feat: improve npm authentication and plugin health checks during CLI updates #3547

Open
eablack wants to merge 3 commits into v11.0.0 from eb/better-messaging-when-failing-from-private-plugins

eablack commented Feb 27, 2026

Summary

This PR improves the user experience when updating the Heroku CLI by adding better handling for npm authentication and plugin installation issues. Users previously encountered cryptic npm errors when updating while logged out of npm with private plugins installed. This change proactively detects and handles these scenarios with clear messaging and interactive prompts.

Type of Change

Feature Additions (minor semver update)

  • feat: Introduces a new feature to the codebase

Changes

New Hooks Added

1. check-npm-auth (preupdate hook)

  • Detects private plugins before the update begins
  • Checks if user is authenticated with npm
  • Prompts user to login interactively if needed
  • Handles user cancellation gracefully with clear messaging
  • Prevents cryptic npm errors during plugin installation

2. check-plugin-health (update hook)

  • Runs after plugin installation completes
  • Verifies all configured plugins exist in node_modules
  • Warns users about missing plugins with recovery instructions
  • Provides both reinstall and uninstall options

Removed

  • Deprecated v6 plugin migration code from plugin-migrate hook (no longer needed)

Tests

  • Comprehensive unit tests for both new hooks
  • Tests cover: no plugins, public plugins only, private plugins, missing plugins, error handling
  • All tests passing (10 tests total)

Testing

Notes:
The hooks integrate into the existing oclif update lifecycle. The check-npm-auth hook runs before the update starts (preupdate), while check-plugin-health runs after plugin installation (update).

Steps:

  1. Install a private npm plugin: heroku plugins:install @private/some-plugin
  2. Log out of npm: npm logout
  3. Attempt to update CLI: heroku update
  4. Verify the check-npm-auth hook prompts for authentication
  5. Choose to authenticate and verify update proceeds
  6. Alternatively, choose not to authenticate and verify clear error message

To test plugin health check:

  1. Manually corrupt a plugin installation (delete from node_modules)
  2. Run heroku update
  3. Verify warning message with recovery instructions

Unit tests:

npm run test:file test/unit/hooks/check-npm-auth.unit.test.ts test/unit/hooks/check-plugin-health.unit.test.ts

Related Issues

…updates

This change improves the user experience when updating the Heroku CLI by adding better handling for npm authentication and plugin installation issues.

Key changes:
- Add preupdate hook (check-npm-auth) that detects private plugins and prompts users to authenticate with npm before attempting the update
- Add post-update hook (check-plugin-health) that verifies all plugins installed correctly and provides recovery instructions for missing plugins
- Remove deprecated v6 plugin migration code from plugin-migrate hook
- Add comprehensive unit tests for both new hooks

The check-npm-auth hook:
- Reads installed plugins from package.json
- Checks which plugins are private (require authentication)
- Verifies npm authentication status
- Prompts user to login if needed before proceeding with update
- Handles user cancellation gracefully with clear messaging

The check-plugin-health hook:
- Runs after plugin installation during update
- Checks if all configured plugins exist in node_modules
- Warns users about missing plugins with recovery instructions
- Suggests both reinstall and uninstall options

This resolves issues where users would get cryptic npm errors during CLI updates when logged out of npm with private plugins installed.

eablack requested a review from a team as a code owner February 27, 2026 23:33

Refactor check-npm-auth hook to check multiple plugins concurrently
instead of sequentially. This significantly reduces the time to check
plugin privacy when users have many plugins installed.

- Process plugins in batches of 5 using Promise.all
- Maintains the same behavior and debug logging
- Reduces check time from O(n) sequential to O(n/5) batches
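
The check-plugin-health behaviour described in the PR summary (verify that every configured plugin exists in node_modules, then warn with reinstall and uninstall options) can be sketched as follows. This is an added example, not code from this PR or from the Heroku CLI; the data-directory layout, the function names `findMissingPlugins` and `buildSampleDataDir`, the plugin `sample-public-plugin` and the warning wording are assumptions, and the sketch also rejects plugin names that would resolve outside node_modules.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed layout (not taken from the PR): <dataDir>/package.json lists plugins
// under "dependencies", and each one installs to <dataDir>/node_modules/<name>.
function findMissingPlugins(dataDir) {
  const manifest = path.join(dataDir, 'package.json');
  if (!fs.existsSync(manifest)) return {missing: [], invalid: []};
  const deps = JSON.parse(fs.readFileSync(manifest, 'utf8')).dependencies || {};
  const modulesDir = path.resolve(dataDir, 'node_modules');
  const missing = [];
  const invalid = [];
  for (const name of Object.keys(deps)) {
    const target = path.resolve(modulesDir, name);
    // Reject names that would resolve outside node_modules (e.g. "../x").
    if (!target.startsWith(modulesDir + path.sep)) {
      invalid.push(name);
      continue;
    }
    // A directory without its own package.json counts as a broken install.
    if (!fs.existsSync(path.join(target, 'package.json'))) missing.push(name);
  }
  return {missing, invalid};
}

// Constructed sample: one healthy scoped plugin, one deleted, one bad name.
function buildSampleDataDir() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'plugin-health-'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({
    dependencies: {
      '@private/some-plugin': '1.0.0',
      'sample-public-plugin': '2.0.0',
      '../outside': '0.0.1',
    },
  }));
  const ok = path.join(dir, 'node_modules', '@private', 'some-plugin');
  fs.mkdirSync(ok, {recursive: true});
  fs.writeFileSync(path.join(ok, 'package.json'), '{"name":"@private/some-plugin"}');
  return dir;
}

// Warn with both recovery options for each missing plugin (wording is constructed).
for (const name of findMissingPlugins(buildSampleDataDir()).missing) {
  console.warn(`${name} is missing: run "heroku plugins:install ${name}" or "heroku plugins:uninstall ${name}"`);
}
```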