Open
Also, fish bit was the only one that didn't print a newline to $CONF_FILE, now they're all the same.
Change $CONF_FILE append strings to check whether $INSTALL_DIR exists before doing any setup. This way whenever a user syncs their shell config across machines, the machines without fnm installed won't throw errors.
Bumps the cargo group with 4 updates in the / directory: [hashbrown](https://github.com/rust-lang/hashbrown), [ring](https://github.com/briansmith/ring), [rustls](https://github.com/rustls/rustls) and [tokio](https://github.com/tokio-rs/tokio). Updates `hashbrown` from 0.15.0 to 0.15.3 - [Release notes](https://github.com/rust-lang/hashbrown/releases) - [Changelog](https://github.com/rust-lang/hashbrown/blob/master/CHANGELOG.md) - [Commits](rust-lang/hashbrown@v0.15.0...v0.15.3) Updates `ring` from 0.17.8 to 0.17.14 - [Changelog](https://github.com/briansmith/ring/blob/main/RELEASES.md) - [Commits](https://github.com/briansmith/ring/commits) Updates `rustls` from 0.23.16 to 0.23.23 - [Release notes](https://github.com/rustls/rustls/releases) - [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md) - [Commits](rustls/rustls@v/0.23.16...v/0.23.23) Updates `tokio` from 1.41.0 to 1.42.1 - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.41.0...tokio-1.42.1) --- updated-dependencies: - dependency-name: hashbrown dependency-version: 0.15.3 dependency-type: indirect dependency-group: cargo - dependency-name: ring dependency-version: 0.17.14 dependency-type: indirect dependency-group: cargo - dependency-name: rustls dependency-version: 0.23.23 dependency-type: indirect dependency-group: cargo - dependency-name: tokio dependency-version: 1.42.1 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <[email protected]>
…dates Bumps the npm_and_yarn group with 2 updates in the / directory: [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) and [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime). Updates `@babel/helpers` from 7.26.0 to 7.27.4 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.27.4/packages/babel-helpers) Updates `@babel/runtime` from 7.26.0 to 7.27.4 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.27.4/packages/babel-runtime) --- updated-dependencies: - dependency-name: "@babel/helpers" dependency-version: 7.27.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/runtime" dependency-version: 7.27.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: AU_gdev_19 <[email protected]>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: AU_gdev_19 <[email protected]>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 Co-authored-by: snyk-bot <[email protected]>
Bumps the npm_and_yarn group with 1 update in the / directory: [brace-expansion](https://github.com/juliangruber/brace-expansion). Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>
Snyk has created this PR to upgrade zod from 3.25.76 to 4.0.0. See this package in npm: zod See this project in Snyk: https://app.snyk.io/org/dargon789/project/d81b0d0c-fd3c-4e68-ba3e-6a804eb0d25e?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <[email protected]>
Snyk has created this PR to upgrade @types/jest from 29.5.14 to 30.0.0. See this package in npm: @types/jest See this project in Snyk: https://app.snyk.io/org/dargon789/project/d81b0d0c-fd3c-4e68-ba3e-6a804eb0d25e?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <[email protected]>
Snyk has created this PR to upgrade prettier from 3.5.1 to 3.5.3. See this package in npm: prettier See this project in Snyk: https://app.snyk.io/org/dargon789/project/ad4c7706-9351-484f-a545-90686691e99c?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-io[bot] <141718529+snyk-io[bot]@users.noreply.github.com>
Snyk has created this PR to upgrade cross-env from 7.0.3 to 10.0.0. See this package in npm: cross-env See this project in Snyk: https://app.snyk.io/org/dargon789/project/ad4c7706-9351-484f-a545-90686691e99c?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-io[bot] <141718529+snyk-io[bot]@users.noreply.github.com>
Snyk has created this PR to upgrade prettier from 3.5.3 to 3.6.2. See this package in npm: prettier See this project in Snyk: https://app.snyk.io/org/dargon789/project/ad4c7706-9351-484f-a545-90686691e99c?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-io[bot] <141718529+snyk-io[bot]@users.noreply.github.com>
Snyk has created this PR to upgrade @types/node from 18.19.123 to 24.1.0. See this package in npm: @types/node See this project in Snyk: https://app.snyk.io/org/dargon789/project/ad4c7706-9351-484f-a545-90686691e99c?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-io[bot] <141718529+snyk-io[bot]@users.noreply.github.com>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TMP-11501554 Co-authored-by: snyk-io[bot] <141718529+snyk-io[bot]@users.noreply.github.com>
* Create label.yml Signed-off-by: AU_gdev_19 <[email protected]> * Potential fix for code scanning alert no. 30: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: AU_gdev_19 <[email protected]> --------- Signed-off-by: AU_gdev_19 <[email protected]> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <[email protected]>
…go group across 1 directory (#42) * chore(deps): bump tracing-subscriber Bumps the cargo group with 1 update in the / directory: [tracing-subscriber](https://github.com/tokio-rs/tracing). Updates `tracing-subscriber` from 0.3.18 to 0.3.20 - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](tokio-rs/tracing@tracing-subscriber-0.3.18...tracing-subscriber-0.3.20) --- updated-dependencies: - dependency-name: tracing-subscriber dependency-version: 0.3.20 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <[email protected]> * Update rust.yml (#43) Signed-off-by: AU_gdev_19 <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: AU_gdev_19 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: AU_gdev_19 <[email protected]>
* fix: upgrade @changesets/cli from 2.29.6 to 2.29.7 Snyk has created this PR to upgrade @changesets/cli from 2.29.6 to 2.29.7. See this package in npm: @changesets/cli See this project in Snyk: https://app.snyk.io/org/dargon789/project/d81b0d0c-fd3c-4e68-ba3e-6a804eb0d25e?utm_source=github&utm_medium=referral&page=upgrade-pr * Update package.json Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <[email protected]> --------- Signed-off-by: Dargon789 <[email protected]> Co-authored-by: snyk-bot <[email protected]> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Hey - I've found 2 issues, and left some high level feedback:
- There are a lot of local/build artifacts and IDE-specific files checked in (e.g. `target-wsl/**`, `*.d`, `.rustc_info.json`, `test-hooks/hooks/*`), which should be removed from the repo and ignored via `.gitignore` to avoid noise and conflicts.
- Several new CI/workflow files appear to be copied from unrelated projects and reference other repositories or domains (e.g. `.github/workflows/npm.yml` with `foundry`/`forge`, `google.yml`, `docker.yml`, multiple CircleCI configs); it would be good to either adapt these to fnm explicitly or drop them to keep the automation surface minimal and relevant.
- The change to `package.json`/`Cargo.toml` metadata (author, repository, changelog repo, CNAME, SECURITY.md links) points to your fork rather than the upstream `Schniz/fnm`; if this is intended for upstream, those fields should stay pointing at the canonical project.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- There are a lot of local/build artifacts and IDE-specific files checked in (e.g. `target-wsl/**`, `*.d`, `.rustc_info.json`, `test-hooks/hooks/*`), which should be removed from the repo and ignored via `.gitignore` to avoid noise and conflicts.
- Several new CI/workflow files appear to be copied from unrelated projects and reference other repositories or domains (e.g. `.github/workflows/npm.yml` with `foundry`/`forge`, `google.yml`, `docker.yml`, multiple CircleCI configs); it would be good to either adapt these to fnm explicitly or drop them to keep the automation surface minimal and relevant.
- The change to `package.json`/`Cargo.toml` metadata (author, repository, changelog repo, CNAME, SECURITY.md links) points to your fork rather than the upstream `Schniz/fnm`; if this is intended for upstream, those fields should stay pointing at the canonical project.
## Individual Comments
### Comment 1
<location path="tests/proxy-server/index.mjs" line_range="25-31" />
<code_context>
* @param {string} opts.filename
*/
const download = async ({ pathname, filename, headersFilename }) => {
+ const allowedPaths = [
+ "/v18.17.0/node-v18.17.0-linux-x64.tar.gz",
+ "/v18.17.0/node-v18.17.0-win-x64.zip",
+ "/v18.17.0/node-v18.17.0-darwin-x64.tar.gz",
+ ];
+
+ if (!allowedPaths.includes(pathname)) {
+ throw new Error(`Invalid pathname: ${pathname}`);
+ }
</code_context>
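Review bot: The allowlist in `download` pins exact strings for v18.17.0 on linux-x64, win-x64 and darwin-x64 only, so a request through the proxy for any other version, architecture or file now throws `Invalid pathname` instead of being served. If that restriction is intended, state it in the JSDoc above the function, and hoist `allowedPaths` to a module-level constant so the array is not rebuilt on every call and tests can import it.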
<issue_to_address>
**suggestion (testing):** No tests cover the new `allowedPaths` validation for proxy downloads
The new `allowedPaths` check isn’t exercised by tests. Please add coverage around `download` (or its callers) to assert that:
- a supported path still succeeds, and
- an unsupported path throws the expected `Invalid pathname` error.
This will document the allowlist behavior and catch regressions if new paths are added without updating it.
Suggested implementation:
```javascript
export const download = async ({ pathname, filename, headersFilename }) => {
```
To complete the test coverage you requested, you’ll also need to:
1. Add a new test file (for example `tests/proxy-server/download.test.mjs` or follow the existing naming convention in this repo).
2. In that test file, import `download` from `tests/proxy-server/index.mjs`.
3. Add a test that:
- Calls `await download({ pathname: "/v18.17.0/node-v18.17.0-linux-x64.tar.gz", filename: "...", headersFilename: "..." })` (using appropriate temp file paths/mocks consistent with existing tests).
- Asserts that it completes without throwing and that any expected side effects (like files written, headers written, or HTTP calls) match the existing behavior.
4. Add a test that:
- Calls `download({ pathname: "/v18.17.0/node-v18.17.0-linux-arm64.tar.gz", filename: "...", headersFilename: "..." })` (or any unsupported path).
- Asserts that it rejects/throws with an `Error` whose message contains `Invalid pathname: /v18.17.0/node-v18.17.0-linux-arm64.tar.gz`.
5. Use the same test framework and assertion style that existing tests in `tests/proxy-server` use (e.g., `node:test`, `tap`, `mocha`, etc.), including any mocking strategy for `fetch` that this repo already employs.
These additional tests will directly exercise the new `allowedPaths` validation and ensure that both allowed and disallowed paths behave as intended.
</issue_to_address>
### Comment 2
<location path=".github/ISSUE_TEMPLATE/bug_report.md" line_range="34-35" />
<code_context>
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, Safari]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
</code_context>
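Review bot: The Smartphone block (Device, OS, Browser, Version) asks for details that do not apply to a command-line tool such as fnm, which is a larger problem than the repeated `Browser` line. Consider dropping the block and asking for the shell, operating system and fnm version instead.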
<issue_to_address>
**issue:** The smartphone section has two nearly identical 'Browser' fields, which is likely a duplicate.
The two `Browser` lines differ only by example capitalization (`Safari` vs `safari`) and appear to be a copy-paste duplicate. Please remove one or rename it if a distinct field was intended.
</issue_to_address>
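The two cases Comment 1 asks for (a supported path succeeds, an unsupported path throws `Invalid pathname`), as an added example that is not code from the PR or from fnm. It pulls the allowlist from the hunk into a synchronous check. The `UPSTREAM` placeholder host, the `fetchImpl` injection point, `SAMPLE_PATHS` and `runChecks` are assumptions made so the block runs offline.

```javascript
// Added example, not the PR's code. The three paths are copied from the hunk;
// UPSTREAM, fetchImpl and SAMPLE_PATHS are constructed for illustration.
const UPSTREAM = "https://upstream.example/dist"; // placeholder host
const ALLOWED_PATHS = new Set([
  "/v18.17.0/node-v18.17.0-linux-x64.tar.gz",
  "/v18.17.0/node-v18.17.0-win-x64.zip",
  "/v18.17.0/node-v18.17.0-darwin-x64.tar.gz",
]);

// Exact-match check with no normalization, so near-miss variants fail closed.
function assertAllowedPath(pathname) {
  if (typeof pathname !== "string" || !ALLOWED_PATHS.has(pathname)) {
    throw new Error(`Invalid pathname: ${pathname}`);
  }
  return pathname;
}

// Validation runs before the upstream request, so a rejected path costs no I/O.
async function download({ pathname, fetchImpl }) {
  assertAllowedPath(pathname);
  const res = await fetchImpl(UPSTREAM + pathname);
  return res.status;
}

// Constructed inputs: one supported path, then variants that must be refused.
const SAMPLE_PATHS = [
  "/v18.17.0/node-v18.17.0-linux-x64.tar.gz",
  "/v18.17.0/node-v18.17.0-linux-arm64.tar.gz",
  "/v18.17.0/../v18.17.0/node-v18.17.0-linux-x64.tar.gz",
  "/v18.17.0/node-v18.17.0-linux-x64.tar.gz?x=1",
];

// Drives download() with a stub fetch and records outcomes plus upstream calls.
async function runChecks() {
  const calls = [];
  const fetchImpl = async (url) => { calls.push(url); return { status: 200 }; };
  const results = [];
  for (const pathname of SAMPLE_PATHS) {
    try {
      results.push({ pathname, outcome: await download({ pathname, fetchImpl }) });
    } catch (err) {
      results.push({ pathname, outcome: err.message });
    }
  }
  return { results, calls };
}

runChecks().then(({ results, calls }) => console.log(results, calls));
```

The stub records every upstream URL, so the check that matters for the allowlist is that only the supported path ever reaches `fetchImpl`.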
Code Review
This pull request introduces a Git-style hooks system to fnm for custom script execution during installation, alongside dependency updates and new CI configurations. Feedback identifies that local build artifacts were accidentally committed and the new test proxy whitelist is too restrictive. Additionally, several dependency versions are invalid or mismatched with the lockfile. Technical improvements are suggested for the hooks implementation, specifically using command.status() for efficiency and refining the Windows executable check to properly handle file extensions and PowerShell scripts.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <[email protected]>
This was linked to issues Apr 5, 2026
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <[email protected]>
Summary by Sourcery
Add a hook system around Node.js installation, expand installation/documentation options, and modernize tooling, CI, and metadata for a forked fnm distribution.
New Features:
Enhancements:
CI:
Documentation:
Tests:
Chores: