feat: add version update feature #114
- Auto detect new version and show on every command
- Add update command to do self update
Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 10166c5. Configure here.
| latest.bright_green().bold() | ||
| ); | ||
| log_print!(" Download it from {}", RELEASES_PAGE_URL.bright_cyan()); | ||
| } |
Update notice mid-command output
Medium Severity
The background update task prints its banner as soon as notify_if_update_available finishes, including when a warm cache makes that almost instant. main only waits for the task afterward, so on slow commands the “new version available” lines can appear in the middle of normal command output instead of after it.
| if self_update::version::bump_is_greater(current, latest_version).unwrap_or(false) { | ||
| return Ok(UpdateOutcome::UpdateAvailable(latest_version.to_string())); | ||
| } | ||
| return Ok(UpdateOutcome::AlreadyLatest(current.to_string())); |
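Review bot: `bump_is_greater(current, latest_version).unwrap_or(false)` turns a version-comparison error into "not newer", so a tag that cannot be parsed falls through to `UpdateOutcome::AlreadyLatest` and the user is told they are up to date. Return the error to the caller, or at least log it, so that an unparseable version is distinguishable from being on the latest release.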
Check-only uses wrong latest
Medium Severity
quantus update --check treats the first entry from ReleaseList::fetch() as “latest”, which can be a prerelease or any newest tag on the full releases list. Background checks and self_update’s install path follow GitHub’s /releases/latest (stable) semantics, so --check can report an upgrade that quantus update will not perform.
I've reviewed PR #114 thoroughly—pulled the full diff, checked the actual GitHub release asset names and archive layout, and cross-referenced the codebase conventions. Here's my review.

Summary

The PR adds two things: a

Blocking / High value

1. Background notice can print in the middle of command output (Bugbot #1 — valid)

The fix is to make the task return the data and let

```rust
// version_check.rs
pub async fn check_for_update() -> Option<(String, String)> {
    if std::env::var_os(DISABLE_ENV).is_some() {
        return None;
    }
    let current = env!("CARGO_PKG_VERSION");
    let latest = latest_version().await?;
    is_newer(current, &latest).then(|| (current.to_string(), latest))
}
```

Then

2. In

3. DRY violation — two implementations of "fetch latest + compare versions"

This is the root cause that makes #2 possible, and it's worth calling out given the repo's strict DRY rule.

Medium

4. Silent failures conflict with the project's "fail early / always log" rule

5. Latency regression on fast commands with a cold cache

Minor / nits

Things that are correct (verified)

Net: the feature is well-built and close, but I'd want #1, #2, and the #3 consolidation addressed before merge (the first two are confirmed bugs, and fixing #3 resolves #2 cleanly). #4 and #5 are quick follow-ups in line with the repo's conventions. Want me to implement these fixes on the branch?
n13 left a comment
Re-review (commits 963aa91 → 6891a90)
Verdict: ✅ Approve
Every issue from the previous review has been addressed, and CI is fully green (Build & Test on macOS + Ubuntu, Clippy, Format, Examples, CodeQL).
Resolved
- Notice mid-command output — fixed. `notify_if_update_available` is now a synchronous, cache-only read; the background `refresh_cache_in_background` only warms the cache; and the notice is printed from `finish_update_check` after command output, so it can no longer race into the middle.
- `update --check` wrong "latest" — fixed. Check-only now calls `latest_stable_version()`, which uses the same `/releases/latest` resolution as the install path, so a reported upgrade is always one `quantus update` can actually install.
- DRY — fixed. `configure_updater()` / `latest_stable_version()` in `cli::update` are now the single source of truth; `version_check` delegates fetch + comparison to `self_update` (`bump_is_greater`). The hand-rolled `reqwest` fetch and custom `parse_version` / `is_newer` / `normalize` are gone.
- Silent failures — fixed. Cache read/parse/write and refresh errors are surfaced via `log_verbose!` (with `NotFound` correctly treated as expected), in line with the fail-early / always-log convention.
- Latency — improved. The network fetch no longer blocks command execution; it runs concurrently, the end-of-command wait is bounded by `REFRESH_GRACE` (3s), and it's a no-op when the cache is fresh.
The earlier nits (unnecessary clone, stale is_newer comment) are also gone.
Minor / non-blocking (optional follow-ups)
- Doc vs behavior mismatch: the module docs say "The first run with a cold cache shows nothing; a later run (once the cache is warm) shows the notice," but `finish_update_check` awaits the refresh before notifying, so on a cold/stale cache it can show on the same run — and a fast command like `quantus version` can wait up to ~3s at the end while the refresh completes. Either drop the await (show strictly on the next run, matching the docs and giving zero added latency) or tweak the comment to match the current "show on same run when possible" behavior.
- Possible duplicate HTTP stack: `self_update` still appears to pull `ureq` / `ureq-proto` / `socks` / `cookie_store` into the lockfile despite the `reqwest` feature. A quick `cargo tree -i ureq` would confirm whether a second HTTP client is actually compiled; otherwise the "no duplicate deps" rationale in `Cargo.toml` doesn't fully hold.
Nice work — good to merge once you're happy with the optional notes.


Note

Medium Risk

Self-update downloads and overwrites the running binary from GitHub, which is a supply-chain and permissions-sensitive path even though it does not touch wallet or chain auth logic.

Overview

Adds in-place CLI updates from GitHub releases and a non-blocking “new version available” notice on normal commands.

`quantus update` downloads the platform archive from `Quantus-Network/quantus-cli`, extracts `quantus-cli-v{version}-{target}/quantus`, and replaces the running binary via `self_update` (blocking work on `spawn_blocking`). Flags: `--check`, `--yes`, and `--version` for a specific tag. Permission errors get a hint to use `sudo`.

Background check (`version_check`): queries GitHub’s latest release (or reads `~/.quantus/update_check.json` with a 4-hour TTL), compares semver-ish versions, and prints a notice after the command finishes (up to a 3s wait). Skipped for `quantus update` and when `QUANTUS_NO_UPDATE_CHECK` is set.

Deps: `self_update` 0.43 (aligned with existing `reqwest` 0.12 / `indicatif` 0.18); README documents the update flow.
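
The check-versus-install mismatch discussed in this thread (first entry of the release list versus the latest stable release), shown as an added example that is not code from the PR or from `self_update`: one resolver feeds both the check and the install decision, and an unparseable version is an error rather than "up to date". `Release`, `parse`, `latest_stable`, `update_for` and the sample tags are hypothetical names and constructed data.

```rust
// Added illustration, std only. Release, parse, latest_stable and update_for
// are hypothetical names, not quantus-cli or self_update APIs.

/// One entry of a release list, newest first (constructed sample shape).
pub struct Release {
    pub tag: &'static str,
    pub prerelease: bool,
}

/// Parse "v1.2.3" or "1.2.3" into a comparable triple; anything else
/// (including "-rc" suffixes) is an error, never a silent "not newer".
pub fn parse(tag: &str) -> Result<(u64, u64, u64), String> {
    let v = tag.strip_prefix('v').unwrap_or(tag);
    let parts: Vec<&str> = v.split('.').collect();
    if parts.len() != 3 {
        return Err(format!("not a x.y.z version: {tag}"));
    }
    let n = |s: &str| s.parse::<u64>().map_err(|e| format!("{tag}: {e}"));
    Ok((n(parts[0])?, n(parts[1])?, n(parts[2])?))
}

/// Highest stable release: what both the check and the install path must use.
pub fn latest_stable(list: &[Release]) -> Option<&'static str> {
    list.iter()
        .filter(|r| !r.prerelease)
        .filter_map(|r| parse(r.tag).ok().map(|v| (v, r.tag)))
        .max()
        .map(|(_, tag)| tag)
}

/// Ok(Some(tag)) if an installable upgrade exists, Ok(None) if up to date.
pub fn update_for(current: &str, list: &[Release]) -> Result<Option<&'static str>, String> {
    let cur = parse(current)?;
    Ok(latest_stable(list).filter(|tag| parse(tag).map_or(false, |v| v > cur)))
}

fn main() {
    // Constructed sample: the newest entry is a prerelease.
    let list = [
        Release { tag: "v0.5.0-rc1", prerelease: true },
        Release { tag: "v0.4.2", prerelease: false },
        Release { tag: "v0.4.1", prerelease: false },
    ];
    println!("first entry: {}", list[0].tag);
    println!("0.4.1 -> {:?}", update_for("0.4.1", &list));
    println!("0.4.2 -> {:?}", update_for("0.4.2", &list));
}
```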