chore: remove cargo-dist, use native fetch for npm installer#646
Conversation
🦋 Changeset detectedLatest commit: 45e49b1 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request modernizes the release and installation process for the CLI by removing reliance on third-party distribution tools. By implementing a custom, zero-dependency installer and a native GitHub Actions workflow, the project reduces its dependency footprint and gains more control over the distribution pipeline. Highlights
Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
googleworkspace-bot
added
the
cla: yes
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request replaces the cargo-dist release pipeline with a custom GitHub Actions workflow and a zero-dependency npm installer that utilizes native Node.js fetch. Key changes include the addition of scripts for platform-specific binary installation and execution, as well as updates to the version synchronization process. Feedback indicates that the wrapper script's exit status handling needs to account for signal-based termination to avoid false success reports. Additionally, the extraction logic in the installation script should be refactored to use spawnSync with an arguments array instead of execSync with shell strings to improve security and robustness against special characters in file paths.
github-actions
Bot
added
the
gemini: reviewed
github-actions
Bot
removed
the
gemini: reviewed
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request replaces the cargo-dist release pipeline with a custom GitHub Actions workflow and a zero-dependency npm installer using native Node.js fetch. The changes remove several dependencies like axios and rimraf while introducing a cross-platform installation script. Feedback identifies a regression where native fetch does not respect system proxy settings, a potential crash if the response body is null, and path parsing vulnerabilities in the PowerShell extraction logic. It is also recommended to sanitize error strings to prevent escape sequence injection.
github-actions
Bot
added
the
gemini: reviewed
- Add null body guard for fetch response - Fix PowerShell Expand-Archive path quoting vulnerability - Sanitize error output to prevent ANSI escape injection - Add proxy support limitation note - Fix upgrade bug: use .version marker so npm update downloads new binary - Downgrade changeset from minor to patch (chore, not feature) - Update AGENTS.md: remove stale cargo-dist reference from labels
github-actions
Bot
removed
the
gemini: reviewed
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request replaces the cargo-dist release pipeline and npm package with a custom GitHub Actions workflow and a zero-dependency npm installer using native Node.js fetch. The new implementation includes scripts for platform detection, binary downloading, and extraction. Feedback was provided regarding an inconsistency in the extraction logic between Unix and Windows platforms; specifically, the use of --strip-components 1 for tarballs versus the lack of a similar mechanism for ZIP files on Windows could lead to incorrect installation paths. It is recommended to standardize on flat archives to ensure the binary is correctly located across all environments.
github-actions
Bot
added
the
gemini: reviewed
Both tar.gz and zip archives now contain files at root (no nested directory). Removes --strip-components 1 from install.js since it is no longer needed. This makes extraction consistent across platforms.
github-actions
Bot
removed
the
gemini: reviewed
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request replaces the cargo-dist release pipeline with a custom GitHub Actions workflow and a zero-dependency npm installer utilizing native Node.js fetch. The review identifies a security vulnerability in the ANSI escape sequence sanitization, the lack of a timeout for network requests, and a regression in proxy support for enterprise environments.
github-actions
Bot
added
the
gemini: reviewed
3 participants
Summary
Removes
cargo-distentirely and replaces it with:fetch()instead of axiosChanges
dist-workspace.tomlnpm/package.jsonnpm/install.jsnpm/platform.jsnpm/run.js.github/workflows/release.ymlscripts/version-sync.shnpm/package.jsonRemoved npm dependencies
axiosaxios-proxy-builderrimrafdetect-libcconsole.tableTesting
On PRs, the release workflow runs the full build matrix (dry-run) without creating releases or publishing.