Confusing minimumReleaseAge vs pi update behavior

[ashwch]

What do you want to change?

pi update should not silently stay on an older version when Pi was installed with pnpm v11.

Today the pnpm self-update command is:

pnpm install -g --ignore-scripts @earendil-works/pi-coding-agent

If the latest release is newer than pnpm’s minimumReleaseAge window, pnpm install -g installs the next older eligible version instead. Pi then says “Updated pi” even though it did not reach the latest version.

Why?

This is confusing and makes pi update feel broken.

In my case, pi update left Pi on 0.75.4 while Pi immediately showed “0.75.5 is available”. The user explicitly asked to update, so Pi should either:

• install the actual latest version, or
• clearly explain why it refused.

How?

For pnpm install -g installs, append --config.minimumReleaseAge=0 to the self-update command so the explicit pi update action bypasses pnpm’s age gate for that one invocation only. And imo in this bypassing should be fine because this is not a random dependency update, user are explicitly asking to update this specific package.

Example:

pnpm install -g --ignore-scripts --config.minimumReleaseAge=0 @earendil-works/pi-coding-agent

I’ve reproduced this locally and can send a PR if this approach looks acceptable.

[github-actions]

This issue was auto-closed. All issues from new contributors are auto-closed by default.

Maintainers review auto-closed issues daily and reopen worthwhile ones. Issues that do not meet the quality bar in CONTRIBUTING.md will not be reopened or receive a reply.

If a maintainer replies lgtmi on one of your issues, your future issues will stay open. If a maintainer replies lgtm, your future issues and PRs will stay open.

See CONTRIBUTING.md.

[mitsuhiko]

Yes, this is something I ran into myself. I don't think disabling the minimum age though is the right approach because surely people set that for a reason. However the interactions with the updater and the minimum age setting are confusing because it advertises an update that would not yet be reachable.

[lyssom]

The updater advertises versions that pnpm refuses to install due to minimumReleaseAge (default 3 days). The fix checks npm registry publish times against pnpm's config before showing the update notification or running pi update.

Changes:

• version-check.ts: queries pnpm config get minimumReleaseAge and npm registry time field; skips versions that haven't aged past the threshold
• package-manager-cli.ts: getSelfUpdatePlan() applies the same check so pi update doesn't silently install an older version and report "Updated"
• version-check.test.ts: 5 new tests covering non-pnpm, pnpm-aged, pnpm-too-new, and end-to-end checkForNewPiVersion scenarios

Non-pnpm installs are unaffected. All 599 tests pass, npm run check passes. Ready to PR once approved.

[ashwch]

@mitsuhiko Perhaps we can match the behaviour of pnpm self-update:
https://github.com/pnpm/pnpm/blob/main/engine/pm/commands/CHANGELOG.md#110116 i.e. resolving the newest Pi version eligible under pnpm's policy.

That would mean either displaying the new release available message only when the release is actually eligible to be installed as per user set preferences, or saying that a new update is available but due to minimumReleaseAge it cannot be installed yet.

For security related Pi releases for something major, I think it would be better to say something like:

Security update 0.75.6 is available, but pnpm minimumReleaseAge is delaying it. To install this specific fix now, add @earendil-works/pi-coding-agent@0.75.6 to minimumReleaseAgeExclude.

This would respect minimumReleaseAge, but makes the update DX less confusing. Not sure if there is way to identify security releases in Pi differently though.

Wdyt?

[mitsuhiko]

I agree that the current behavior is not good. In part one thing we need to be careful here is that there are 4 ways to install pi today: npm, pnpm, bun and release installs from GitHub. The update check assumes they all roll out simultaneously. The first three all support some form of minimum release age, none of which should apply to a pi installation in case we shrinkwrap correctly.

So I think what we should probably do is the following:

• extensions honor minimum age
• npm/pnpm/bun opt out of min age checks after we validate that shrinkwraps are properly enforced

(And then we also make updates work with github releases which are currently broken and fall back to bun)

[ashwch]

@mitsuhiko Good point, didn't think of the extensions update part.

Happy to take this one up if that's okay and share some possible solutions.

[mitsuhiko]

Implemented the self-update side only.

pi update still lets the package manager resolve latest, but self-update commands now opt out of minimum release age gates for that explicit invocation:

• npm: --min-release-age=0
• pnpm: --config.minimumReleaseAge=0
• Bun: --minimum-release-age=0

Extension installs and updates are unchanged and continue to use the configured package manager behavior.

This comment is AI-generated by /wr