refactor(updates): fetch version from registry instead of npm CLI to support multiple managers (#446)

## Background  
Addressing feedback from
https://github.com/openai/codex/pull/333#discussion_r2050893224, this PR
adds support for Bun alongside npm, pnpm while keeping the code simple.

## Summary  
The update‑check flow is refactored to use a direct registry lookup
(`fast-npm-meta` + `semver`) instead of shelling out to `npm outdated`,
and adds a lightweight installer‑detection mechanism that:

1. Checks if the invoked script lives under a known global‑bin directory
(npm, pnpm, or bun)
2. If not, falls back to local detection via `getUserAgent()` (the
`package‑manager‑detector` library)

## What’s Changed  
- **Registry‑based version check**  
- Replace `execFile("npm", ["outdated"])` with `getLatestVersion()` and
`semver.gt()`
- **Multi‑manager support**  
- New `renderUpdateCommand` handles update commands for `npm`, `pnpm`,
and `bun`.
  - Detect global installer first via `detectInstallerByPath()`  
  - Fallback to local detection via `getUserAgent()`  
- **Module cleanup**  
- Extract `detectInstallerByPath` into
`utils/package-manager-detector.ts`
- Remove legacy `checkOutdated`, `getNPMCommandPath`, and child‑process
JSON parsing
- **Flow improvements in `checkForUpdates`**  
  1. Short‑circuit by `UPDATE_CHECK_FREQUENCY`  
  3. Fetch & compare versions  
  4. Persist new timestamp immediately  
  5. Render & display styled box only when an update exists  
- **Maintain simplicity**
- All multi‑manager logic lives in one small helper and a concise lookup
rather than a complex adapter hierarchy
- Core `checkForUpdates` remains a single, easy‑to‑follow async function
- **Dependencies added**  
- `fast-npm-meta`, `semver`, `package-manager-detector`, `@types/semver`

## Considerations
If we decide to drop the interactive update‑message (`npm install -g
@openai/codex`) rendering altogether, we could remove most of the
installer‑detection code and dependencies, which would simplify the
codebase further but result in a less friendly UX.

## Preview

* npm

![refactor-update-check-flow-npm](https://github.com/user-attachments/assets/57320114-3fb6-4985-8780-3388a1d1ec85)

* bun

![refactor-update-check-flow-bun](https://github.com/user-attachments/assets/d93bf0ae-a687-412a-ab92-581b4f967307)

## Simple Flow Chart

```mermaid
flowchart TD
  A(Start) --> B[Read state]
  B --> C{Recent check?}
  C -- Yes --> Z[End]
  C -- No --> D[Fetch latest version]
  D --> E[Save check time]
  E --> F{Version data OK?}
  F -- No --> Z
  F -- Yes --> G{Update available?}
  G -- No --> Z
  G -- Yes --> H{Global install?}
  H -- Yes --> I[Select global manager]
  H -- No --> K{Local install?}
  K -- No --> Z
  K -- Yes --> L[Select local manager]
  I & L --> M[Render update message]
  M --> N[Format with boxen]
  N --> O[Print update]
  O --> Z
```

codex-cli/src/utils/check-updates.ts

@@ -1,87 +1,81 @@
-import { CONFIG_DIR } from "./config";
+import type { AgentName } from "package-manager-detector";
+
+import { detectInstallerByPath } from "./package-manager-detector";
+import { CLI_VERSION } from "./session";
 import boxen from "boxen";
 import chalk from "chalk";
-import * as cp from "node:child_process";
+import { getLatestVersion } from "fast-npm-meta";
 import { readFile, writeFile } from "node:fs/promises";
 import { join } from "node:path";
-import which from "which";
+import { getUserAgent } from "package-manager-detector";
+import semver from "semver";
 
 interface UpdateCheckState {
   lastUpdateCheck?: string;
 }
 
-interface PackageInfo {
-  current: string;
-  wanted: string;
-  latest: string;
-  dependent: string;
-  location: string;
-}
-
 interface UpdateCheckInfo {
   currentVersion: string;
   latestVersion: string;
 }
 
-const UPDATE_CHECK_FREQUENCY = 1000 * 60 * 60 * 24; // 1 day
-
-export async function getNPMCommandPath(): Promise<string | undefined> {
-  try {
-    return await which(process.platform === "win32" ? "npm.cmd" : "npm");
-  } catch {
-    return undefined;
-  }
+export interface UpdateOptions {
+  manager: AgentName;
+  packageName: string;
 }
 
-export async function checkOutdated(
-  npmCommandPath: string,
-): Promise<UpdateCheckInfo | undefined> {
-  return new Promise((resolve, _reject) => {
-    // TODO: support local installation
-    // Right now we're using "--global", which only checks global packages.
-    // But codex might be installed locally — we should check the local version first,
-    // and only fall back to the global one if needed.
-    const args = ["outdated", "--global", "--json", "--", "@openai/codex"];
-    // corepack npm wrapper would automatically update package.json. disable that behavior.
-    // COREPACK_ENABLE_AUTO_PIN disables the package.json overwrite, and
-    // COREPACK_ENABLE_PROJECT_SPEC makes the npm view command succeed
-    //   even if packageManager specified a package manager other than npm.
-    const env = {
-      ...process.env,
-      COREPACK_ENABLE_AUTO_PIN: "0",
-      COREPACK_ENABLE_PROJECT_SPEC: "0",
-    };
-    let options: cp.ExecFileOptions = { env };
-    let commandPath = npmCommandPath;
-    if (process.platform === "win32") {
-      options = { ...options, shell: true };
-      commandPath = `"${npmCommandPath}"`;
-    }
-    cp.execFile(commandPath, args, options, async (_error, stdout) => {
-      try {
-        const { name: packageName } = await import("../../package.json");
-        const content: Record<string, PackageInfo> = JSON.parse(stdout);
-        if (!content[packageName]) {
-          // package not installed or not outdated
-          resolve(undefined);
-          return;
-        }
+const UPDATE_CHECK_FREQUENCY = 1000 * 60 * 60 * 24; // 1 day
 
-        const currentVersion = content[packageName].current;
-        const latestVersion = content[packageName].latest;
+export function renderUpdateCommand({
+  manager,
+  packageName,
+}: UpdateOptions): string {
+  const updateCommands: Record<AgentName, string> = {
+    npm: `npm install -g ${packageName}`,
+    pnpm: `pnpm add -g ${packageName}`,
+    bun: `bun add -g ${packageName}`,
+    /** Only works in yarn@v1 */
+    yarn: `yarn global add ${packageName}`,
+    deno: `deno install -g npm:${packageName}`,
+  };
 
-        resolve({ currentVersion, latestVersion });
-        return;
-      } catch {
-        // ignore
-      }
-      resolve(undefined);
-    });
+  return updateCommands[manager];
+}
+
+function renderUpdateMessage(options: UpdateOptions) {
+  const updateCommand = renderUpdateCommand(options);
+  return `To update, run ${chalk.magenta(updateCommand)} to update.`;
+}
+
+async function writeState(stateFilePath: string, state: UpdateCheckState) {
+  await writeFile(stateFilePath, JSON.stringify(state, null, 2), {
+    encoding: "utf8",
   });
 }
 
+async function getUpdateCheckInfo(
+  packageName: string,
+): Promise<UpdateCheckInfo | undefined> {
+  const metadata = await getLatestVersion(packageName, {
+    force: true,
+    throw: false,
+  });
+
+  if ("error" in metadata || !metadata?.version) {
+    return;
+  }
+
+  return {
+    currentVersion: CLI_VERSION,
+    latestVersion: metadata.version,
+  };
+}
+
 export async function checkForUpdates(): Promise<void> {
+  const { CONFIG_DIR } = await import("./config");
   const stateFile = join(CONFIG_DIR, "update-check.json");
+
+  // Load previous check timestamp
   let state: UpdateCheckState | undefined;
   try {
     state = JSON.parse(await readFile(stateFile, "utf8"));
@@ -89,6 +83,7 @@ export async function checkForUpdates(): Promise<void> {
     // ignore
   }
 
+  // Bail out if we checked less than the configured frequency ago
   if (
     state?.lastUpdateCheck &&
     Date.now() - new Date(state.lastUpdateCheck).valueOf() <
@@ -97,25 +92,39 @@ export async function checkForUpdates(): Promise<void> {
     return;
   }
 
-  const npmCommandPath = await getNPMCommandPath();
-  if (!npmCommandPath) {
-    return;
-  }
-
-  const packageInfo = await checkOutdated(npmCommandPath);
+  // Fetch current vs latest from the registry
+  const { name: packageName } = await import("../../package.json");
+  const packageInfo = await getUpdateCheckInfo(packageName);
 
   await writeState(stateFile, {
     ...state,
     lastUpdateCheck: new Date().toUTCString(),
   });
 
-  if (!packageInfo) {
+  if (
+    !packageInfo ||
+    !semver.gt(packageInfo.latestVersion, packageInfo.currentVersion)
+  ) {
     return;
   }
 
-  const updateMessage = `To update, run: ${chalk.cyan(
-    "npm install -g @openai/codex",
-  )} to update.`;
+  // Detect global installer
+  let managerName = await detectInstallerByPath();
+
+  // Fallback to the local package manager
+  if (!managerName) {
+    const local = getUserAgent();
+    if (!local) {
+      // No package managers found, skip it.
+      return;
+    }
+    managerName = local;
+  }
+
+  const updateMessage = renderUpdateMessage({
+    manager: managerName,
+    packageName,
+  });
 
   const box = boxen(
     `\
@@ -135,9 +144,3 @@ ${updateMessage}`,
   // eslint-disable-next-line no-console
   console.log(box);
 }
-
-async function writeState(stateFilePath: string, state: UpdateCheckState) {
-  await writeFile(stateFilePath, JSON.stringify(state, null, 2), {
-    encoding: "utf8",
-  });
-}

codex-cli/src/utils/package-manager-detector.ts

@@ -0,0 +1,73 @@
+import type { AgentName } from "package-manager-detector";
+
+import { execFileSync } from "node:child_process";
+import { join, resolve } from "node:path";
+import which from "which";
+
+function isInstalled(manager: AgentName): boolean {
+  try {
+    which.sync(manager);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function getGlobalBinDir(manager: AgentName): string | undefined {
+  if (!isInstalled(manager)) {
+    return;
+  }
+
+  try {
+    switch (manager) {
+      case "npm": {
+        const stdout = execFileSync("npm", ["prefix", "-g"], {
+          encoding: "utf-8",
+        });
+        return join(stdout.trim(), "bin");
+      }
+
+      case "pnpm": {
+        // pnpm bin -g prints the bin dir
+        const stdout = execFileSync("pnpm", ["bin", "-g"], {
+          encoding: "utf-8",
+        });
+        return stdout.trim();
+      }
+
+      case "bun": {
+        // bun pm bin -g prints your bun global bin folder
+        const stdout = execFileSync("bun", ["pm", "bin", "-g"], {
+          encoding: "utf-8",
+        });
+        return stdout.trim();
+      }
+
+      default:
+        return undefined;
+    }
+  } catch {
+    // ignore
+  }
+
+  return undefined;
+}
+
+export async function detectInstallerByPath(): Promise<AgentName | undefined> {
+  // e.g. /usr/local/bin/codex
+  const invoked = process.argv[1] && resolve(process.argv[1]);
+  if (!invoked) {
+    return;
+  }
+
+  const supportedManagers: Array<AgentName> = ["npm", "pnpm", "bun"];
+
+  for (const mgr of supportedManagers) {
+    const binDir = getGlobalBinDir(mgr);
+    if (binDir && invoked.startsWith(binDir)) {
+      return mgr;
+    }
+  }
+
+  return undefined;
+}