Skip to content

Node.js CLI best-practices audit: vendor skill + non-breaking fixes#556

Open
Paveltarno wants to merge 9 commits into
mainfrom
claude/nodejs-cli-audit-9n251m
Open

Node.js CLI best-practices audit: vendor skill + non-breaking fixes#556
Paveltarno wants to merge 9 commits into
mainfrom
claude/nodejs-cli-audit-9n251m

Conversation

@Paveltarno

@Paveltarno Paveltarno commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Note

Description

This PR hardens the CLI's error-handling, telemetry, and startup behavior. It adds a pre-filled GitHub bug-report link plus the CLI version and error code to unexpected error output, redacts secret values from telemetry, shows a one-time telemetry notice with opt-out instructions, and fixes several robustness issues around unsupported Node.js versions, signal handling, shell usage, and stale asset cleanup.

Related Issue

None

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Other (please describe):

Changes Made

  • Bug report link: On unexpected (non-user) errors, the CLI now prints a GitHub new-issue URL pre-filled with the error message, code, CLI version, command, and environment details (`bug-report.ts`), in both themed and plain-text error output.
  • Version & error code in errors: Error output now includes `base44 v` and the error `Code:` (`theme.ts`, `render.ts`).
  • Telemetry redaction: `KEY=VALUE` positional args (e.g. `secrets set`) have their values redacted, and request/response bodies for `/secrets` endpoints are dropped before being attached to error reports (`redact.ts`, `commander-hooks.ts`, `error-reporter.ts`).
  • First-run telemetry notice: A one-time notice explains what error telemetry is collected and how to opt out via `BASE44_DISABLE_TELEMETRY=1`, recorded with a marker file (`first-run-notice.ts`, `config.ts`).
  • Unsupported Node.js handling: `bin/run.js` now avoids syntax newer than Node 12, checks `engines.node` before loading the bundle, and fails with a clear upgrade message instead of a `SyntaxError`.
  • Signal handling: The dev server now also handles `SIGHUP` so closing the terminal tears down child processes cleanly.
  • Shell usage: Dropped `shell: true` from fixed-argument `execa` calls (`npm view`, `npx skills`) to remove injection surface.
  • Stale asset cleanup: Old `~/.base44/assets/` directories are pruned on first run of a new version.
  • Docs & changelog: Added telemetry docs, README notes, backfilled the changelog, and vendored the `nodejs-cli-best-practices` agent skill.

Testing

  • I have tested these changes locally
  • I have added/updated tests as needed
  • All tests pass (`npm test`)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (if applicable)
  • My changes generate no new warnings
  • I have updated `docs/` (AGENTS.md) if I made architectural changes

Additional Notes

New unit tests cover telemetry redaction (`tests/core/telemetry-redact.spec.ts`), and `exec` command assertions were updated for the new error output. All telemetry/UX helpers are best-effort and never throw, so they cannot break the CLI.


🤖 Generated by Claude | 2026-07-02 20:27 UTC | 40ca32e

claude added 9 commits July 2, 2026 19:55
Vendors the Node.js CLI best-practices skill from
lirantal/nodejs-cli-apps-best-practices (CC BY-SA 4.0, see
ATTRIBUTION.md) into .claude/skills so audits and PR reviews can
check changes against the 37 documented practices.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
Error events previously included raw positional args and API request/
response bodies, so a failing `base44 secrets set KEY=VALUE` sent the
plaintext secret to PostHog twice. Mask KEY=VALUE arg values and drop
bodies for /secrets endpoints before capture.

Addresses §8.1 (strict opt-in analytics) of the Node.js CLI best
practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
Telemetry was opt-out but undocumented outside contributor docs. Print
a one-time notice (marker at ~/.base44/telemetry-notice) explaining
what is collected and how to opt out, and add a Telemetry section to
the README.

Addresses §8.1 (strict opt-in analytics) of the Node.js CLI best
practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
Error codes existed on every CLIError but were only sent to telemetry,
and the version was not shown anywhere in failures — both are needed
for usable bug reports. Add them to the themed error footer and to
plain (non-interactive) error output.

Addresses §6.1 (trackable errors) and §9.4 (version in errors) of the
Node.js CLI best practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
When a failure is not a user error (bad input, missing auth), print a
GitHub new-issue link pre-populated with the error message, CLI
version, command, session ID, and OS/Node details so filing a bug
requires no manual info gathering.

Addresses §6.5 (effortless bug reports) of the Node.js CLI best
practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
The npm entry point statically imported the ESM bundle, so running on
an old Node version surfaced as a SyntaxError instead of an actionable
message. Check process.versions.node against the engines field before
dynamically importing the bundle.

Addresses §4.3 (Node.js versions compatibility) of the Node.js CLI
best practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
- Handle SIGHUP in the dev server alongside SIGINT/SIGTERM so closing
  the terminal tears down child processes cleanly (§1.8)
- Drop shell: true from fixed-argument execa calls (npm view, npx
  skills); execa resolves .cmd shims via cross-spawn, and avoiding the
  shell removes injection surface (§10.1)
- Prune old ~/.base44/assets/<version> directories on first run of a
  new version so the cache doesn't grow with every release (§2.3)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
Error output now ends with a version/code footer and, for system
errors, a pre-filled bug report link; the exact-match stderr
assertions in exec.spec.ts needed to account for both.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
The changelog stopped at v0.0.51 while eight newer versions were
tagged and published. Add the missing entries from the tagged commit
history.

Addresses §9.7 (update version documents) of the Node.js CLI best
practices audit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VKEi1vRWoN1wX8QXErt2UC
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🚀 Package Preview Available!


Install this PR's preview build with npm:

npm i @base44-preview/cli@0.1.1-pr.556.40ca32e

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.1.1-pr.556.40ca32e"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.1.1-pr.556.40ca32e"
  }
}

Preview published to npm registry — try new features instantly!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants