Note the high-level motivation behind this change is to avoid the need
to make temporary changes in the source tree in order to cut a release
build since that runs the risk of leaving things in an inconsistent
state in the event of a failure. The existing code:
```
import pkg from "../../package.json" assert { type: "json" };
```
did not work as intended because, as written, ESBuild would bake the
contents of the local `package.json` into the release build at build
time whereas we want it to read the contents at runtime so we can use
the `package.json` in the tree to build the code and later inject a
modified version into the release package with a timestamped build
version.
Changes:
* move `CLI_VERSION` out of `src/utils/session.ts` and into
`src/version.ts` so `../package.json` is a correct relative path both
from `src/version.ts` in the source tree and also in the final
`dist/cli.js` build output
* change `assert` to `with` in `import pkg` as apparently `with` became
standard in Node 22
* mark `"../package.json"` as external in `build.mjs` so the version is
not baked into the `.js` at build time
After using `pnpm stage-release` to build a release version, if I use
Node 22.0 to run Codex, I see the following printed to stderr at
startup:
```
(node:71308) ExperimentalWarning: Importing JSON modules is an experimental feature and might change at any time
(Use `node --trace-warnings ...` to show where the warning was created)
```
Note it is a warning and does not prevent Codex from running.
In Node 22.12, the warning goes away, but the warning still appears in
Node 22.11. For Node 22, 22.15.0 is the current LTS version, so LTS
users will not see this.
Also, something about moving the definition of `CLI_VERSION` caused a
problem with the mocks in `check-updates.test.ts`. I asked Codex to fix
it, and it came up with the change to the test configs. I don't know
enough about vitest to understand what it did, but the tests seem
healthy again, so I'm going with it.
## Background
Addressing feedback from
https://github.com/openai/codex/pull/333#discussion_r2050893224, this PR
adds support for Bun alongside npm, pnpm while keeping the code simple.
## Summary
The update‑check flow is refactored to use a direct registry lookup
(`fast-npm-meta` + `semver`) instead of shelling out to `npm outdated`,
and adds a lightweight installer‑detection mechanism that:
1. Checks if the invoked script lives under a known global‑bin directory
(npm, pnpm, or bun)
2. If not, falls back to local detection via `getUserAgent()` (the
`package‑manager‑detector` library)
## What’s Changed
- **Registry‑based version check**
- Replace `execFile("npm", ["outdated"])` with `getLatestVersion()` and
`semver.gt()`
- **Multi‑manager support**
- New `renderUpdateCommand` handles update commands for `npm`, `pnpm`,
and `bun`.
- Detect global installer first via `detectInstallerByPath()`
- Fallback to local detection via `getUserAgent()`
- **Module cleanup**
- Extract `detectInstallerByPath` into
`utils/package-manager-detector.ts`
- Remove legacy `checkOutdated`, `getNPMCommandPath`, and child‑process
JSON parsing
- **Flow improvements in `checkForUpdates`**
1. Short‑circuit by `UPDATE_CHECK_FREQUENCY`
3. Fetch & compare versions
4. Persist new timestamp immediately
5. Render & display styled box only when an update exists
- **Maintain simplicity**
- All multi‑manager logic lives in one small helper and a concise lookup
rather than a complex adapter hierarchy
- Core `checkForUpdates` remains a single, easy‑to‑follow async function
- **Dependencies added**
- `fast-npm-meta`, `semver`, `package-manager-detector`, `@types/semver`
## Considerations
If we decide to drop the interactive update‑message (`npm install -g
@openai/codex`) rendering altogether, we could remove most of the
installer‑detection code and dependencies, which would simplify the
codebase further but result in a less friendly UX.
## Preview
* npm
* bun
## Simple Flow Chart
```mermaid
flowchart TD
A(Start) --> B[Read state]
B --> C{Recent check?}
C -- Yes --> Z[End]
C -- No --> D[Fetch latest version]
D --> E[Save check time]
E --> F{Version data OK?}
F -- No --> Z
F -- Yes --> G{Update available?}
G -- No --> Z
G -- Yes --> H{Global install?}
H -- Yes --> I[Select global manager]
H -- No --> K{Local install?}
K -- No --> Z
K -- Yes --> L[Select local manager]
I & L --> M[Render update message]
M --> N[Format with boxen]
N --> O[Print update]
O --> Z
```
**Summary**
This change introduces a new startup check that notifies users if a
newer `@openai/codex` version is available. To avoid spamming, it writes
a small state file recording the last check time and will only re‑check
once every 24 hours.
**What’s Changed**
- **New file** `src/utils/check-updates.ts`
- Runs `npm outdated --global @openai/codex`
- Reads/writes `codex-state.json` under `CONFIG_DIR`
- Limits checks to once per day (`UPDATE_CHECK_FREQUENCY = 24h`)
- Uses `boxen` for a styled alert and `which` to locate the npm binary
- **Hooked into** `src/cli.tsx` entrypoint:
```ts
import { checkForUpdates } from "./utils/check-updates";
// …
// after loading config
await checkForUpdates().catch();
```
- **Dependencies**
- Added `boxen@^8.0.1`, `which@^5.0.0`, `@types/which@^3.0.4`
- **Tests**
- Vitest suite under `tests/check-updates.test.ts`
- Snapshot in `__snapshots__/check-updates.test.ts.snap`
**Motivation**
Addresses issue #244. Users running a stale global install will now see
a friendly reminder—at most once per day—to upgrade and enjoy the latest
features.
**Test Plan**
- `getNPMCommandPath()` resolves npm correctly
- `checkOutdated()` parses `npm outdated` JSON
- State file prevents repeat alerts within 24h
- Boxen snapshot matches expected output
- No console output when state indicates a recent check
**Related Issue**
try resolves#244
**Preview**
Prompt a pnpm‑style alert when outdated
Let me know if you’d tweak any of the messaging, throttle frequency,
placement in the startup flow, or anything else.
---------
Co-authored-by: Thibault Sottiaux <tibo@openai.com>
