codacy · alerizzo · Jun 30, 2026 · Jun 30, 2026 · Jun 30, 2026
diff --git a/.changeset/update-available-notice.md b/.changeset/update-available-notice.md
@@ -0,0 +1,13 @@
+---
+"@codacy/codacy-cloud-cli": minor
+---
+
+Add an npm-style "update available" notice. When a newer version is published, the
+CLI prints a one-time upgrade hint to stderr — it never auto-updates. The notice
+only shows with the default `--output table` in an interactive terminal; it is
+suppressed for `--output json`, when piped, in CI, and under `npx`/npm scripts, so
+machine-readable stdout stays byte-clean. The version lookup runs in a non-blocking
+background process (at most once a day) and never affects timing or exit codes. Opt
+out via `CODACY_DISABLE_UPDATE_CHECK`, `NO_UPDATE_NOTIFIER`, or `--no-update-notifier`.
+A package.json `overrides` entry pins `update-notifier`'s transitive `got`/`package-json`
+to patched, still-CommonJS versions to avoid CVE-2022-33987.
diff --git a/.gemini/styleguide.md b/.gemini/styleguide.md
@@ -0,0 +1,31 @@
+# Codacy Cloud CLI — review style guide
+
+Project-specific conventions for reviewing this repository (a TypeScript +
+Commander.js CLI). Please weigh these before flagging style or correctness
+concerns.
+
+## Testing
+- Tests mutate `process.env` directly: assign the variable in the test and
+  `delete` it in `beforeEach`/`afterEach` for isolation. This is the repo-wide
+  convention (see `src/utils/auth.test.ts` and ~10 other test files). Do **not**
+  suggest `vi.stubEnv` / `vi.unstubAllEnvs` — the codebase deliberately does not
+  use them, and consistency across the suite is preferred.
+- API service calls are mocked with `vi.mock(...)`; tests are co-located as
+  `<module>.test.ts` next to the source.
+
+## Output streams
+- The command's data payload goes to **stdout**; all human-readable diagnostics
+  (spinners via `ora`, the "update available" notice) go to **stderr**.
+  `--output json` must keep stdout byte-clean.
+- The update-available notice uses `update-notifier`, which prints to stderr and
+  self-suppresses for non-TTY / CI / `--output json`. Don't flag it as stdout or
+  JSON-output pollution.
+
+## Dependencies
+- Runtime dependencies, devDependencies, and `overrides` are all pinned to exact
+  versions (no `^`/`~`) for reproducibility and to avoid dependency-confusion
+  risk. Flagging an unpinned range is correct; suggesting a range is not.
+
+## Generated files
+- `package-lock.json` and everything under `src/api/client/**` are generated.
+  Complexity, duplication, and size findings on these are false positives.
diff --git a/SPECS/README.md b/SPECS/README.md
@@ -70,3 +70,4 @@ _No pending tasks._ All commands implemented.
 | 2026-06-02 | Pattern config-file & coding-standard awareness: new `pattern <tool> <id>` **info mode** (same card as `patterns`); `pattern`/`patterns` skip listing and refuse updates when a tool uses a local config file; `pattern` refuses to modify coding-standard-enforced patterns; `issues --overview` noise suggestions now render a manual "update your config file / coding standard" step instead of a command when a pattern can't be disabled via CLI. `printPatternCard`/`PATTERN_JSON_FIELDS` moved to `utils/formatting.ts` (11 new tests, 371 total) |
 | 2026-06-18 | `repo --output json` now includes `repository.fileCount`, plucked from `coverage.numberTotalFiles` on the existing `getRepositoryWithAnalysis` response (present even without coverage data — no extra API call). Unlocks repo-size visibility for downstream consumers like the `configure-codacy-cloud` skill (1 new test, 373 total) |
 | 2026-06-24 | `findings` and `finding` now surface the vulnerable dependency's import chain from the new `dependencyChains` field: Direct (`Update <pkg> to <fixed>`) vs Transitive (`<chain> (Fixed in <fixed>)`), with the middle collapsed to `... N more ...` for 4+ packages. List shows the first chain + `... and X more`; detail shows all chains aligned under a single label. New helpers in `utils/formatting.ts` (`formatDependencyChain`, `formatDependencyChainsLine`, `formatDependencyChainsBlock`); `dependencyChains` added to both JSON projections (17 new tests, 390 total) |
+| 2026-06-30 | npm-style "update available" notice via `update-notifier@5`: one-time stderr hint when a newer version is published, gated to `--output table` (suppressed for `json`, when piped, in CI, under `npx`). Non-blocking daily background check; never auto-updates. New `src/version.ts` (single source of name/version) + `src/utils/update-check.ts` (`maybeNotifyUpdate`); `preAction` hook + `--no-update-notifier` flag wired in `index.ts`. Opt-outs: `CODACY_DISABLE_UPDATE_CHECK`, `NO_UPDATE_NOTIFIER`, `--no-update-notifier`. `package.json` `overrides` pin transitive `got@^11.8.6`/`package-json@^7` (CVE-2022-33987) (7 new tests, 409 total) |