Bump @earendil-works/pi-coding-agent from 0.75.3 to 0.75.4 #29

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bun/earendil-works/pi-coding-agent-0.75.4

dependabot[bot] commented on behalf of github on May 20, 2026

Bumps @earendil-works/pi-coding-agent from 0.75.3 to 0.75.4.

Release notes

Sourced from @​earendil-works/pi-coding-agent's releases.

v0.75.4

New Features

  • Hardened npm install and release path - Pi now ships the CLI with a generated shrinkwrap for transitive dependencies, blocks accidental lockfile changes, verifies dependency pinning and lifecycle-script allowlists in checks, disables lifecycle scripts for self-update and local release installs where supported, and smoke-tests isolated npm and Bun installs before release. See Supply-chain hardening.

Added

  • Added interactive update notes after pi update runs, so users can see the installed version's changelog before continuing (#4724 by @​mitsuhiko).
  • Exported image resize utilities from the package root for SDK consumers (#4775 by @​xl0).

Changed

  • Changed source syntax to avoid TypeScript constructs that require JavaScript emit, keeping core sources compatible with Node.js strip-only TypeScript checks.
  • Removed web UI workspace references from the CLI package and dropped the package-level development watch script.
  • Published npm installs now include an npm-shrinkwrap.json to lock transitive dependencies for the CLI package.
  • Improved terminal theme detection for light/dark and truecolor handling.
  • Changed self-update package-manager commands to disable lifecycle scripts during reinstall.

Fixed

  • Fixed the system prompt to tell models to resolve pi docs and examples under the absolute package paths before reading topic-specific relative references (#4752).
  • Fixed extension ctx.abort() during tool-call preflight to stop later confirmations and restore queued interactive input like Escape (#4276).
  • Fixed AgentSession retry, compaction, and event settlement to use the awaited agent lifecycle instead of a separate event queue, and added willRetry to agent_end session events.
  • Fixed forked session runtime state to keep the active session id aligned with the fork target (#4799 by @​Perlence).
  • Fixed the subagent extension's parallel mode to return useful per-task output and failed-task diagnostics to the parent model instead of 100-character previews (#4710).
  • Fixed Windows local bash execution to hide helper console windows when launched from background SDK processes (#4699).
  • Fixed managed npm extension folders to set cloud-sync ignore metadata where supported (#4763).
  • Fixed HTTP idle timeout configuration so long-running provider streams can avoid premature idle disconnects (#4759 by @​mitsuhiko).
  • Fixed default system prompt boundaries to use explicit XML tags for clearer file separation (#4709 by @​herrnel).
  • Fixed HTML share/export sidebar clicks for shared tool entries to scroll to the rendered tool call (#4664 by @​yzhg1983).
  • Fixed theme palettes to set explicit text colors and avoid terminal-default color drift.
  • Fixed truecolor detection to align terminal image rendering and interactive theme decisions.
  • Fixed loader indicator startup inherited from @earendil-works/pi-tui so initialization cannot run before frames are available.
  • Fixed OpenAI-compatible default output token requests inherited from @earendil-works/pi-ai to avoid reserving impossible context windows on servers such as vLLM (#4675).
  • Fixed OpenAI prompt cache keys inherited from @earendil-works/pi-ai to stay within the 64-character provider limit (#4720).
  • Fixed Windows npm-family package commands for fnm-managed Node.js installs that expose both extensionless Unix scripts and .cmd shims (#4793).
Changelog

Sourced from @​earendil-works/pi-coding-agent's changelog.

[0.75.4] - 2026-05-20

Commits
  • 3533843 Release v0.75.4
  • 144b938 docs: audit unreleased changelog entries
  • cd2ae1b docs(coding-agent): document fnm npm shim fix
  • 8011e20 Merge pull request #4799 from Perlence/fix/fork-session-id
  • 5b7c5d2 docs: recommend scriptless npm installs
  • a3ebcd2 fix(coding-agent): disable scripts during self-update
  • 715c82c chore: shrinkwrap coding agent release deps
  • dce24ac fix(coding-agent): keep fork session id aligned
  • 2e02c74 chore: pin dependencies and use native TypeScript
  • 849f9d9 fix(coding-agent): configure HTTP idle timeout (#4759)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by cubic

Upgrade @earendil-works/pi-coding-agent to 0.75.4 to pick up hardened installs, improved update flow, and multiple reliability fixes. No app code changes.

  • Dependencies
    • Bump @earendil-works/pi-coding-agent 0.75.3 → 0.75.4.
    • Updates transitive deps and adds shrinkwrap; only package.json and bun.lock changed.

Written for commit d1be809. Summary will update on new commits.

Bumps [@earendil-works/pi-coding-agent](https://github.com/earendil-works/pi-mono/tree/HEAD/packages/coding-agent) from 0.75.3 to 0.75.4.
- [Release notes](https://github.com/earendil-works/pi-mono/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/coding-agent/CHANGELOG.md)
- [Commits](https://github.com/earendil-works/pi-mono/commits/v0.75.4/packages/coding-agent)

---
updated-dependencies:
- dependency-name: "@earendil-works/pi-coding-agent"
  dependency-version: 0.75.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on May 20, 2026
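
The release notes above list checks that verify dependency pinning and lifecycle-script allowlists. The following is an added example, not code from pi or from this PR, of one way to run such a check over a `package.json` and an `npm-shrinkwrap.json`. The package names, the allowlist and both sample files are constructed; `hasInstallScript` is the flag npm records on lockfile v2/v3 entries.

```javascript
// Added example, not pi's own check script. All sample data is constructed.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Direct dependencies whose spec is not a single exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@s/b";
// the package name is whatever follows the last "node_modules/".
function lockKeyToName(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Locked packages that declare install-time scripts and are not allowlisted.
function findUnapprovedInstallScripts(lock, allowlist) {
  const allowed = new Set(allowlist);
  return Object.entries(lock.packages ?? {})
    .filter(([key, meta]) => key !== "" && meta.hasInstallScript === true)
    .map(([key, meta]) => ({ name: lockKeyToName(key), version: meta.version }))
    .filter((p) => !allowed.has(p.name));
}

function audit(pkg, lock, allowlist) {
  return { unpinned: findUnpinned(pkg), scripts: findUnapprovedInstallScripts(lock, allowlist) };
}

// Constructed package.json and npm-shrinkwrap.json contents (hypothetical names).
const samplePkg = {
  dependencies: { "left-pad-demo": "1.3.0", "range-demo": "^2.1.0" },
  devDependencies: { "tag-demo": "latest", "native-demo": "4.0.1" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/native-demo": { version: "4.0.1", hasInstallScript: true },
    "node_modules/range-demo/node_modules/@demo/postinstall": { version: "0.2.0", hasInstallScript: true },
  },
};
console.log(JSON.stringify(audit(samplePkg, sampleLock, ["native-demo"]), null, 2));
```

A CI job would fail the build when either list in the report is non-empty, so a new range specifier or a newly introduced install script has to be reviewed before it lands.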
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @earendil-works/pi-tui@0.75.3 ⏵ 0.75.4 | 76 -3 | 100 | 100 | 94 +2 | 100 |
| Updated | @earendil-works/pi-ai@0.75.3 ⏵ 0.75.4 | 77 -3 | 100 | 100 | 94 +2 | 100 |
| Added | typebox@1.1.38 | 100 | 100 | 100 | 95 | 100 |

cubic-dev-ai[bot] left a comment

No issues found across 2 files