- Fetch manifest from CDN on every invocation, download and replace binary if a newer version exists
- Verify SHA256 checksum before replacing, extract from tar.gz or zip
- Skip update in dev builds, CI environments, or when auto_update is false in config.toml
- Run update check in background goroutine, print notice to stderr after command completes
- Add AutoUpdate *bool field to CLIConfig for opt-out
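The commit above describes the download, SHA256 check and tar.gz extraction steps. The following is an added example and not code from the DeepSource CLI: a stdlib-only Go sketch of that path in the safe order (verify the archive digest first, only then decompress and extract), with a size bound on the extracted file so a crafted archive cannot exhaust memory. The function names verifyChecksum, extractFromTarGz, prepareBinary and makeTarGz, the binary name "deepsource" inside the archive, and the in-memory fixture archive are all this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// verifyChecksum compares the SHA-256 of data against the hex digest the
// manifest advertises. Digest length is validated so a truncated or empty
// manifest value cannot pass by accident.
func verifyChecksum(data []byte, wantHex string) error {
	want, err := hex.DecodeString(wantHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("manifest checksum %q is not a SHA-256 hex digest", wantHex)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("checksum mismatch: got %x, want %s", got, wantHex)
	}
	return nil
}

// extractFromTarGz returns the regular file called name from a gzip-compressed
// tar archive. The header size is checked against maxSize before any bytes are
// read; tar.Reader itself never returns more than the header's Size.
func extractFromTarGz(archive []byte, name string, maxSize int64) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, fmt.Errorf("%q not found in archive", name)
		}
		if err != nil {
			return nil, err
		}
		if hdr.Name != name || hdr.Typeflag != tar.TypeReg {
			continue // skip directories, symlinks and unrelated entries
		}
		if hdr.Size > maxSize {
			return nil, fmt.Errorf("%q is %d bytes, over the %d byte limit", name, hdr.Size, maxSize)
		}
		return io.ReadAll(tr)
	}
}

// prepareBinary is the order the commit message calls for: checksum first,
// extraction second. Nothing from an unverified archive is ever decompressed.
func prepareBinary(archive []byte, wantHex, name string, maxSize int64) ([]byte, error) {
	if err := verifyChecksum(archive, wantHex); err != nil {
		return nil, err
	}
	return extractFromTarGz(archive, name, maxSize)
}

// makeTarGz builds a one-file archive in memory. It is a constructed fixture
// standing in for the release tarball a CDN would serve.
func makeTarGz(name string, content []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: name, Mode: 0o755, Size: int64(len(content)), Typeflag: tar.TypeReg}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(content); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	archive := makeTarGz("deepsource", []byte("#!/bin/sh\necho fake cli\n"))
	sum := sha256.Sum256(archive)
	bin, err := prepareBinary(archive, hex.EncodeToString(sum[:]), "deepsource", 64<<20)
	fmt.Printf("extracted %d bytes, err=%v\n", len(bin), err)
	archive[len(archive)-1] ^= 0xff // tamper with one byte of the download
	_, err = prepareBinary(archive, hex.EncodeToString(sum[:]), "deepsource", 64<<20)
	fmt.Println("tampered archive:", err)
}
```

The digest here covers the downloaded archive, not the extracted binary, which is the only thing a manifest fetched beside the tarball can meaningfully attest; a zip variant would follow the same check-then-extract shape with archive/zip.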
- Phase 1 (CheckForUpdate) fetches manifest and writes state file if newer version exists, with a short 3s timeout to avoid slowing down CLI startup
- Phase 2 (ApplyUpdate) reads state file on next run and applies the update with a 30s timeout
- Removes background goroutine and channel-based approach in favor of synchronous two-phase model
- State file (update.json) is cleared before applying so broken updates don't retry forever
- Adds UpdateState struct and read/write/clear helpers for on-disk persistence
- Adds tests for state file lifecycle, version comparison, download + checksum verification, and no-op when state file is absent
- Extract hardcoded cli.deepsource.com URL into buildinfo.BaseURL so dev builds can point to cli.deepsource.one
- Only skip auto-update for local dev builds (version == "development"), not all dev-mode builds
- Update tests to reflect the new behavior
- Strip pre-release/build suffix (e.g. "44-e888cf0f" → "44") before parsing patch version
- Fixes strconv.Atoi failure when version contains a commit hash
We reviewed changes in fccfbea...d7d18bc on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.
Ignored `os.UserHomeDir()` error can lead to insecure file creation
The error returned by os.UserHomeDir() is ignored. If this function fails, for example in a restricted environment where the home directory isn't available, home will be an empty string. This causes the update state file to be written to a relative path (.deepsource/update.json), potentially in the current working directory.
If the command is run from a world-writable directory like /tmp, an attacker could pre-create a malicious .deepsource/update.json file to control the update process, leading to arbitrary code execution. The error should be checked and handled to ensure the state file is always written to a secure, expected location.
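The comment above is about where the state file lands when the home directory cannot be resolved; the second commit description earlier lists the state-file lifecycle (write in phase 1, read and clear before apply in phase 2). As an added example, not the project's code, here is a stdlib-only Go version of that lifecycle in which a failed os.UserHomeDir() is an error rather than a silent fall-through to a relative path, and in which the state file is removed before the update is applied so a broken update is attempted once. The names statePath, statePathUnder, writeState, readState, clearState and applyPending, the UpdateState fields, and the 0o700/0o600 permissions are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// UpdateState is what phase 1 leaves on disk for phase 2 to act on.
type UpdateState struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// statePath resolves ~/.deepsource/update.json. A UserHomeDir failure is fatal
// for the updater: continuing with home == "" would yield a path relative to
// the current directory, which may be world-writable.
func statePath() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", fmt.Errorf("auto-update: cannot resolve home directory: %w", err)
	}
	return statePathUnder(home)
}

// statePathUnder is the testable core. It rejects an empty or relative home
// instead of quietly producing a relative state path.
func statePathUnder(home string) (string, error) {
	if !filepath.IsAbs(home) {
		return "", fmt.Errorf("auto-update: home directory %q is not absolute", home)
	}
	return filepath.Join(home, ".deepsource", "update.json"), nil
}

// writeState is phase 1's output: owner-only directory and file.
func writeState(path string, st UpdateState) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	data, err := json.Marshal(st)
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o600)
}

// readState returns (nil, nil) when no update is pending.
func readState(path string) (*UpdateState, error) {
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	var st UpdateState
	if err := json.Unmarshal(data, &st); err != nil {
		return nil, err
	}
	return &st, nil
}

// clearState removes the state file; an already-missing file is not an error.
func clearState(path string) error {
	if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return nil
}

// applyPending is phase 2: read the state, clear it before calling apply, and
// report whether an update was attempted. Clearing first means an update whose
// download or install keeps failing is tried once, not on every run.
func applyPending(path string, apply func(UpdateState) error) (bool, error) {
	st, err := readState(path)
	if err != nil || st == nil {
		return false, err
	}
	if err := clearState(path); err != nil {
		return false, err
	}
	return true, apply(*st)
}

func main() {
	path, err := statePath()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	attempted, err := applyPending(path, func(st UpdateState) error {
		fmt.Fprintf(os.Stderr, "would update to %s from %s\n", st.Version, st.URL)
		return nil
	})
	fmt.Println("attempted:", attempted, "err:", err)
}
```

Splitting statePath into a thin wrapper and statePathUnder keeps the failure branch unit-testable without manipulating HOME, which is the same testability point the TestReplaceBinary comment below makes for replaceBinary.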
`TestReplaceBinary` re-implements logic instead of calling the `replaceBinary` function
This block re-implements the logic for replacing a binary file, but the test never calls the production replaceBinary function it is meant to test. This provides a false sense of test coverage.
Refactor the test to call the actual replaceBinary function. This may require making replaceBinary more testable, such as by having it accept the target binary path as a parameter.
Custom semantic version parsing is incomplete and mishandles pre-release or build metadata
The custom implementation for parsing semantic versions in parseSemver is not fully compliant with the SemVer 2.0.0 standard. It incorrectly handles pre-release version precedence and will fail to parse versions containing build metadata (e.g., 1.2.3+456), causing update checks to fail or behave unexpectedly.
Using a battle-tested library is strongly recommended. Replace this custom logic with a standard library like golang.org/x/mod/semver to ensure correct and robust version parsing and comparison.
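The reviewer's recommendation to use golang.org/x/mod/semver is the library route. To make the precedence rules the comment refers to concrete, here is an added, stdlib-only Go parser and comparator following SemVer 2.0.0: build metadata after "+" is parsed but ignored for ordering, pre-release identifiers are kept rather than stripped (so "1.2.44-e888cf0f" sorts below "1.2.44" instead of being equal to it), numeric identifiers compare as integers and sort below alphanumeric ones, and a longer identifier list wins an otherwise equal comparison. This is an independent stand-in that happens to share the name parseSemver with the function under review; Version, Compare, compareIdent, isNumeric and isNewer are this example's own names, and a leading "v" is accepted as an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed SemVer 2.0.0 version. Build metadata is kept for
// display but ignored for precedence, as the spec requires.
type Version struct {
	Major, Minor, Patch int
	Pre                 []string // pre-release identifiers, e.g. ["rc", "1"]
	Build               string   // text after '+', e.g. "e888cf0f"
}

// isNumeric reports whether id is non-empty and consists only of ASCII digits.
func isNumeric(id string) bool {
	for i := 0; i < len(id); i++ {
		if id[i] < '0' || id[i] > '9' {
			return false
		}
	}
	return id != ""
}

// parseSemver accepts "1.2.3", "v1.2.3", "1.2.3-rc.1", "1.2.3+456" and
// "1.2.3-rc.1+456". The '+' suffix is split off before the '-' suffix because
// build metadata may itself contain hyphens.
func parseSemver(s string) (Version, error) {
	var v Version
	rest := strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(rest, '+'); i >= 0 {
		v.Build, rest = rest[i+1:], rest[:i]
	}
	if i := strings.IndexByte(rest, '-'); i >= 0 {
		v.Pre, rest = strings.Split(rest[i+1:], "."), rest[:i]
	}
	parts := strings.Split(rest, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("semver %q: want MAJOR.MINOR.PATCH", s)
	}
	dst := [3]*int{&v.Major, &v.Minor, &v.Patch}
	for i, p := range parts {
		// Core components are digits only with no leading zeros.
		if !isNumeric(p) || (len(p) > 1 && p[0] == '0') {
			return Version{}, fmt.Errorf("semver %q: bad numeric component %q", s, p)
		}
		*dst[i], _ = strconv.Atoi(p) // cannot fail on a digits-only string short of overflow
	}
	return v, nil
}

func sign(d int) int {
	if d < 0 {
		return -1
	}
	if d > 0 {
		return 1
	}
	return 0
}

// compareIdent orders two pre-release identifiers: numeric ones compare as
// integers and sort below alphanumeric ones, which compare as ASCII strings.
func compareIdent(x, y string) int {
	xn, yn := isNumeric(x), isNumeric(y)
	switch {
	case xn && yn:
		xi, _ := strconv.Atoi(x)
		yi, _ := strconv.Atoi(y)
		return sign(xi - yi)
	case xn:
		return -1
	case yn:
		return 1
	}
	return strings.Compare(x, y)
}

// Compare returns -1, 0 or 1 following the SemVer 2.0.0 precedence rules.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d != 0 {
			return sign(d)
		}
	}
	switch {
	case len(a.Pre) == 0 && len(b.Pre) == 0:
		return 0
	case len(a.Pre) == 0: // a release outranks every pre-release of itself
		return 1
	case len(b.Pre) == 0:
		return -1
	}
	for i := 0; i < len(a.Pre) && i < len(b.Pre); i++ {
		if c := compareIdent(a.Pre[i], b.Pre[i]); c != 0 {
			return c
		}
	}
	return sign(len(a.Pre) - len(b.Pre)) // longer identifier list wins a tie
}

// isNewer reports whether latest should replace current.
func isNewer(current, latest string) (bool, error) {
	c, err := parseSemver(current)
	if err != nil {
		return false, err
	}
	l, err := parseSemver(latest)
	if err != nil {
		return false, err
	}
	return Compare(l, c) > 0, nil
}

func main() {
	for _, p := range [][2]string{{"1.2.44-e888cf0f", "1.2.44"}, {"1.2.3+456", "1.2.3+999"}} {
		newer, err := isNewer(p[0], p[1])
		fmt.Printf("%s -> %s: newer=%v err=%v\n", p[0], p[1], newer, err)
	}
}
```

Note the difference from the suffix-stripping fix in the last commit: stripping "-e888cf0f" makes the pre-release equal to the release, so a client on the pre-release would never see the final build as an update; keeping the identifiers preserves that ordering.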