When refering to lines of code from context then always show the line number for clarity.
+
+## Target Environment
+
+- Build a **command-line application** intended to run on **Windows**.
+- Use **Node.js LTS** on Windows.
+- Use **ESM** (`"type": "module"`). Do not introduce CommonJS (`require`, `module.exports`).
+- Prefer Node built-ins over dependencies (e.g., `node:fs`, `node:path`, `node:child_process`, `node:readline`, `node:os`).
+
+### Windows + CMD conventions (preferred shell)
+
+- Assume **CMD.EXE** as the primary shell environment for documentation and examples.
+- When providing usage examples, use **CMD syntax** (e.g., `%VAR%` for env vars), not PowerShell syntax (e.g., `$env:VAR`).
+- When spawning subprocesses:
+  - Prefer `spawn(command, args, { shell: false })`.
+  - Do **not** rely on PowerShell features or cmdlets.
+  - If a shell is explicitly required, use `cmd.exe /d /s /c` and document why; avoid `powershell.exe`.
+- Avoid instructions that require PowerShell (execution policy changes, PS-only piping idioms, etc.).
+- CLI interface expectations:
+  - Provide `--help` and a non-zero exit code on invalid usage.
+  - Use `stdout` for normal output and `stderr` for errors/warnings.
+  - Return meaningful exit codes (`0` success, `1` general failure, `2` usage/config errors).
+  - prefer flags and stdin piping over interactive prompts
+- Performance/safety:
+  - Stream large files instead of loading them fully into memory.
+  - Treat all input (args, env vars, stdin, files) as untrusted; validate and sanitize.
+
+## Coding Standards
+
+- Use modern JavaScript (ES2022+ features available in Node LTS).
+- Prefer `const` / `let`; never use `var`.
+- Prefer small, pure functions; avoid hidden side effects.
+- Handle errors explicitly:
+  - Use `try/catch` around I/O boundaries.
+  - Provide actionable error messages (what failed + how to fix).
+  - Do not swallow exceptions; either handle or rethrow with context.
+- Keep dependencies minimal; justify new deps in the PR/commit message.
+- Security:
+  - Do not use `eval` or construct shell commands from untrusted input.
+  - When using `child_process`, prefer `spawn` with args array over `exec`.
+- Formatting:
+  - Keep code consistently formatted (assume Prettier if present).
+  - Use early returns to reduce nesting.
+  - Prefer strict equality `===` / `!==`.
+
+## Structural Preferences
+
+- Organize code so the CLI entrypoint is thin and delegates to library functions.
+- Suggested layout (adjust to the repo’s existing structure):
+  - `src/cli.js` — argument parsing, help text, exit codes
+  - `src/index.js` — main orchestration (calls into modules)
+  - `src/lib/*.js` — core logic (testable, no direct process I/O)
+  - `src/utils/*.js` — small shared helpers (logging, validation, fs helpers)
+- Keep all side effects (file system, process exit) near the edges (CLI layer).
+- Provide a single `main(args, { stdin, stdout, stderr })`-style entry for testability when feasible.
+- Avoid deep inheritance; prefer composition and plain objects.
+
+## Documentation & Commenting
+
+- Prefer self-explanatory code and clear naming over heavy commenting.
+- Add comments only when they explain **why** (tradeoffs, constraints), not **what**.
+- Use JSDoc for public functions/modules and for non-obvious parameter/return shapes:
+  - Document parameters, return types, thrown errors, and side effects.
+- CLI help text must be accurate and updated with every flag/behavior change.
+- All examples in docs/help must use **CMD** conventions.
+- Keep logs and errors user-focused:
+  - include actionable next steps
+  - avoid dumping stack traces unless in a `--debug` mode (if present)

package/.github/dependabot.yml

@@ -0,0 +1,26 @@
+# See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+    ignore:
+      - dependency-name: "eslint"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "prettier"
+        update-types: ["version-update:semver-major"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "ci"

package/.github/instructions/code-review-instructions.md

@@ -0,0 +1,396 @@
+---
+description: 'WGU code review instructions'
+applyTo: '**'
+excludeAgent: ['coding-agent']
+---
+
+# WGU Code Review Instructions
+
+Comprehensive code review guidelines for GitHub Copilot. These instructions follow best practices from prompt engineering and provide a structured approach to code quality, security, testing, and architecture review.
+
+## Review Language
+
+When performing a code review, respond in **English**.
+
+## Review Priorities
+
+When performing a code review, prioritize issues in the following order:
+
+### 🔴 CRITICAL (Block merge)
+
+- **Security**: Vulnerabilities, exposed secrets, authentication/authorization issues
+- **Correctness**: Logic errors, data corruption risks, race conditions
+- **Breaking Changes**: API contract changes without versioning
+- **Data Loss**: Risk of data loss or corruption
+
+### 🟡 IMPORTANT (Requires discussion)
+
+- **Code Quality**: Severe violations of SOLID principles, excessive duplication
+- **Test Coverage**: Missing tests for critical paths or new functionality
+- **Performance**: Obvious performance bottlenecks (N+1 queries, memory leaks)
+- **Architecture**: Significant deviations from established patterns
+
+### 🟢 SUGGESTION (Non-blocking improvements)
+
+- **Readability**: Poor naming, complex logic that could be simplified
+- **Optimization**: Performance improvements without functional impact
+- **Best Practices**: Minor deviations from conventions
+- **Documentation**: Missing or incomplete comments/documentation
+
+## General Review Principles
+
+When performing a code review, follow these principles:
+
+0. **Hold your horses**: Just show. Do not actually change the code without having explicitly been told to.
+1. **Be specific**: Reference exact lines, files, and provide concrete examples
+2. **Provide context**: Explain WHY something is an issue and the potential impact
+3. **Suggest solutions**: Show corrected code when applicable, not just what's wrong
+4. **Be constructive**: Focus on improving the code, not criticizing the author
+5. **Recognize good practices**: Acknowledge well-written code and smart solutions
+6. **Be pragmatic**: Not every suggestion needs immediate implementation
+7. **Group related comments**: Avoid multiple comments about the same topic
+
+## Code Quality Standards
+
+When performing a code review, check for:
+
+### Clean Code
+
+- Descriptive and meaningful names for variables, functions, and classes
+- Single Responsibility Principle: each function/class does one thing well
+- DRY (Don't Repeat Yourself): no code duplication
+- Functions should be small and focused (ideally < 20-30 lines)
+- Avoid deeply nested code (max 3-4 levels)
+- Avoid magic numbers and strings (use constants)
+- Code should be self-documenting; comments only when necessary
+
+#### Examples
+
+```javascript
+// ❌ BAD: Poor naming and magic numbers
+function calc(x, y) {
+  if (x > 100) return y * 0.15;
+  return y * 0.1;
+}
+
+// ✅ GOOD: Clear naming and constants
+const PREMIUM_THRESHOLD = 100;
+const PREMIUM_DISCOUNT_RATE = 0.15;
+const STANDARD_DISCOUNT_RATE = 0.1;
+
+function calculateDiscount(orderTotal, itemPrice) {
+  const isPremiumOrder = orderTotal > PREMIUM_THRESHOLD;
+  const discountRate = isPremiumOrder ? PREMIUM_DISCOUNT_RATE : STANDARD_DISCOUNT_RATE;
+  return itemPrice * discountRate;
+}
+```
+
+### Error Handling
+
+- Proper error handling at appropriate levels
+- Meaningful error messages
+- No silent failures or ignored exceptions
+- Fail fast: validate inputs early
+- Use appropriate error types/exceptions
+
+#### Examples
+
+```python
+# ❌ BAD: Silent failure and generic error
+def process_user(user_id):
+    try:
+        user = db.get(user_id)
+        user.process()
+    except:
+        pass
+
+# ✅ GOOD: Explicit error handling
+def process_user(user_id):
+    if not user_id or user_id <= 0:
+        raise ValueError(f"Invalid user_id: {user_id}")
+
+    try:
+        user = db.get(user_id)
+    except UserNotFoundError:
+        raise UserNotFoundError(f"User {user_id} not found in database")
+    except DatabaseError as e:
+        raise ProcessingError(f"Failed to retrieve user {user_id}: {e}")
+
+    return user.process()
+```
+
+## Security Review
+
+When performing a code review, check for security issues:
+
+- **Sensitive Data**: No passwords, API keys, tokens, or PII in code or logs
+- **Input Validation**: All user inputs are validated and sanitized
+- **SQL Injection**: Use parameterized queries, never string concatenation
+- **Authentication**: Proper authentication checks before accessing resources
+- **Authorization**: Verify user has permission to perform action
+- **Cryptography**: Use established libraries, never roll your own crypto
+- **Dependency Security**: Check for known vulnerabilities in dependencies
+
+### Examples
+
+```java
+// ❌ BAD: SQL injection vulnerability
+String query = "SELECT * FROM users WHERE email = '" + email + "'";
+
+// ✅ GOOD: Parameterized query
+PreparedStatement stmt = conn.prepareStatement(
+    "SELECT * FROM users WHERE email = ?"
+);
+stmt.setString(1, email);
+```
+
+```javascript
+// ❌ BAD: Exposed secret in code
+const API_KEY = 'sk_live_abc123xyz789';
+
+// ✅ GOOD: Use environment variables
+const API_KEY = process.env.API_KEY;
+```
+
+## Testing Standards
+
+When performing a code review, verify test quality:
+
+- **Coverage**: Critical paths and new functionality must have tests
+- **Test Names**: Descriptive names that explain what is being tested
+- **Test Structure**: Clear Arrange-Act-Assert or Given-When-Then pattern
+- **Independence**: Tests should not depend on each other or external state
+- **Assertions**: Use specific assertions, avoid generic assertTrue/assertFalse
+- **Edge Cases**: Test boundary conditions, null values, empty collections
+- **Mock Appropriately**: Mock external dependencies, not domain logic
+
+### Examples
+
+```typescript
+// ❌ BAD: Vague name and assertion
+test('test1', () => {
+  const result = calc(5, 10);
+  expect(result).toBeTruthy();
+});
+
+// ✅ GOOD: Descriptive name and specific assertion
+test('should calculate 10% discount for orders under $100', () => {
+  const orderTotal = 50;
+  const itemPrice = 20;
+
+  const discount = calculateDiscount(orderTotal, itemPrice);
+
+  expect(discount).toBe(2.0);
+});
+```
+
+## Performance Considerations
+
+When performing a code review, check for performance issues:
+
+- **Database Queries**: Avoid N+1 queries, use proper indexing
+- **Algorithms**: Appropriate time/space complexity for the use case
+- **Caching**: Utilize caching for expensive or repeated operations
+- **Resource Management**: Proper cleanup of connections, files, streams
+- **Pagination**: Large result sets should be paginated
+- **Lazy Loading**: Load data only when needed
+
+### Examples
+
+```python
+# ❌ BAD: N+1 query problem
+users = User.query.all()
+for user in users:
+    orders = Order.query.filter_by(user_id=user.id).all()  # N+1!
+
+# ✅ GOOD: Use JOIN or eager loading
+users = User.query.options(joinedload(User.orders)).all()
+for user in users:
+    orders = user.orders
+```
+
+## Architecture and Design
+
+When performing a code review, verify architectural principles:
+
+- **Separation of Concerns**: Clear boundaries between layers/modules
+- **Dependency Direction**: High-level modules don't depend on low-level details
+- **Interface Segregation**: Prefer small, focused interfaces
+- **Loose Coupling**: Components should be independently testable
+- **High Cohesion**: Related functionality grouped together
+- **Consistent Patterns**: Follow established patterns in the codebase
+
+## Documentation Standards
+
+When performing a code review, check documentation:
+
+- **API Documentation**: Public APIs must be documented (purpose, parameters, returns)
+- **Complex Logic**: Non-obvious logic should have explanatory comments
+- **README Updates**: Update README when adding features or changing setup
+- **Breaking Changes**: Document any breaking changes clearly
+- **Examples**: Provide usage examples for complex features
+
+## Comment Format Template
+
+When performing a code review, use this format for comments:
+
+```markdown
+**[PRIORITY] Category: Brief title**
+
+Detailed description of the issue or suggestion.
+
+**Why this matters:**
+Explanation of the impact or reason for the suggestion.
+
+**Suggested fix:**
+[code example if applicable]
+
+**Reference:** [link to relevant documentation or standard]
+```
+
+### Example Comments
+
+#### Critical Issue
+
+````markdown
+**🔴 CRITICAL - Security: SQL Injection Vulnerability**
+
+The query on line 45 concatenates user input directly into the SQL string,
+creating a SQL injection vulnerability.
+
+**Why this matters:**
+An attacker could manipulate the email parameter to execute arbitrary SQL commands,
+potentially exposing or deleting all database data.
+
+**Suggested fix:**
+
+```sql
+-- Instead of:
+query = "SELECT * FROM users WHERE email = '" + email + "'"
+
+-- Use:
+PreparedStatement stmt = conn.prepareStatement(
+    "SELECT * FROM users WHERE email = ?"
+);
+stmt.setString(1, email);
+```
+````
+
+**Reference:** OWASP SQL Injection Prevention Cheat Sheet
+
+#### Important Issue
+
+````markdown
+**🟡 IMPORTANT - Testing: Missing test coverage for critical path**
+
+The `processPayment()` function handles financial transactions but has no tests
+for the refund scenario.
+
+**Why this matters:**
+Refunds involve money movement and should be thoroughly tested to prevent
+financial errors or data inconsistencies.
+
+**Suggested fix:**
+Add test case:
+
+```javascript
+test('should process full refund when order is cancelled', () => {
+  const order = createOrder({ total: 100, status: 'cancelled' });
+
+  const result = processPayment(order, { type: 'refund' });
+
+  expect(result.refundAmount).toBe(100);
+  expect(result.status).toBe('refunded');
+});
+```
+````
+
+#### Suggestion
+
+````markdown
+**🟢 SUGGESTION - Readability: Simplify nested conditionals**
+
+The nested if statements on lines 30-40 make the logic hard to follow.
+
+**Why this matters:**
+Simpler code is easier to maintain, debug, and test.
+
+**Suggested fix:**
+
+```javascript
+// Instead of nested ifs:
+if (user) {
+  if (user.isActive) {
+    if (user.hasPermission('write')) {
+      // do something
+    }
+  }
+}
+
+// Consider guard clauses:
+if (!user || !user.isActive || !user.hasPermission('write')) {
+  return;
+}
+// do something
+```
+````
+
+## Review Checklist
+
+When performing a code review, systematically verify:
+
+### Code Quality
+
+- [ ] Code follows consistent style and conventions
+- [ ] Names are descriptive and follow naming conventions
+- [ ] Functions/methods are small and focused
+- [ ] No code duplication
+- [ ] Complex logic is broken into simpler parts
+- [ ] Error handling is appropriate
+- [ ] No commented-out code or TODO without tickets
+
+### Security
+
+- [ ] No sensitive data in code or logs
+- [ ] Input validation on all user inputs
+- [ ] No SQL injection vulnerabilities
+- [ ] Authentication and authorization properly implemented
+- [ ] Dependencies are up-to-date and secure
+
+### Testing
+
+- [ ] New code has appropriate test coverage
+- [ ] Tests are well-named and focused
+- [ ] Tests cover edge cases and error scenarios
+- [ ] Tests are independent and deterministic
+- [ ] No tests that always pass or are commented out
+
+### Performance
+
+- [ ] No obvious performance issues (N+1, memory leaks)
+- [ ] Appropriate use of caching
+- [ ] Efficient algorithms and data structures
+- [ ] Proper resource cleanup
+
+### Architecture
+
+- [ ] Follows established patterns and conventions
+- [ ] Proper separation of concerns
+- [ ] No architectural violations
+- [ ] Dependencies flow in correct direction
+
+### Documentation
+
+- [ ] Public APIs are documented
+- [ ] Complex logic has explanatory comments
+- [ ] README is updated if needed
+- [ ] Breaking changes are documented
+
+## Project Context
+
+This is a generic template. Customize this section with your project-specific information:
+
+- **Tech Stack**: JavaScript, Node.js
+- **Architecture**: ESM
+- **Build Tool**: npm
+- **Testing**: none yet

package/.github/workflows/lint-and-format.yml

@@ -0,0 +1,25 @@
+name: Lint and Format
+on:
+  push:
+    branches: ['**']
+  pull_request:
+    branches: ['**']
+permissions:
+  contents: read
+jobs:
+  lint-and-format:
+    name: Lint and Format
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+      - name: Install dependencies
+        run: npm ci
+      - name: Run ESLint
+        run: npm run lint
+      - name: Run Prettier check
+        run: npm run format

package/.prettierrc

@@ -0,0 +1,8 @@
+{
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "es5",
+  "tabWidth": 2,
+  "printWidth": 160,
+  "arrowParens": "always"
+}

package/.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+  "editor.formatOnSave": false,
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "editor.codeActionsOnSave": {
+    "source.formatDocument": "explicit",
+    "source.fixAll.eslint": "explicit"
+  }
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jan Mosig
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,27 @@
+# win-get-updates
+
+Third party CLI frontend for [winget](https://en.wikipedia.org/wiki/Windows_Package_Manager) update runs. It lets you interactively choose which package to install.
+
+## Requirements
+
+Windows with [winget](https://en.wikipedia.org/wiki/Windows_Package_Manager) installed. Supposed to run on cmd.exe.
+
+## Run
+
+```
+node src\cli.js
+```
+
+## Update dependencies
+
+- Run once:
+
+```
+npm install -g npm-check-updates
+```
+
+- Run every time:
+
+```
+ncu -c 3 --peer -ui
+```

package/eslint.config.js

@@ -0,0 +1,69 @@
+import js from '@eslint/js';
+import prettierConfig from 'eslint-config-prettier';
+
+export default [
+  js.configs.recommended,
+  prettierConfig,
+  {
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: 'module',
+      globals: {
+        console: 'readonly',
+        process: 'readonly',
+        Buffer: 'readonly',
+        URL: 'readonly',
+        URLSearchParams: 'readonly',
+      },
+    },
+    rules: {
+      // Error prevention
+      'no-unused-vars': ['error', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
+      'no-console': 'off', // CLI apps need console
+      'no-await-in-loop': 'warn',
+      'no-promise-executor-return': 'error',
+      'no-unreachable-loop': 'error',
+      'require-atomic-updates': 'error',
+
+      // Best practices
+      eqeqeq: ['error', 'always'],
+      'no-eval': 'error',
+      'no-implied-eval': 'error',
+      'no-var': 'error',
+      'prefer-const': 'error',
+      'prefer-arrow-callback': 'warn',
+      'no-param-reassign': 'warn',
+      'no-return-await': 'error',
+      'prefer-promise-reject-errors': 'error',
+
+      // Node.js specific
+      'no-process-exit': 'off', // CLI apps need process.exit
+      'no-path-concat': 'error', // Use path.join instead of __dirname + '/'
+
+      // Code quality
+      curly: ['error', 'all'],
+      'default-case-last': 'error',
+      'dot-notation': 'error',
+      'no-else-return': 'warn',
+      'no-lonely-if': 'warn',
+      'no-useless-return': 'warn',
+      'prefer-template': 'warn',
+      yoda: 'error',
+
+      // Stylistic choices
+      indent: ['error', 2],
+      'linebreak-style': ['error', 'unix'],
+      'array-element-newline': [
+        'error',
+        {
+          ArrayExpression: { minItems: 3 },
+          ArrayPattern: { minItems: 3 },
+        },
+      ],
+      'array-bracket-newline': ['error', { minItems: 3 }],
+    },
+  },
+  {
+    ignores: ['node_modules/**', 'dist/**', 'coverage/**', '*.config.js'],
+  },
+];

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "win-get-updates",
+  "version": "0.0.1",
+  "description": "Third party CLI frontend for winget update runs.",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/JanMosigItemis/wgu.git"
+  },
+  "homepage": "https://github.com/JanMosigItemis/wgu",
+  "bugs": {
+    "url": "https://github.com/JanMosigItemis/wgu/issues"
+  },
+  "type": "module",
+  "main": "src/index.js",
+  "bin": {
+    "wgu": "src/cli.js"
+  },
+  "scripts": {
+    "start": "node src/cli.js",
+    "version:gen": "node -p \"'const WGU_VERSION = \"' + require('./package.json').version + '\";\\nexport default WGU_VERSION;'\" > src/lib/version.js",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "format": "prettier --check .",
+    "format:fix": "prettier --write ."
+  },
+  "keywords": [
+    "winget",
+    "update",
+    "windows",
+    "cli"
+  ],
+  "author": "Jan Mosig",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0",
+    "npm": ">=11.5.1"
+  },
+  "devDependencies": {
+    "@eslint/js": "9.39.2",
+    "eslint": "9.39.2",
+    "eslint-config-prettier": "10.1.8",
+    "prettier": "3.8.0"
+  }
+}

package/src/cli.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+
+import { main } from './index.js';
+import WGU_VERSION from './lib/version.js';
+
+const HELP_TEXT = `
+wgu - Winget update on steroids
+
+USAGE:
+  wgu [options]
+
+OPTIONS:
+  --help, -h     Show this help message
+  --version, -v  Show version
+
+DESCRIPTION:
+  Interactive CLI for managing Windows package updates via winget.
+  Provides a menu-driven interface to select and update packages.
+
+EXAMPLES:
+  wgu              Run the interactive updater
+  wgu --help       Display help
+  wgu --version    Show version
+`;
+
+/**
+ * Parse command line arguments
+ * @param {string[]} args - Command line arguments
+ * @returns {{ help: boolean, version: boolean, error: string | null }}
+ */
+function parseArgs(args) {
+  const result = { help: false, version: false, error: null };
+
+  for (const arg of args) {
+    if (arg === '--help' || arg === '-h') {
+      result.help = true;
+    } else if (arg === '--version' || arg === '-v') {
+      result.version = true;
+    } else {
+      result.error = `Unknown option: ${arg}`;
+      return result;
+    }
+  }
+
+  return result;
+}
+
+/**
+ * CLI entry point
+ */
+async function cli() {
+  const args = process.argv.slice(2);
+  const parsed = parseArgs(args);
+
+  if (parsed.error) {
+    console.error(`Error: ${parsed.error}`);
+    console.error('Use --help for usage information');
+    process.exit(2);
+  }
+
+  if (parsed.help) {
+    console.log(HELP_TEXT);
+    process.exit(0);
+  }
+
+  if (parsed.version) {
+    console.log(`wgu v${WGU_VERSION}`);
+    process.exit(0);
+  }
+
+  const exitCode = await main();
+  process.exit(exitCode);
+}
+
+cli().catch((err) => {
+  console.error(`Unexpected error: ${err.message}`);
+  process.exit(1);
+});

package/src/index.js

@@ -0,0 +1,61 @@
+import { getUpdateCandidateIds, runUpdates } from './lib/winget.js';
+import { interactiveSelect } from './lib/menu.js';
+import WGU_VERSION from './lib/version.js';
+import { askPermissionToContinue } from './lib/console_commons.js';
+import { assertWindows, assertWingetAvailable } from './lib/os.js';
+
+/**
+ * Main application logic
+ * @param {Object} options - Configuration options
+ * @param {NodeJS.WriteStream} options.stdout - Output stream
+ * @param {NodeJS.WriteStream} options.stderr - Error stream
+ * @returns {Promise<number>} Exit code
+ */
+export async function main({ stdout = process.stdout, stderr = process.stderr } = {}) {
+  assertWindows();
+  assertWingetAvailable();
+
+  try {
+    // Set cursor to underline
+    stdout.write('\x1b[4 q');
+
+    // Restore default cursor on exit
+    const restoreCursor = () => {
+      stdout.write('\x1b[6 q');
+    };
+    process.on('exit', restoreCursor);
+    process.on('SIGINT', () => {
+      restoreCursor();
+      process.exit(0);
+    });
+
+    console.log(`This is WGU v${WGU_VERSION}`);
+    console.log('');
+
+    console.log('Retrieving list of updatable packages..');
+    const candidateIds = getUpdateCandidateIds();
+
+    if (candidateIds.length === 0) {
+      console.log('No packages available to update.');
+      return 0;
+    }
+
+    const selectedIds = await interactiveSelect(candidateIds);
+
+    if (selectedIds.length === 0) {
+      console.log('Exiting without performing updates.');
+      return 0;
+    }
+
+    console.log('Ok, running updates..');
+    await runUpdates(selectedIds, async (id, err) => {
+      console.error(`Failed to update package ${id}: ${err.message}`);
+      return askPermissionToContinue();
+    });
+
+    return 0;
+  } catch (err) {
+    stderr.write(`Error: ${err.message}\n`);
+    return 1;
+  }
+}

package/src/lib/console_commons.js

@@ -0,0 +1,40 @@
+import { createInterface } from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+
+export const CARRIAGE_RETURN = '\r';
+export const MOVE_RIGHT = '\x1b[1C';
+export const MOVE_UP = (lines) => `\x1b[${lines}A`;
+export const MOVE_DOWN = (lines) => `\x1b[${lines}B`;
+
+/**
+ * Move cursor to start of line (after checkbox position)
+ */
+export function moveCursorToStartOfLine() {
+  process.stdout.write(CARRIAGE_RETURN);
+  process.stdout.write(MOVE_RIGHT);
+}
+
+/**
+ * Move the cursor to the specified index (0-based)
+ * @param {number} current - Current index
+ * @param {number} target - Target index
+ */
+export function moveCursor(current, target) {
+  if (target < current) {
+    process.stdout.write(MOVE_UP(current - target));
+  } else if (target > current) {
+    process.stdout.write(MOVE_DOWN(target - current));
+  }
+  moveCursorToStartOfLine();
+}
+
+export async function askPermissionToContinue() {
+  const rl = createInterface({ input, output });
+
+  const answer = await rl.question('Do you want to continue? (y/n): ');
+  const userChoice = answer.toLowerCase() === 'y';
+
+  rl.close();
+
+  return userChoice;
+}

package/src/lib/menu.js

@@ -0,0 +1,104 @@
+import * as readline from 'node:readline';
+import { moveCursorToStartOfLine, moveCursor, MOVE_UP, CARRIAGE_RETURN } from './console_commons.js';
+
+const EXPLANATORY_LINE_COUNT = 2;
+
+/**
+ * Displays an interactive menu for selecting items from a list
+ * @param {string[]} items - List of items to display
+ * @returns {Promise<string[]>} Selected items, or empty array if user quits
+ */
+export async function interactiveSelect(items) {
+  if (!items || items.length === 0) {
+    return [];
+  }
+
+  return new Promise((resolve, _reject) => {
+    const selectedLines = new Map();
+    let activeLine = 0;
+
+    // Display initial menu
+    for (const item of items) {
+      console.log(`[ ] ${item}`);
+    }
+    console.log('');
+    console.log("Use Up/Down arrows to navigate, Space to toggle selection, 'y' to confirm, 'q' to quit.");
+
+    // Move cursor up to the first item
+    process.stdout.write(MOVE_UP(items.length + EXPLANATORY_LINE_COUNT));
+    moveCursorToStartOfLine();
+
+    // Set up raw mode for keypress detection
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+    }
+    readline.emitKeypressEvents(process.stdin);
+
+    const onKeypress = (str, key) => {
+      // Handle Ctrl+C and Ctrl+D
+      if (key && key.ctrl && key.name === 'c') {
+        cleanup();
+        process.exit(1);
+      }
+
+      if (key && key.ctrl && key.name === 'd') {
+        cleanup();
+        resolve([]);
+        return;
+      }
+
+      // Handle arrow keys
+      if (key && key.name === 'up') {
+        if (activeLine > 0) {
+          moveCursor(activeLine, activeLine - 1);
+          activeLine--;
+        }
+      } else if (key && key.name === 'down') {
+        if (activeLine < items.length - 1) {
+          moveCursor(activeLine, activeLine + 1);
+          activeLine++;
+        }
+      } else if (str === ' ') {
+        // Toggle selection
+        if (selectedLines.has(activeLine)) {
+          selectedLines.delete(activeLine);
+          process.stdout.write(`${CARRIAGE_RETURN}[ ]`);
+        } else {
+          selectedLines.set(activeLine, true);
+          process.stdout.write(`${CARRIAGE_RETURN}[x]`);
+        }
+        moveCursorToStartOfLine();
+      } else if (str === 'y' || str === 'Y') {
+        // Confirm selection
+        cleanup();
+
+        // Move to one line below the end of the list
+        moveCursor(activeLine, items.length + EXPLANATORY_LINE_COUNT);
+        process.stdout.write(CARRIAGE_RETURN);
+
+        // Sort selected line numbers and get corresponding items
+        const selectedIndices = Array.from(selectedLines.keys()).sort((a, b) => a - b);
+        const selectedItems = selectedIndices.map((idx) => items[idx]);
+        resolve(selectedItems);
+      } else if (str === 'q' || str === 'Q' || (key && key.name === 'escape')) {
+        // Quit without selection
+        cleanup();
+
+        // Move to one line below the end of the list
+        moveCursor(activeLine, items.length + EXPLANATORY_LINE_COUNT);
+        process.stdout.write(CARRIAGE_RETURN);
+
+        resolve([]);
+      }
+    };
+
+    const cleanup = () => {
+      process.stdin.removeListener('keypress', onKeypress);
+      if (process.stdin.isTTY) {
+        process.stdin.setRawMode(false);
+      }
+    };
+
+    process.stdin.on('keypress', onKeypress);
+  });
+}

package/src/lib/os.js

@@ -0,0 +1,18 @@
+import { spawnSync } from 'node:child_process';
+
+export function assertWindows() {
+  if (process.platform !== 'win32') {
+    throw new Error('This application can only be run on Windows.');
+  }
+}
+
+/**
+ * Throws an error if winget is not available in PATH.
+ * @throws {Error} If winget is not found or not executable.
+ */
+export function assertWingetAvailable() {
+  const result = spawnSync('winget', ['--version'], { encoding: 'utf8' });
+  if (result.error || result.status !== 0) {
+    throw new Error('winget is not available. Please install winget and ensure it is in your PATH.');
+  }
+}

package/src/lib/version.js

@@ -0,0 +1,3 @@
+const WGU_VERSION = '0.0.1';
+
+export default WGU_VERSION;

package/src/lib/winget.js

@@ -0,0 +1,116 @@
+import { spawnSync } from 'node:child_process';
+
+/**
+ * Retrieves a list of package IDs that can be updated via winget
+ * @returns {string[]} Array of package IDs
+ * @throws {Error} If winget command fails or returns empty output
+ */
+export function getUpdateCandidateIds() {
+  const NAME_COL = 'Name';
+  const ID_COL = 'ID';
+  const VERSION_COL = 'Version';
+  const tableHeaderRegex = new RegExp(`.*${NAME_COL}\\s+${ID_COL}\\s+${VERSION_COL}.*`);
+
+  // Get winget upgrade list
+  const wgOutput = execWinget(['upgrade', '--include-unknown']);
+
+  if (!wgOutput || wgOutput.trim().length === 0) {
+    throw new Error('winget update command failed or returned empty output');
+  }
+
+  // Remove last 2 lines (summary info + newline)
+  const lines = wgOutput
+    .split('\n')
+    .slice(0, -2)
+    .map((line) => line.trim());
+
+  const outputLineCount = lines.length;
+  const tableHeaderIndex = lines.findIndex((line) => line.match(tableHeaderRegex) !== null);
+  if (tableHeaderIndex === -1) {
+    throw new Error('Could not find table header in winget output');
+  }
+  // Find column positions
+  const namePos = lines[tableHeaderIndex].indexOf(NAME_COL);
+  const idPos = lines[tableHeaderIndex].indexOf(ID_COL);
+  const versionPos = lines[tableHeaderIndex].indexOf(VERSION_COL);
+  if (namePos === -1 || idPos === -1 || versionPos === -1) {
+    throw new Error('Could not find expected column headers in winget output');
+  }
+
+  // Calculate column positions relative to start of each line
+  const packageIdStartPos = idPos - namePos;
+  const packageIdColLength = versionPos - idPos;
+
+  const packageListStartLineIndex = tableHeaderIndex + 2; // Skip header and separator line
+  const packageIds = [];
+
+  // Extract package IDs from each line
+  for (let i = packageListStartLineIndex; i < outputLineCount; i++) {
+    const line = lines[i];
+    if (!line || line.trim().length === 0) {
+      continue;
+    }
+
+    const packageId = line.substring(packageIdStartPos, packageIdStartPos + packageIdColLength).trim();
+
+    if (packageId) {
+      packageIds.push(packageId);
+    }
+  }
+
+  return packageIds;
+}
+
+/**
+ * Runs winget update commands for the provided package IDs
+ * @param {string[]} ids - Package IDs to update
+ * @returns {Promise<void>}
+ */
+export async function runUpdates(ids, errorHandler = async (_id, _err) => false) {
+  for (const id of ids) {
+    console.log(`Updating package: ${id}`);
+    // prettier-ignore
+    try {
+      execWinget([
+        'upgrade',
+        '-i',
+        '--id',
+        id,
+        '--accept-source-agreements',
+        '--accept-package-agreements'
+      ], { inheritStdio: true });
+      console.log(`Package ${id} updated successfully.`);
+    } catch (err) {
+      // eslint-disable-next-line no-await-in-loop
+      if (!(await errorHandler(id, err))) {
+        throw err;
+      }
+    }
+  }
+}
+
+/**
+ * Synchronously executes winget command and returns stdout
+ * @param {string[]} args - Command arguments
+ * @param {Object} options - Execution options
+ * @param {boolean} options.inheritStdio - Whether to inherit stdio
+ * @returns {string} Command stdout
+ * @throws {Error} If command fails
+ */
+function execWinget(args, { inheritStdio = false } = {}) {
+  const stdio = inheritStdio ? 'inherit' : 'pipe';
+  const child = spawnSync('winget', args, { shell: false, stdio, encoding: 'utf8' });
+
+  const stdout = child.stdout || '';
+  const stderr = child.stderr || '';
+
+  if (child.error) {
+    throw new Error(`Failed to execute winget: ${child.error.message}`);
+  }
+
+  if (child.status !== 0) {
+    throw new Error(`winget exited with code ${child.status}${stderr ? `: ${stderr}` : ''}`);
+  }
+
+  return stdout;
+}