SHOPIFY CLI TIGHTENS BUNDLE GUARDS AND FIXES UPGRADE CHAOS ON WINDOWS

By RepoJournal

The CLI now blocks uploads of oversized and out-of-app assets that were silently ballooning bundles to gigabytes, and fixes a critical path normalization bug that was breaking Windows auto-upgrades.

Shopify CLI shipped a critical guardrail today [1] that stops the bundle upload pipeline from accepting asset paths pointing outside your app folder or exceeding reasonable size limits. Until now, a developer could accidentally point to their entire home directory with source = "../../" and watch a 2GB bundle silently upload to GCS without warning. This follows a Slack thread in #app-management where the scope of the problem became clear: there were zero safeguards on what got zipped and shipped.

On the Windows front, the CLI's auto-upgrade detection broke because path comparisons were failing silently [2]. The project root was normalized to forward slashes by the path library, but process.argv[1] arrives as OS-native backslash paths on Windows, so the startsWith check always missed. This meant users were stuck on old versions and couldn't upgrade automatically.
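
Both path problems above, the out-of-app bundle source and the mixed-separator startsWith miss, come down to one containment check. The block below is an added example, not Shopify CLI code; the function names, sample paths and 100 MiB cap are assumptions, and the sibling-prefix case (my-app-backup) goes slightly beyond what the article covers.

```javascript
// Added example, not Shopify CLI source. Names and the size cap are assumptions.
const path = require('node:path');

const MAX_BUNDLE_BYTES = 100 * 1024 * 1024; // assumed cap; the page states no figure

// The comparison the article describes as failing: a raw string prefix test.
function naiveInside(root, candidate) {
  return candidate.startsWith(root);
}

// Separator-aware containment. `impl` is path.posix or path.win32, so both
// platforms can be exercised on any host. Lexical only: symlinks are not followed.
function isInside(root, candidate, impl = path) {
  const base = impl.resolve(root);
  const rel = impl.relative(base, impl.resolve(base, candidate));
  if (rel === '') return true; // the root itself
  return rel !== '..' && !rel.startsWith('..' + impl.sep) && !impl.isAbsolute(rel);
}

// Bundle guard: reject sources that escape the app root, then enforce the cap
// on what remains. `assets` is [{source, bytes}] with sizes supplied by the caller.
function checkBundle(appRoot, assets, impl = path) {
  const errors = [];
  let total = 0;
  for (const {source, bytes} of assets) {
    if (!isInside(appRoot, source, impl)) {
      errors.push(`outside app root: ${source}`);
      continue;
    }
    total += bytes;
  }
  if (total > MAX_BUNDLE_BYTES) errors.push(`bundle too large: ${total} bytes`);
  return {ok: errors.length === 0, total, errors};
}

// Constructed sample values, not taken from the Shopify repository.
const WIN_ROOT = 'C:/Users/dev/my-app'; // forward slashes, as after normalization
const WIN_ARGV1 = 'C:\\Users\\dev\\my-app\\node_modules\\@shopify\\cli\\bin\\run.js';
const POSIX_ROOT = '/home/dev/my-app';
const SAMPLE_ASSETS = [
  {source: 'extensions/theme/assets', bytes: 4 * 1024 * 1024},
  {source: '../../', bytes: 2 * 1024 ** 3}, // the article's home-directory case
  {source: '/home/dev/my-app-backup/dump.sql', bytes: 1024},
];

console.log(naiveInside(WIN_ROOT, WIN_ARGV1), isInside(WIN_ROOT, WIN_ARGV1, path.win32));
console.log(checkBundle(POSIX_ROOT, SAMPLE_ASSETS, path.posix));
```

A production guard would also compare real paths after symlink resolution, since this check is purely lexical.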

The CLI also fixed package manager detection for bun users [3]. When bun installs a global binary as a symlink out of ~/.bun, the path detection fell through to npm and tried to upgrade via npm instead of bun, breaking the flow for an entire installation method. The fix now inspects both the resolved real path and the unresolved symlink to catch bun correctly.

Two changesets landed to clean up the analytics override surface area [4] [5], removing analyticsNameOverride from the app generate extension command as part of broader API cleanup.

References

  [1] Guard CLI bundle upload against oversized and out-of-app paths (Shopify/cli)
  [2] Fix Windows auto-upgrade for local CLI installs (Shopify/cli)
  [3] Use bun for autoupgrade when CLI installed via bun add -g (Shopify/cli)
  [4] Drop changeset (Shopify/cli)
  [5] Merge pull request #7536 from Shopify/fonso/drop-generate-extension-analytics-override (Shopify/cli)

FAQ

What changed in Shopify on May 16, 2026?
The CLI now blocks uploads of oversized and out-of-app assets that were silently ballooning bundles to gigabytes, and fixes a critical path normalization bug that was breaking Windows auto-upgrades.
What should Shopify teams do about it?
  • Upgrade @shopify/cli immediately if you manage extensions or large assets
  • Windows users: re-run CLI auto-upgrade to get the path fix
  • Audit existing extension bundles if you've used relative paths above your app root
Which Shopify repositories shipped on May 16, 2026?
Shopify/cli
