fix(cli): prevent automatic updates from switching to less stable channels

[Adib234]

Summary

This PR fixes issue #24810, where users on the stable release channel were being automatically updated to nightly builds. This occurred because the latest tag on npm occasionally pointed to a semver-greater nightly version, and the CLI lacked a stability-aware filter for updates.

Details

• Refactored Release Channel Detection: Extracted channel analysis into a pure getChannelFromVersion function in packages/core/src/utils/channel.ts.
• Introduced Stability Ranking: Defined a stability order (STABLE > PREVIEW > NIGHTLY) to allow programmatic comparison of update safety.
• Enforced Stability Rule in checkForUpdates: The CLI now verifies that the target update version is at least as stable as the current version before offering it.
• Defense-in-Depth: Added a final stability check in handleAutoUpdate.ts before spawning the global install command to prevent accidental cross-channel updates at the execution phase.

Related Issues

Fixes #24810

How to Validate

1. Run the new and updated unit tests:

   npx vitest run packages/cli/src/ui/utils/updateCheck.test.ts packages/cli/src/utils/handleAutoUpdate.test.ts packages/core/src/utils/channel.test.ts

2. Manual verification:
   • Mock a stable environment (e.g. version: "0.35.0" in package.json).
   • Mock the npm registry to return a nightly version (e.g. "0.36.0-nightly.1") as the latest version.
   • Observe that no update notification is triggered.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt

[github-actions]

Size Change: +1.19 kB (0%)

Total Size: 33.9 MB

Filename	Size	Change
./bundle/chunk-274UFYH7.js	0 B	-673 kB (removed)	🏆
./bundle/chunk-6Z435VSG.js	0 B	-2.73 MB (removed)	🏆
./bundle/chunk-GQZOL7OK.js	0 B	-14.7 MB (removed)	🏆
./bundle/chunk-JPASJD7R.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-JWPOQF5O.js	0 B	-3.43 kB (removed)	🏆
./bundle/chunk-VYVKDWEN.js	0 B	-3.8 kB (removed)	🏆
./bundle/core-C4Y4HI5N.js	0 B	-48.1 kB (removed)	🏆
./bundle/devtoolsService-TB7LQGRQ.js	0 B	-27.8 kB (removed)	🏆
./bundle/gemini-BGSZAD7H.js	0 B	-575 kB (removed)	🏆
./bundle/interactiveCli-7ABZVIHI.js	0 B	-1.31 MB (removed)	🏆
./bundle/liteRtServerManager-H2PWSTUE.js	0 B	-2.08 kB (removed)	🏆
./bundle/oauth2-provider-YN7ZRSBO.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-5Q6ZW2NN.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/chunk-LZ4WUYJH.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-MJWJTRYG.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/chunk-V4CEAHI2.js	2.73 MB	+2.73 MB (new file)	🆕
./bundle/chunk-WVXV33PQ.js	14.7 MB	+14.7 MB (new file)	🆕
./bundle/chunk-YS5RDDTG.js	673 kB	+673 kB (new file)	🆕
./bundle/core-QG4PXDAD.js	48.2 kB	+48.2 kB (new file)	🆕
./bundle/devtoolsService-WJO6CLSY.js	27.8 kB	+27.8 kB (new file)	🆕
./bundle/gemini-OUPELBJW.js	575 kB	+575 kB (new file)	🆕
./bundle/interactiveCli-LLIFJWRP.js	1.31 MB	+1.31 MB (new file)	🆕
./bundle/liteRtServerManager-P4GMXARB.js	2.08 kB	+2.08 kB (new file)	🆕
./bundle/oauth2-provider-YGNMPUBB.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/chunk-XRLFHCHC.js	1.97 MB	0 B
./bundle/cleanup-XWH3EMBX.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	4.97 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-FN3IAPBT.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-TFPMOZAG.js	0 B	-622 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-JFBHDKXB.js	932 B	+932 B (new file)	🆕
./bundle/start-2ZOUYWZD.js	622 B	+622 B (new file)	🆕

_{compressed-size-action}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where the CLI's automatic update mechanism could inadvertently upgrade users on stable release channels to less stable nightly or preview builds. The changes introduce a robust stability-aware update process, ensuring that users only receive updates that are as stable as, or more stable than, their current installed version, thereby preventing unintended channel switching and maintaining expected release stability.

Highlights

• Refactored Release Channel Detection: Extracted channel analysis into a pure getChannelFromVersion function in packages/core/src/utils/channel.ts.
• Introduced Stability Ranking: Defined a stability order (STABLE > PREVIEW > NIGHTLY) to allow programmatic comparison of update safety.
• Enforced Stability Rule in checkForUpdates: The CLI now verifies that the target update version is at least as stable as the current version before offering it.
• Defense-in-Depth: Added a final stability check in handleAutoUpdate.ts before spawning the global install command to prevent accidental cross-channel updates at the execution phase.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request implements a stability-aware update system for the Gemini CLI, preventing users on stable channels from receiving nightly or preview updates. It introduces channel stability rankings and helper functions to determine the release channel from version strings. A critical implementation error was identified where the current version is not included in the update metadata, which would cause the stability check to default to the lowest level and potentially allow stable users to update to nightly versions.