Commit Graph

23 Commits

  • Update vulnerable Hono and fast-uri dependencies (#29650)
    ## Summary
    
    - Pin `hono` to 4.12.25, the first patched release for the recent Hono
    security advisories.
    - Pin `fast-uri` to 3.1.1 to fix the percent-encoded path traversal
    vulnerability.
    - Refresh `pnpm-lock.yaml` with only those dependency updates.
    
    `hono` 4.12.25 is used instead of the newer 4.12.27 because the
    repository requires dependencies to be at least seven days old.
  • [codex] Update esbuild to 0.28.1 (#29489)
    ## Why
    
    The TypeScript workspace resolved `esbuild` 0.25.10 transitively through
    the SDK toolchain. `esbuild` 0.28.1 adds integrity verification to the
    Deno binary download path addressed by
    [GHSA-gv7w-rqvm-qjhr](https://github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr),
    preventing an attacker-controlled npm registry from supplying an
    executable without a content check.
    
    ## What changed
    
    - Add a root workspace resolution for `esbuild` 0.28.1.
    - Regenerate `pnpm-lock.yaml` so `tsup`, `bundle-require`, and `ts-jest`
    all resolve the patched version.
    
    ## Validation
    
    - Frozen pnpm install, including the SDK's `tsup` build
    - `pnpm --filter @openai/codex-sdk exec jest tests/exec.test.ts
    --runInBand`
    - Confirmed the installed dependency graph contains only `esbuild`
    0.28.1
  • Harden package-manager install policy (#19163)
    ## Summary
    
    This PR hardens package-manager usage across the repo to reduce
    dependency supply-chain risk. It also removes the stale `codex-cli`
    Docker path, which was already broken on `main`, instead of keeping a
    bitrotted container workflow alive.
    
    ## What changed
    
    - Updated pnpm package manager pins and workspace install settings.
    - Removed stale `codex-cli` Docker assets instead of trying to keep a
    broken local container path alive.
    - Added uv settings and lockfiles for the Python SDK packages.
    - Updated Python SDK setup docs to use `uv sync`.
    
    ## Why
    
    This is primarily a security hardening change. It reduces
    package-install and supply-chain risk by ensuring dependency installs go
    through pinned package managers, committed lockfiles, release-age
    settings, and reviewed build-script controls.
    
    For `codex-cli`, the right follow-up was to remove the local Docker path
    rather than keep patching it:
    
    - `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`,
    which bypassed the repo lockfile and age-gated pnpm settings.
    - The local `codex-cli/scripts/build_container.sh` helper was already
    broken on `main`: it called `pnpm run build`, but
    `codex-cli/package.json` does not define a `build` script.
    - The container path itself had bitrotted enough that keeping it would
    require extra packaging-specific behavior that was not otherwise needed
    by the repo.
    
    ## Gaps addressed
    
    - Global npm installs bypassed the repo lockfile in Docker and CLI
    reinstall paths, including `codex-cli/Dockerfile` and
    `codex-cli/bin/codex.js`.
    - CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was
    missing stricter pnpm workspace settings for dependency build scripts.
    - Python SDK projects had `pyproject.toml` metadata but no committed
    `uv.lock` coverage or uv age/index settings in `sdk/python` and
    `sdk/python-runtime`.
    - The secure devcontainer install path used npm/global install behavior
    without a local locked package-manager boundary.
    - The local `codex-cli` Docker helper was already broken on `main`, so
    this PR removes that stale Docker path instead of preserving a broken
    surface.
    - pnpm was already pinned, but not to the current repo-wide pnpm version
    target.
    
    ## Verification
    
    - `pnpm install --frozen-lockfile`
    - `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile`
    - `.devcontainer/codex-install`: `./node_modules/.bin/codex --version`
    - `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras
    --dry-run`, `uv build`
    - `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`,
    `uv build --wheel`
    - `pnpm -r --filter ./sdk/typescript run build`
    - `pnpm -r --filter ./sdk/typescript run lint`
    - `pnpm -r --filter ./sdk/typescript run test`
    - `node --check codex-cli/bin/codex.js`
    - `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test
    .`
    - `cargo build -p codex-cli`
    - repo-wide package-manager audit
  • [codex] Fix high severity dependency alerts (#18167)
    ## Summary
    - Pin vulnerable npm dependencies through the existing root
    `resolutions` mechanism so the lockfile moves only to patched versions.
    - Refresh `pnpm-lock.yaml` for `@modelcontextprotocol/sdk`,
    `handlebars`, `path-to-regexp`, `picomatch`, `minimatch`, `flatted`,
    `rollup`, and `glob`.
    - Bump `quinn-proto` from `0.11.13` to `0.11.14` and refresh
    `MODULE.bazel.lock`.
    
    ## Testing
    - `corepack pnpm --store-dir .pnpm-store install --frozen-lockfile
    --ignore-scripts`
    - `corepack pnpm audit --audit-level high` (passes; remaining advisories
    are low/moderate)
    - `corepack pnpm -r --filter ./sdk/typescript run build`
    - `corepack pnpm exec eslint 'src/**/*.ts' 'tests/**/*.ts'`
    - `cargo check --locked`
    - `cargo build -p codex-cli`
    - `bazel --output_user_root=/tmp/bazel-codex-dependabot
    --ignore_all_rc_files mod deps --lockfile_mode=error`
    - `just fmt`
    
    Note: `corepack pnpm -r --filter ./sdk/typescript run test` was also
    attempted after building `codex`; it is blocked on this workstation by
    host-managed Codex MDM/auth state (`approval_policy` restrictions and
    ChatGPT/API-key mismatch), not by this dependency change.
  • start of hooks engine (#13276)
    (Experimental)
    
    This PR adds a first MVP for hooks, with SessionStart and Stop.
    
    The core design is:
    
    - hooks live in a dedicated engine under codex-rs/hooks
    - each hook type has its own event-specific file
    - hook execution is synchronous and blocks normal turn progression while
    running
    - matching hooks run in parallel, then their results are aggregated into
    a normalized HookRunSummary
    
    On the AppServer side, hooks are exposed as operational metadata rather
    than transcript-native items:
    
    - new live notifications: hook/started, hook/completed
    - persisted/replayed hook results live on Turn.hookRuns
    - we intentionally did not add hook-specific ThreadItem variants
    
    Hook messages are not persisted; they remain ephemeral. The context
    changes they add are (they get appended to the user's prompt).
  • Update pnpm versions to fix CVE-2026-24842 (#12009)
    Update pnpm versions to resolve CVE-2026-24842
  • update the ci pnpm workflow for shell-tool-mcp to use corepack for pnpm versioning (#10115)
    This updates the CI workflows for shell-tool-mcp to use the pnpm version
    from package.json and print it in the build for verification.
    
    I have read the CLA Document and I hereby sign the CLA
  • update pnpm to 10.28.2 to address security issues (#9992)
    Updates pnpm to 10.28.2 to address security issues in prior versions of
    pnpm that can allow deps to execute lifecycle scripts against policy.
    
    I have read the CLA Document and I hereby sign the CLA
  • chore: subject docs/*.md to Prettier checks (#4645)
    Apparently we were not running our `pnpm run prettier` check in CI, so
    many files that were covered by the existing Prettier check were not
    well-formatted.
    
    This updates CI and formats the files.
  • [codex-cli] Add ripgrep as a dependency for node environment (#2237)
    ## Summary
    Ripgrep is our preferred tool for file search. When users install via
    `brew install codex`, it's automatically installed as a dependency. We
    want to ensure that users running via an npm install also have this
    tool! Microsoft has already solved this problem for VS Code - let's not
    reinvent the wheel.
    
    This approach of appending to the PATH directly might be a bit
    heavy-handed, but feels reasonably robust to a variety of environment
    concerns. Open to thoughts on better approaches here!
    
    ## Testing
    - [x] confirmed this import approach works with `node -e "const { rgPath
    } = require('@vscode/ripgrep'); require('child_process').spawn(rgPath,
    ['--version'], { stdio: 'inherit' })"`
    - [x] Ran codex.js locally with `rg` uninstalled, asked it to run `which
    rg`. Output below:
    
    ```
     Ran command which rg; echo $?
      ⎿ /Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg
        0
    
    codex
    Re-running to confirm the path and exit code.
    
    - Path: `/Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg`
    - Exit code: `0`
    ```
  • chore: remove the TypeScript code from the repository (#2048)
    This deletes the bulk of the `codex-cli` folder and eliminates the logic
    that builds the TypeScript code and bundles it into the release.
    
    Since this PR modifies `.github/workflows/rust-release.yml`, to test
    changes to the release process, I locally commented out all of the "is
    this commit on upstream `main`" checks in
    `scripts/create_github_release.sh` and ran:
    
    ```
    ./codex-rs/scripts/create_github_release.sh 0.20.0-alpha.4
    ```
    
    Which kicked off:
    
    https://github.com/openai/codex/actions/runs/16842085113
    
    And the release artifacts appear legit!
    
    https://github.com/openai/codex/releases/tag/rust-v0.20.0-alpha.4
  • fix: patch in #366 and #367 for marked-terminal (#916)
    This PR uses [`pnpm
    patch`](https://www.petermekhaeil.com/til/pnpm-patch/) to pull in the
    following proposed fixes for `marked-terminal`:
    
    * https://github.com/mikaelbr/marked-terminal/pull/366
    * https://github.com/mikaelbr/marked-terminal/pull/367
    
    This adds a substantial test to `codex-cli/tests/markdown.test.tsx` to
    verify the new behavior.
    
    Note that one of the tests shows two citations being split across a line
    even though the rendered version would fit comfortably on one line.
    Changing this likely requires a subtle fix to `marked-terminal` to
    account for "rendered length" when determining line breaks.
  • chore: upgrade prettier to v3 (#644)
    ## Description
    
    This PR addresses the following improvements:
    
    **Unify Prettier Version**: Currently, the Prettier versions used in
    `/package.json` and `/codex-cli/package.json` are different. In this PR,
    we're updating both to use Prettier v3.
    
    - Prettier v3 introduces improved support for JavaScript and TypeScript.
    (e.g. the formatting scenario shown in the image below. This is more
    aligned with the TypeScript indentation standard).
    
    <img width="1126" alt="image"
    src="https://github.com/user-attachments/assets/6e237eb8-4553-4574-b336-ed9561c55370"
    />
    
    **Add Prettier Auto-Formatting in lint-staged**: We've added a step to
    automatically run prettier --write on JavaScript and TypeScript files as
    part of the lint-staged process, before the ESLint checks.
    
    - This will help ensure that all committed code is properly formatted
    according to the project's Prettier configuration.
  • fix: lint-staged error (#617)
    ## Description
    
    In a recent commit, the command `"cd codex-cli && pnpm run typecheck"`
    was updated to `"pnpm --filter @openai/codex run typecheck"`.
    
    However, this change introduces an issue: when running
    `pnpm --filter @openai/codex run typecheck`, it executes
    `tsc --noEmit somefile.ts` directly, bypassing the `tsconfig.json`
    configuration. As a result, numerous type errors are triggered,
    preventing successful commits.
    
    Close: #619
  • chore: update lint-staged config to use pnpm --filter (#582)
    Replaced directory-specific commands with workspace-aware pnpm commands
  • chore: improve storage/ implementation; use log(...) consistently (#473)
    This PR tidies up primitives under storage/.
    
    **Noop changes:**
    
    * Promote logger implementation to top-level utility outside of agent/
    * Use logger within storage primitives
    * Clean up doc strings and comments
    
    **Functional changes:**
    
    * Increase command history size to 10_000
    * Remove unnecessary debounce implementation and ensure a session ID is
    created only once per agent loop
    
    ---------
    
    Signed-off-by: Thibault Sottiaux <tibo@openai.com>
  • feat: /diff command to view git diff (#426)
    Adds `/diff` command to view git diff
  • fix: configure husky and lint-staged for pnpm monorepo (#384)
    # Improve Developer Experience with Husky and lint-staged for pnpm
    Monorepo
    
    ## Summary
    This PR enhances the developer experience by configuring Husky and
    lint-staged to work properly with our pnpm monorepo structure. It
    centralizes Git hooks at the root level and ensures consistent code
    quality across the project.
    
    ## Changes
    - Centralized Husky and lint-staged configuration at the monorepo root
    - Added pre-commit hook that runs lint-staged to enforce code quality
    - Configured lint-staged to:
      - Format JSON, MD, and YAML files with Prettier
      - Lint and typecheck TypeScript files before commits
    - Fixed release script in codex-cli package.json (changed "pmpm" to "npm
    publish")
    - Removed duplicate Husky and lint-staged configurations from codex-cli
    package.json
    
    ## Benefits
    - **Consistent Code Quality**: Ensures all committed code meets project
    standards
    - **Automated Formatting**: Automatically formats code during commits
    - **Early Error Detection**: Catches type errors and lint issues before
    they're committed
    - **Centralized Configuration**: Easier to maintain and update in one
    place
    - **Improved Collaboration**: Ensures consistent code style across the
    team
    
    ## Future Improvements
    We could further enhance this setup with:
    - **Commit Message Validation**: Add commitlint to enforce conventional
    commit messages
    
    ---------
    
    Co-authored-by: Thibault Sottiaux <tibo@openai.com>
  • chore: migrate to pnpm for improved monorepo management (#287)
    # Migrate to pnpm for improved monorepo management
    
    ## Summary
    This PR migrates the Codex repository from npm to pnpm, providing faster
    dependency installation, better disk space usage, and improved monorepo
    management.
    
    ## Changes
    - Added `pnpm-workspace.yaml` to define workspace packages
    - Added `.npmrc` with optimal pnpm configuration
    - Updated root package.json with workspace scripts
    - Moved resolutions and overrides to the root package.json
    - Updated scripts to use pnpm instead of npm
    - Added documentation for the migration
    - Updated GitHub Actions workflow for pnpm
    
    ## Benefits
    - **Faster installations**: pnpm is significantly faster than npm
    - **Disk space savings**: pnpm's content-addressable store avoids
    duplication
    - **Strict dependency management**: prevents phantom dependencies
    - **Simplified monorepo management**: better workspace coordination
    - **Preparation for Turborepo**: as discussed, this is the first step
    before adding Turborepo
    
    ## Testing
    - Verified that `pnpm install` works correctly
    - Verified that `pnpm run build` completes successfully
    - Ensured all existing functionality is preserved
    
    ## Documentation
    Added a detailed migration guide in `PNPM_MIGRATION.md` explaining:
    - Why we're migrating to pnpm
    - How to use pnpm with this repository
    - Common commands and workspace-specific commands
    - Monorepo structure and configuration
    
    ## Next Steps
    As discussed, once this change is stable, we can consider adding
    Turborepo as a follow-up enhancement.
  • bump(version): 0.1.2504172351 (#310)
    Release `@openai/codex@0.1.2504172351`
  • add: changelog (#308)
    - Release `@openai/codex@0.1.2504172304`
    - Add changelog
  • update: release (#109)
    Signed-off-by: Fouad Matin <fouad@openai.com>
  • Initial commit
    Signed-off-by: Ilan Bigio <ilan@openai.com>