fix(matomo): use runuser instead of sudo for core:update

Update scripts run as root in LXCs; runuser matches other CT scripts
and avoids a sudo dependency.

Co-authored-by: Cursor <cursoragent@cursor.com>

CHANGELOG.md

@@ -496,18 +496,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
     - [arm64] port scripts titled between papra and qbittorrent to support arm64 [@asylumexp](https://github.com/asylumexp) ([#15258](https://github.com/community-scripts/ProxmoxVE/pull/15258))
     - [arm64] Port scripts between mediamtx-nocodb to support arm64 [@asylumexp](https://github.com/asylumexp) ([#15254](https://github.com/community-scripts/ProxmoxVE/pull/15254))
 
-  - #### 🔧 Refactor
-
-    - tools.func: centralize Node.js corepack and npm handling in `setup_nodejs()` [@MickLesk](https://github.com/MickLesk) ([#15268](https://github.com/community-scripts/ProxmoxVE/pull/15268))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - tools.func: APT install and deb822 repo reliability [@MickLesk](https://github.com/MickLesk) ([#15272](https://github.com/community-scripts/ProxmoxVE/pull/15272))
-    - tools.func: prevent MySQL data loss and fix repo version matching [@MickLesk](https://github.com/MickLesk) ([#15271](https://github.com/community-scripts/ProxmoxVE/pull/15271))
-    - tools.func: runtime hardening for API helpers and Docker/MeiliSearch [@MickLesk](https://github.com/MickLesk) ([#15273](https://github.com/community-scripts/ProxmoxVE/pull/15273))
-
 ## 2026-06-20
 
 ### 🆕 New Scripts

ct/bookorbit.sh

@@ -30,8 +30,6 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
-
   if check_for_gh_release "bookorbit" "bookorbit/bookorbit"; then
     msg_info "Stopping Service"
     systemctl stop bookorbit
@@ -44,7 +42,7 @@ function update_script() {
     msg_info "Rebuilding Application"
     cd /opt/bookorbit
     PNPM_VERSION=$(jq -r '.packageManager | ltrimstr("pnpm@")' /opt/bookorbit/package.json)
-
+    $STD corepack enable
     $STD corepack prepare "pnpm@${PNPM_VERSION}" --activate
     $STD pnpm install --frozen-lockfile
     $STD pnpm --filter client run build-only
@@ -61,6 +59,7 @@ function update_script() {
     $STD uv pip install --python /opt/bookorbit-python/bin/python -r /opt/bookorbit/server/requirements/kobo-cloudscraper.txt
     msg_ok "Updated Kobo Python Runtime"
 
+
     msg_info "Starting Service"
     systemctl start bookorbit
     msg_ok "Started Service"

ct/databasus.sh

@@ -30,8 +30,6 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
-
   if check_for_gh_release "databasus" "databasus/databasus"; then
     msg_info "Stopping Databasus"
     $STD systemctl stop databasus
@@ -72,7 +70,7 @@ function update_script() {
     msg_info "Updating Databasus"
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
     cd /opt/databasus/frontend
-
+    $STD corepack enable
     $STD corepack prepare pnpm@latest --activate
     $STD pnpm install --frozen-lockfile
     $STD pnpm run build

ct/feishin.sh

@@ -30,8 +30,6 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
-
   if check_for_gh_release "feishin" "jeffvli/feishin"; then
     create_backup /opt/feishin/.env
 
@@ -40,7 +38,7 @@ function update_script() {
     msg_info "Rebuilding Feishin Web"
     cd /opt/feishin
     #PNPM_VERSION=$(jq -r '.packageManager | ltrimstr("pnpm@")' /opt/feishin/package.json)
-
+    $STD corepack enable
     $STD corepack prepare "pnpm@10" --activate
     $STD pnpm install
     $STD pnpm run build:web

ct/gramps-web.sh

@@ -31,7 +31,7 @@ function update_script() {
   fi
 
   PYTHON_VERSION="3.12" setup_uv
-  NODE_VERSION="22" NODE_MODULE="corepack" setup_nodejs
+  NODE_VERSION="22" setup_nodejs
 
   if check_for_gh_release "gramps-web-api" "gramps-project/gramps-web-api"; then
     msg_info "Stopping Service"
@@ -84,7 +84,7 @@ function update_script() {
     msg_info "Updating Gramps Web Frontend"
     cd /opt/gramps-web/frontend
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+    $STD corepack enable
     $STD npm install
     $STD npm run build
     msg_ok "Updated Gramps Web Frontend"

ct/immich.sh

@@ -168,12 +168,13 @@ EOF
     setup_uv
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "${RELEASE}" "$SRC_DIR"
     PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
-    NODE_VERSION="24" NODE_MODULE="corepack,pnpm@${PNPM_VERSION}" setup_nodejs
+    NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 
     msg_info "Updating Immich web and microservices"
     cd "$SRC_DIR"/server
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
     export CI=1
+    corepack enable
 
     # server build
     export SHARP_IGNORE_GLOBAL_LIBVIPS=true

ct/invoiceshelf.sh

@@ -53,7 +53,7 @@ function update_script() {
     cd /opt/invoiceshelf
     $STD composer install --no-dev --optimize-autoloader
     if command -v corepack >/dev/null 2>&1; then
-
+      $STD corepack enable
       $STD corepack yarn install
       $STD corepack yarn build
     else

ct/karakeep.sh

@@ -89,11 +89,11 @@ EOF
     fi
     sed -i "s/^SERVER_VERSION=.*$/SERVER_VERSION=${CHECK_UPDATE_RELEASE#v}/" /etc/karakeep/karakeep.env
     MODULE_VERSION="$(jq -r '.packageManager | split("@")[1]' /opt/karakeep/package.json)"
-    NODE_VERSION="24" NODE_MODULE="corepack,pnpm@${MODULE_VERSION}" setup_nodejs
+    NODE_VERSION="24" NODE_MODULE="pnpm@${MODULE_VERSION}" setup_nodejs
     setup_meilisearch
 
     msg_info "Updating Karakeep"
-
+    corepack enable
     export PUPPETEER_SKIP_DOWNLOAD="true"
     export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD="true"
     export NEXT_TELEMETRY_DISABLED=1

ct/linkwarden.sh

@@ -28,7 +28,7 @@ function update_script() {
     exit
   fi
   if check_for_gh_release "linkwarden" "linkwarden/linkwarden"; then
-    NODE_VERSION="22" NODE_MODULE="corepack,yarn@latest" setup_nodejs
+    NODE_VERSION="22" NODE_MODULE="yarn@latest" setup_nodejs
     msg_info "Stopping Service"
     systemctl stop linkwarden
     msg_ok "Stopped Service"
@@ -54,7 +54,7 @@ function update_script() {
       fi
     fi
     if command -v corepack >/dev/null 2>&1; then
-
+      $STD corepack enable
       $STD corepack prepare "yarn@${yarn_ver}" --activate || true
     fi
     $STD yarn

ct/manyfold.sh

@@ -29,7 +29,7 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack,yarn" setup_nodejs
+  NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
   ensure_dependencies f3d
   
   if check_for_gh_release "manyfold" "manyfold3d/manyfold"; then
@@ -65,6 +65,8 @@ function update_script() {
     msg_ok "Restored Data"
 
     msg_info "Installing Manyfold"
+    $STD npm install --global corepack
+    $STD corepack enable yarn
 
     sudo -u manyfold bash -c '
             source /opt/manyfold/.env

ct/matomo.sh

@@ -43,6 +43,16 @@ function update_script() {
 
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "matomo" "matomo-org/matomo" "prebuild" "latest" "/opt/matomo" "matomo-*.zip"
 
+    msg_info "Setting up Matomo"
+    if [[ -d /opt/matomo/matomo ]]; then
+      rm -rf /opt/matomo/tmp "/opt/matomo/How to install Matomo.html"
+      find /opt/matomo/matomo -mindepth 1 -maxdepth 1 -exec mv -t /opt/matomo {} +
+      rm -rf /opt/matomo/matomo
+    fi
+    mkdir -p /opt/matomo/tmp
+    chmod -R 755 /opt/matomo/tmp
+    msg_ok "Set up Matomo"
+
     msg_info "Restoring Data"
     if [[ -f /opt/matomo_config.bak ]]; then
       mkdir -p /opt/matomo/config
@@ -58,7 +68,16 @@ function update_script() {
     chown -R www-data:www-data /opt/matomo
     msg_ok "Restored Data"
 
+    if [[ -f /opt/matomo/console ]]; then
+      msg_info "Running Matomo database upgrade"
+      cd /opt/matomo
+      $STD runuser -u www-data -- php console core:update --no-interaction
+      msg_ok "Ran Matomo database upgrade"
+    fi
+
     msg_info "Starting Services"
+    PHP_VER=$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;')
+    systemctl restart "php${PHP_VER}-fpm"
     systemctl start caddy
     msg_ok "Started Services"
     msg_ok "Updated successfully!"

ct/metube.sh

@@ -41,7 +41,7 @@ function update_script() {
     fi
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack,pnpm" setup_nodejs
+  NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
 
   if check_for_gh_release "metube" "alexta69/metube"; then
     msg_info "Stopping Service"
@@ -60,7 +60,7 @@ function update_script() {
     msg_info "Building Frontend"
     cd /opt/metube/ui
     if command -v corepack >/dev/null 2>&1; then
-
+      $STD corepack enable
       $STD corepack prepare pnpm --activate || true
     fi
     echo 'onlyBuiltDependencies=*' >> .npmrc

ct/outline.sh

@@ -29,7 +29,7 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+  NODE_VERSION="24" setup_nodejs
 
   if check_for_gh_release "outline" "outline/outline"; then
     msg_info "Stopping Services"
@@ -48,7 +48,7 @@ function update_script() {
     export NODE_ENV=development
     export NODE_OPTIONS="--max-old-space-size=3584"
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+    $STD corepack enable
     $STD yarn install --immutable
     export NODE_ENV=production
     $STD yarn build

ct/plane.sh

@@ -30,8 +30,6 @@ function update_script() {
     exit 1
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
-
   if check_for_gh_release "plane" "makeplane/plane"; then
     msg_info "Stopping Services"
     systemctl stop plane-api plane-worker plane-beat plane-live plane-space
@@ -51,7 +49,7 @@ function update_script() {
     cd /opt/plane
     export NODE_OPTIONS="--max-old-space-size=4096"
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+    $STD corepack enable pnpm
     $STD pnpm install --frozen-lockfile
     $STD pnpm turbo run build --filter=web --filter=admin --filter=space --filter=live
     msg_ok "Rebuilt Frontend"

ct/reactive-resume.sh

@@ -37,13 +37,13 @@ function update_script() {
     ensure_dependencies git
 
     cp /opt/reactive-resume/.env /opt/reactive-resume.env.bak
-    NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+    NODE_VERSION="24" setup_nodejs
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "reactive-resume" "amruthpillai/reactive-resume" "tarball" "latest" "/opt/reactive-resume"
 
     msg_info "Updating Reactive Resume (Patience)"
     cd /opt/reactive-resume
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+    corepack enable
     corepack prepare --activate
     export CI="true"
     export NODE_ENV="production"

ct/storyteller.sh

@@ -48,7 +48,7 @@ function update_script() {
     msg_info "Rebuilding Storyteller"
     cd /opt/storyteller
     export NODE_OPTIONS="--max-old-space-size=4096"
-
+    $STD corepack enable
     $STD corepack yarn install --network-timeout 600000
     $STD gcc -g -fPIC -rdynamic -shared web/sqlite/uuid.c -o web/sqlite/uuid.c.so
     export CI=1

ct/twenty.sh

@@ -31,8 +31,6 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
-
   if check_for_gh_release "twenty" "twentyhq/twenty"; then
     msg_info "Stopping Services"
     systemctl stop twenty-worker twenty-server
@@ -49,7 +47,7 @@ function update_script() {
     msg_info "Building Application"
     cd /opt/twenty
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+    $STD corepack enable
     $STD corepack prepare yarn@4.9.2 --activate
     export NODE_OPTIONS="--max-old-space-size=3072"
     $STD yarn install --immutable || $STD yarn install

install/bookorbit-install.sh

@@ -22,7 +22,7 @@ msg_ok "Installed Dependencies"
 
 PG_VERSION="16" PG_MODULES="pgvector" setup_postgresql
 PG_DB_NAME="bookorbit" PG_DB_USER="bookorbit" PG_DB_EXTENSIONS="uuid-ossp,pg_trgm,vector" setup_postgresql_db
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 setup_uv
 
 fetch_and_deploy_gh_release "bookorbit" "bookorbit/bookorbit" "tarball"
@@ -30,7 +30,7 @@ fetch_and_deploy_gh_release "bookorbit" "bookorbit/bookorbit" "tarball"
 msg_info "Building Application"
 cd /opt/bookorbit
 PNPM_VERSION=$(jq -r '.packageManager | ltrimstr("pnpm@")' /opt/bookorbit/package.json)
-
+$STD corepack enable
 $STD corepack prepare "pnpm@${PNPM_VERSION}" --activate
 $STD pnpm install --frozen-lockfile
 $STD pnpm --filter client run build-only

install/databasus-install.sh

@@ -23,7 +23,7 @@ msg_ok "Installed Dependencies"
 
 PG_VERSION="17" setup_postgresql
 setup_go
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 
 msg_info "Installing Database Clients"
 # Create PostgreSQL version symlinks for compatibility
@@ -56,7 +56,7 @@ fetch_and_deploy_gh_release "databasus" "databasus/databasus" "tarball" "latest"
 msg_info "Building Databasus (Patience)"
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 cd /opt/databasus/frontend
-
+$STD corepack enable
 $STD corepack prepare pnpm@latest --activate
 $STD pnpm install --frozen-lockfile
 $STD pnpm run build

install/feishin-install.sh

@@ -19,14 +19,14 @@ $STD apt install -y \
   gettext-base
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 
 fetch_and_deploy_gh_release "feishin" "jeffvli/feishin" "tarball"
 
 msg_info "Building Feishin Web"
 cd /opt/feishin
 #PNPM_VERSION=$(jq -r '.packageManager | ltrimstr("pnpm@")' /opt/feishin/package.json)
-
+$STD corepack enable
 $STD corepack prepare "pnpm@10" --activate
 $STD pnpm install
 $STD pnpm run build:web

install/foldergram-install.sh

@@ -23,7 +23,7 @@ fetch_and_deploy_gh_release "foldergram" "foldergram/foldergram" "tarball"
 
 msg_info "Configuring Foldergram"
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable
 cd /opt/foldergram
 $STD pnpm install
 $STD pnpm run build

install/gramps-web-install.sh

@@ -38,7 +38,7 @@ $STD apt install -y \
 msg_ok "Installed Dependencies"
 
 PYTHON_VERSION="3.12" setup_uv
-NODE_VERSION="22" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="22" setup_nodejs
 
 fetch_and_deploy_gh_release "gramps-web-api" "gramps-project/gramps-web-api" "tarball" "latest" "/opt/gramps-web-api"
 fetch_and_deploy_gh_release "gramps-web" "gramps-project/gramps-web" "tarball" "latest" "/opt/gramps-web/frontend"
@@ -92,7 +92,7 @@ msg_ok "Installed Gramps Addons"
 
 cd /opt/gramps-web/frontend
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable
 $STD npm install
 $STD npm run build
 cd /opt/gramps-web-api

install/immich-install.sh

@@ -313,13 +313,14 @@ mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
 fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.5" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
-NODE_VERSION="24" NODE_MODULE="corepack,pnpm@${PNPM_VERSION}" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 
 msg_info "Installing Immich (patience)"
 
 cd "$SRC_DIR"/server
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 export CI=1
+corepack enable
 
 # server build
 export SHARP_IGNORE_GLOBAL_LIBVIPS=true

install/invoiceshelf-install.sh

@@ -19,7 +19,7 @@ msg_ok "Installed Dependencies"
 
 PHP_VERSION="8.4" PHP_FPM="YES" PHP_MODULES="bcmath,gd,intl,xml,zip,pdo_pgsql,mbstring,curl,exif" setup_php
 setup_composer
-NODE_VERSION="24" NODE_MODULE="corepack,pnpm" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="invoiceshelf" PG_DB_USER="invoiceshelf" setup_postgresql_db
 
@@ -40,7 +40,7 @@ sed -i "s|^DB_PASSWORD=.*|DB_PASSWORD=${PG_DB_PASS}|" .env
 COMPOSER_ALLOW_SUPERUSER=1 $STD composer install --no-dev --optimize-autoloader --no-interaction
 $STD php artisan key:generate --force
 if command -v corepack >/dev/null 2>&1; then
-
+  $STD corepack enable
   $STD corepack pnpm install
   $STD corepack pnpm run build
 else

install/linkwarden-install.sh

@@ -19,7 +19,7 @@ $STD apt install -y \
   build-essential
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="22" setup_nodejs
 PG_VERSION="16" setup_postgresql
 RUST_CRATES="monolith" setup_rust
 PG_DB_NAME="linkwardendb" PG_DB_USER="linkwarden" setup_postgresql_db
@@ -44,7 +44,7 @@ if [[ -f package.json ]]; then
   fi
 fi
 if command -v corepack >/dev/null 2>&1; then
-
+  $STD corepack enable
   $STD corepack prepare "yarn@${yarn_ver}" --activate || true
 fi
 $STD yarn

install/manyfold-install.sh

@@ -27,7 +27,7 @@ msg_ok "Installed Dependencies"
 setup_imagemagick
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="manyfold" PG_DB_USER="manyfold" setup_postgresql_db
-NODE_VERSION="24" NODE_MODULE="corepack,yarn" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
 
 fetch_and_deploy_gh_release "manyfold" "manyfold3d/manyfold" "tarball" "latest" "/opt/manyfold/app"
 
@@ -66,7 +66,7 @@ gem install bundler
 bundle install
 gem install sidekiq
 gem install foreman
-
+corepack enable yarn
 rm -f /opt/manyfold/app/config/credentials.yml.enc
 corepack prepare $YARN_VERSION --activate
 corepack use $YARN_VERSION
@@ -81,7 +81,7 @@ msg_ok "Configured Manyfold"
 msg_info "Installing Manyfold"
 chown -R manyfold:manyfold {/home/manyfold,/opt/manyfold}
 chmod +x /opt/manyfold/user_setup.sh
-
+$STD npm install --global corepack
 $STD sudo -u manyfold bash /opt/manyfold/user_setup.sh
 rm -f /opt/manyfold/user_setup.sh
 msg_ok "Installed Manyfold"

install/metube-install.sh

@@ -23,7 +23,7 @@ $STD apt install -y \
 msg_ok "Installed Dependencies"
 
 PYTHON_VERSION="3.13" setup_uv
-NODE_VERSION="24" NODE_MODULE="corepack,pnpm" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
 
 msg_info "Installing Deno"
 export DENO_INSTALL="/usr/local"
@@ -38,7 +38,7 @@ fetch_and_deploy_gh_release "metube" "alexta69/metube" "tarball" "latest"
 msg_info "Installing MeTube"
 cd /opt/metube/ui
 if command -v corepack >/dev/null 2>&1; then
-
+  $STD corepack enable
   $STD corepack prepare pnpm --activate || true
 fi
 echo 'onlyBuiltDependencies=*' >> .npmrc

install/outline-install.sh

@@ -20,7 +20,7 @@ $STD apt install -y \
   redis
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="outline" PG_DB_USER="outline" setup_postgresql_db
 
@@ -39,7 +39,7 @@ sed -i "5s#URL=#URL=http://${LOCAL_IP}#g" /opt/outline/.env
 sed -i 's/FORCE_HTTPS=true/FORCE_HTTPS=false/g' /opt/outline/.env
 export NODE_OPTIONS="--max-old-space-size=3584"
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable
 $STD yarn install --immutable
 export NODE_ENV=production
 sed -i 's/NODE_ENV=development/NODE_ENV=production/g' /opt/outline/.env

install/plane-install.sh

@@ -32,7 +32,7 @@ $STD apt install -y \
   rabbitmq-server
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="plane" PG_DB_USER="plane" setup_postgresql_db
 
@@ -90,7 +90,7 @@ for app in web admin space; do
 done
 export NODE_OPTIONS="--max-old-space-size=4096"
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable pnpm
 $STD pnpm install --frozen-lockfile
 $STD pnpm turbo run build --filter=web --filter=admin --filter=space --filter=live
 msg_ok "Built Frontend Apps"

install/reactive-resume-install.sh

@@ -15,7 +15,7 @@ update_os
 
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="reactive_resume" PG_DB_USER="reactive_resume" setup_postgresql_db
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 
 msg_info "Installing Dependencies"
 $STD apt install -y \
@@ -28,7 +28,7 @@ fetch_and_deploy_gh_release "reactive-resume" "amruthpillai/reactive-resume" "ta
 msg_info "Building Reactive Resume (Patience)"
 cd /opt/reactive-resume
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+corepack enable
 corepack prepare --activate
 export NODE_ENV="production"
 export CI="true"

install/storyteller-install.sh

@@ -24,7 +24,7 @@ $STD apt install -y \
   ffmpeg
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" NODE_MODULE="corepack,yarn" setup_nodejs
+NODE_VERSION="22" NODE_MODULE="yarn" setup_nodejs
 
 fetch_and_deploy_gh_release "readium" "readium/cli" "prebuild" "latest" "/opt/readium" "readium_linux_x86_64.tar.gz"
 ln -sf /opt/readium/readium /usr/local/bin/readium
@@ -32,7 +32,7 @@ fetch_and_deploy_gl_release "storyteller" "storyteller-platform/storyteller" "ta
 
 msg_info "Setting up Storyteller"
 cd /opt/storyteller
-
+$STD corepack enable
 $STD corepack yarn install --network-timeout 600000
 $STD gcc -g -fPIC -rdynamic -shared web/sqlite/uuid.c -o web/sqlite/uuid.c.so
 STORYTELLER_SECRET_KEY=$(openssl rand -base64 32)

install/tracearr-install.sh

@@ -17,13 +17,13 @@ msg_info "Installing Dependencies"
 $STD apt install -y redis-server
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 PG_VERSION="18" setup_postgresql
 
 msg_info "Installing pnpm"
 PNPM_VERSION="$(curl -fsSL "https://raw.githubusercontent.com/connorgallopo/Tracearr/refs/heads/main/package.json" | jq -r '.packageManager | split("@")[1]' | cut -d'+' -f1)"
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable pnpm
 $STD corepack prepare pnpm@${PNPM_VERSION} --activate
 msg_ok "Installed pnpm"
 

install/twenty-install.sh

@@ -21,14 +21,14 @@ msg_ok "Installed Dependencies"
 
 PG_VERSION="17" PG_MODULES="pgvector" setup_postgresql
 PG_DB_NAME="twenty_db" PG_DB_USER="twenty" PG_DB_SCHEMA_PERMS="true" PG_DB_EXTENSIONS="vector" setup_postgresql_db
-NODE_VERSION="24" NODE_MODULE="corepack" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 
 fetch_and_deploy_gh_release "twenty" "twentyhq/twenty" "tarball"
 
 msg_info "Building Application"
 cd /opt/twenty
 export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
+$STD corepack enable
 $STD corepack prepare yarn@4.9.2 --activate
 yarn install --immutable >/dev/null 2>&1 || $STD yarn install
 export NODE_OPTIONS="--max-old-space-size=4096"

install/wger-install.sh

@@ -31,7 +31,7 @@ msg_info "Setting up wger"
 mkdir -p /opt/wger/{static,media}
 chmod o+w /opt/wger/media
 cd /opt/wger
-
+$STD corepack enable
 $STD npm install
 $STD npm run build:css:sass
 $STD uv venv

misc/tools.func

@@ -24,7 +24,6 @@
 #   cleanup_tool_keyrings()          - Remove keyrings from all 3 locations
 #   stop_all_services()              - Stop services by pattern (e.g. "php*-fpm")
 #   verify_tool_version()            - Validate installed version matches expected
-#   version_matches_spec()           - Compare installed semver against spec (8.0 matches 8.0.40)
 #   cleanup_legacy_install()         - Remove nvm, rbenv, rustup, etc.
 #   prepare_repository_setup()       - Cleanup repos + keyrings + validate APT
 #   install_packages_with_retry()    - Install with 3 retries and APT refresh
@@ -283,7 +282,7 @@ get_cached_version() {
     cat "/var/cache/app-versions/${app}_version.txt"
     return 0
   fi
-  return 1
+  return 0
 }
 
 # ------------------------------------------------------------------------------
@@ -345,37 +344,6 @@ verify_tool_version() {
   return 0
 }
 
-# ------------------------------------------------------------------------------
-# Compare installed semver against a version spec at the spec's precision.
-# Returns: 0 if match (e.g. spec 8.0 matches installed 8.0.40), 1 otherwise
-# Usage: version_matches_spec "8.0.40" "8.0"
-# ------------------------------------------------------------------------------
-version_matches_spec() {
-  local installed="$1"
-  local spec="$2"
-  local spec_depth prefix i
-  local -a spec_parts installed_parts
-
-  [[ -n "$installed" && -n "$spec" ]] || return 1
-
-  IFS='.' read -ra spec_parts <<<"$spec"
-  spec_depth=${#spec_parts[@]}
-  ((spec_depth > 0)) || return 1
-
-  if ((spec_depth == 1)); then
-    [[ "${installed%%.*}" == "$spec" ]] && return 0
-    return 1
-  fi
-
-  IFS='.' read -ra installed_parts <<<"$installed"
-  prefix=""
-  for ((i = 0; i < spec_depth && i < ${#installed_parts[@]}; i++)); do
-    [[ -n "$prefix" ]] && prefix+="."
-    prefix+="${installed_parts[i]}"
-  done
-  [[ "$prefix" == "$spec" ]]
-}
-
 # ------------------------------------------------------------------------------
 # Clean up legacy installation methods (nvm, rbenv, rustup, etc.)
 # Usage: cleanup_legacy_install "nodejs" -> removes nvm
@@ -494,10 +462,10 @@ install_packages_with_retry() {
             fi
           fi
         done
+        # If some packages installed, consider partial success
         if [[ ${#failed[@]} -lt ${#packages[@]} ]]; then
           if [[ ${#failed[@]} -gt 0 ]]; then
-            msg_error "Partial install — failed packages: ${failed[*]}"
-            return 100
+            msg_warn "Partially installed. Failed packages: ${failed[*]}"
           fi
           return 0
         fi
@@ -652,15 +620,13 @@ remove_old_tool_version() {
   mysql)
     stop_all_services "mysql"
     $STD apt purge -y 'mysql*' >/dev/null 2>&1 || true
-    # Keep data directory for safety (remove manually if needed)
-    # rm -rf /var/lib/mysql 2>/dev/null || true
+    rm -rf /var/lib/mysql 2>/dev/null || true
     cleanup_tool_keyrings "mysql"
     ;;
   mongodb)
     stop_all_services "mongod"
     $STD apt purge -y 'mongodb*' >/dev/null 2>&1 || true
-    # Keep data directory for safety (remove manually if needed)
-    # rm -rf /var/lib/mongodb 2>/dev/null || true
+    rm -rf /var/lib/mongodb 2>/dev/null || true
     cleanup_tool_keyrings "mongodb"
     ;;
   node | nodejs)
@@ -705,8 +671,7 @@ remove_old_tool_version() {
   clickhouse)
     stop_all_services "clickhouse-server"
     $STD apt purge -y 'clickhouse*' >/dev/null 2>&1 || true
-    # Keep data directory for safety (remove manually if needed)
-    # rm -rf /var/lib/clickhouse 2>/dev/null || true
+    rm -rf /var/lib/clickhouse 2>/dev/null || true
     cleanup_tool_keyrings "clickhouse"
     ;;
   esac
@@ -730,8 +695,8 @@ should_update_tool() {
   # Get currently installed version
   current_version=$(is_tool_installed "$tool_name" 2>/dev/null) || return 0 # Not installed = needs install
 
-  # If versions match at the requested precision, no update needed
-  if version_matches_spec "$current_version" "$target_version"; then
+  # If versions are identical, no update needed
+  if [[ "$current_version" == "$target_version" ]]; then
     return 1 # No update needed
   fi
 
@@ -926,49 +891,6 @@ Suites: $distro_codename
 Components: main
 Architectures: $(dpkg --print-architecture)
 Signed-By: /usr/share/keyrings/deb.sury.org-php.gpg
-EOF
-    return 0
-    ;;
-
-  mysql)
-    if [[ -z "$gpg_key_url" ]]; then
-      msg_error "MySQL repository requires gpg_key_url"
-      return 65
-    fi
-
-    cleanup_old_repo_files "mysql"
-
-    if ! download_gpg_key "$gpg_key_url" "/etc/apt/keyrings/mysql.gpg" "dearmor"; then
-      msg_error "Failed to import MySQL GPG key"
-      return 7
-    fi
-
-    local distro_codename suite component
-    distro_codename=$(get_os_info codename)
-
-    if [[ "$distro_id" == "debian" ]]; then
-      case "$distro_codename" in
-      trixie | forky | sid) suite="bookworm" ;;
-      bookworm | bullseye) suite="$distro_codename" ;;
-      *) suite="bookworm" ;;
-      esac
-    else
-      suite=$(get_fallback_suite "$distro_id" "$distro_codename" "$repo_url")
-    fi
-
-    case "$version" in
-    8.4 | 8.4.*) component="mysql-8.4-lts" ;;
-    8.0 | 8.0.*) component="mysql-8.0" ;;
-    *) component="mysql-${version}" ;;
-    esac
-
-    cat <<EOF >/etc/apt/sources.list.d/mysql.sources
-Types: deb
-URIs: ${repo_url}/
-Suites: ${suite}
-Components: ${component}
-Architectures: $(dpkg --print-architecture)
-Signed-By: /etc/apt/keyrings/mysql.gpg
 EOF
     return 0
     ;;
@@ -1200,34 +1122,11 @@ get_system_arch() {
 
 # ------------------------------------------------------------------------------
 # Create temporary directory with automatic cleanup
-# Appends to a shared list so existing EXIT traps are preserved.
 # ------------------------------------------------------------------------------
-_tools_temp_dirs=()
-
-_tools_cleanup_temp_dirs() {
-  local d
-  for d in "${_tools_temp_dirs[@]}"; do
-    rm -rf "$d" 2>/dev/null || true
-  done
-}
-
-_tools_register_temp_cleanup() {
-  [[ "${_TOOLS_TEMP_TRAP_SET:-}" == "1" ]] && return 0
-  _TOOLS_TEMP_TRAP_SET=1
-  local existing
-  existing=$(trap -p EXIT 2>/dev/null | sed -n "s/^trap -- '\\(.*\\)' EXIT/\1/p" || true)
-  if [[ -n "$existing" && "$existing" != "_tools_cleanup_temp_dirs" ]]; then
-    trap "_tools_cleanup_temp_dirs; ${existing}" EXIT ERR INT TERM
-  else
-    trap _tools_cleanup_temp_dirs EXIT ERR INT TERM
-  fi
-}
-
 create_temp_dir() {
-  local tmp_dir
-  tmp_dir=$(mktemp -d) || return 1
-  _tools_temp_dirs+=("$tmp_dir")
-  _tools_register_temp_cleanup
+  local tmp_dir=$(mktemp -d)
+  # Set trap to cleanup on EXIT, ERR, INT, TERM
+  trap "rm -rf '$tmp_dir'" EXIT ERR INT TERM
   echo "$tmp_dir"
 }
 
@@ -2150,11 +2049,9 @@ setup_deb822_repo() {
     [[ -n "$enabled" ]] && echo "Enabled: $enabled"
   } >/etc/apt/sources.list.d/${name}.sources
 
-  if ! $STD apt update; then
-    msg_error "apt update failed after adding repository: ${name}"
-    msg_error "Hint: Verify suite '${suite}' and URI '${repo_url}' are valid for this distribution."
-    return 100
-  fi
+  $STD apt update || {
+    msg_warn "apt update failed after adding repository: ${name}"
+  }
 }
 
 # ------------------------------------------------------------------------------
@@ -2585,8 +2482,6 @@ check_for_gh_tag() {
 #   - Does not modify anything, only checks version state
 #   - Does not support pre-releases
 # ------------------------------------------------------------------------------
-TOOLS_GH_REL_JSON=""
-
 check_for_gh_release() {
   local app="$1"
   local source="$2"
@@ -2606,10 +2501,6 @@ check_for_gh_release() {
 
   ensure_dependencies jq
 
-  local gh_check_json
-  gh_check_json=$(mktemp /tmp/tools-gh-check-XXXXXX.json) || return 7
-  trap 'rm -f "$gh_check_json"' RETURN
-
   # Build auth header if token is available
   local header_args=()
   [[ -n "${GITHUB_TOKEN:-}" ]] && header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
@@ -2620,14 +2511,14 @@ check_for_gh_release() {
   # For pinned versions, query the specific release tag directly
   if [[ -n "$pinned_version_in" ]]; then
     local pinned_version_encoded="${pinned_version_in//\//%2F}"
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o "$gh_check_json" \
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_check.json \
       -H 'Accept: application/vnd.github+json' \
       -H 'X-GitHub-Api-Version: 2022-11-28' \
       "${header_args[@]}" \
       "https://api.github.com/repos/${source}/releases/tags/${pinned_version_encoded}" 2>/dev/null) || true
 
-    if [[ "$http_code" == "200" ]] && [[ -s "$gh_check_json" ]]; then
-      releases_json="[$(<"$gh_check_json")]"
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gh_check.json ]]; then
+      releases_json="[$(</tmp/gh_check.json)]"
     elif [[ "$http_code" == "401" ]]; then
       msg_error "GitHub API authentication failed (HTTP 401)."
       if [[ -n "${GITHUB_TOKEN:-}" ]]; then
@@ -2635,27 +2526,27 @@ check_for_gh_release() {
       else
         msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
       fi
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     elif [[ "$http_code" == "403" ]]; then
       msg_error "GitHub API rate limit exceeded (HTTP 403)."
       msg_error "To increase the limit, export a GitHub token before running the script:"
       msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     fi
-    rm -f "$gh_check_json"
+    rm -f /tmp/gh_check.json
   fi
 
   if [[ -z "$pinned_version_in" ]]; then
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o "$gh_check_json" \
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_check.json \
       -H 'Accept: application/vnd.github+json' \
       -H 'X-GitHub-Api-Version: 2022-11-28' \
       "${header_args[@]}" \
       "https://api.github.com/repos/${source}/releases/latest" 2>/dev/null) || true
 
-    if [[ "$http_code" == "200" ]] && [[ -s "$gh_check_json" ]]; then
-      releases_json="[$(<"$gh_check_json")]"
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gh_check.json ]]; then
+      releases_json="[$(</tmp/gh_check.json)]"
     elif [[ "$http_code" == "401" ]]; then
       msg_error "GitHub API authentication failed (HTTP 401)."
       if [[ -n "${GITHUB_TOKEN:-}" ]]; then
@@ -2663,28 +2554,28 @@ check_for_gh_release() {
       else
         msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
       fi
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     elif [[ "$http_code" == "403" ]]; then
       msg_error "GitHub API rate limit exceeded (HTTP 403)."
       msg_error "To increase the limit, export a GitHub token before running the script:"
       msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     fi
-    rm -f "$gh_check_json"
+    rm -f /tmp/gh_check.json
   fi
 
   # If no releases yet (pinned version OR /latest failed), fetch up to 100
   if [[ -z "$releases_json" ]]; then
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o "$gh_check_json" \
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_check.json \
       -H 'Accept: application/vnd.github+json' \
       -H 'X-GitHub-Api-Version: 2022-11-28' \
       "${header_args[@]}" \
       "https://api.github.com/repos/${source}/releases?per_page=100" 2>/dev/null) || true
 
-    if [[ "$http_code" == "200" ]] && [[ -s "$gh_check_json" ]]; then
-      releases_json=$(<"$gh_check_json")
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gh_check.json ]]; then
+      releases_json=$(</tmp/gh_check.json)
     elif [[ "$http_code" == "401" ]]; then
       msg_error "GitHub API authentication failed (HTTP 401)."
       if [[ -n "${GITHUB_TOKEN:-}" ]]; then
@@ -2692,25 +2583,25 @@ check_for_gh_release() {
       else
         msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
       fi
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     elif [[ "$http_code" == "403" ]]; then
       msg_error "GitHub API rate limit exceeded (HTTP 403)."
       msg_error "To increase the limit, export a GitHub token before running the script:"
       msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
       msg_error "GitHub API connection failed (no response)."
       msg_error "Check your network/DNS: curl -sSL https://api.github.com/rate_limit"
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 7
     else
       msg_error "Unable to fetch releases for ${app} (HTTP ${http_code})"
-      rm -f "$gh_check_json"
+      rm -f /tmp/gh_check.json
       return 22
     fi
-    rm -f "$gh_check_json"
+    rm -f /tmp/gh_check.json
   fi
 
   mapfile -t raw_tags < <(jq -r '.[] | select(.draft==false and .prerelease==false) | .tag_name' <<<"$releases_json")
@@ -3256,14 +3147,10 @@ fetch_and_deploy_codeberg_release() {
     return 6
   fi
 
-  local codeberg_rel_json
-  codeberg_rel_json=$(mktemp /tmp/tools-codeberg-rel-XXXXXX.json) || return 7
-  trap 'rm -f "$codeberg_rel_json"' RETURN
-
   local attempt=0 success=false resp http_code
 
   while ((attempt < ${#api_timeouts[@]})); do
-    resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o "$codeberg_rel_json" "$api_url") && success=true && break
+    resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
     attempt=$((attempt + 1))
     if ((attempt < ${#api_timeouts[@]})); then
       msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
@@ -3282,7 +3169,7 @@ fetch_and_deploy_codeberg_release() {
   }
 
   local json tag_name
-  json=$(<"$codeberg_rel_json")
+  json=$(</tmp/codeberg_rel.json)
 
   # For "latest", the API returns an array - take the first (most recent) release
   if [[ "$version" == "latest" ]]; then
@@ -3740,13 +3627,6 @@ fetch_and_deploy_gh_release() {
 
   ensure_dependencies jq
 
-  if [[ -n "${TOOLS_GH_REL_JSON:-}" && -f "$TOOLS_GH_REL_JSON" ]]; then
-    rm -f "$TOOLS_GH_REL_JSON"
-  fi
-  local gh_rel_json
-  gh_rel_json=$(mktemp /tmp/tools-gh-rel-XXXXXX.json) || return 7
-  TOOLS_GH_REL_JSON="$gh_rel_json"
-
   local api_url="https://api.github.com/repos/$repo/releases"
   [[ "$version" != "latest" ]] && api_url="$api_url/tags/$version" || api_url="$api_url/latest"
   local header=()
@@ -3763,7 +3643,7 @@ fetch_and_deploy_gh_release() {
   local max_retries=${#api_timeouts[@]} retry_delay=2 attempt=1 success=false http_code
 
   while ((attempt <= max_retries)); do
-    http_code=$(curl --connect-timeout 10 --max-time "${api_timeouts[$((attempt - 1))]:-240}" -sSL -w "%{http_code}" -o "$gh_rel_json" "${header[@]}" "$api_url" 2>/dev/null) || true
+    http_code=$(curl --connect-timeout 10 --max-time "${api_timeouts[$((attempt - 1))]:-240}" -sSL -w "%{http_code}" -o /tmp/gh_rel.json "${header[@]}" "$api_url" 2>/dev/null) || true
     if [[ "$http_code" == "200" ]]; then
       success=true
       break
@@ -3810,7 +3690,7 @@ fetch_and_deploy_gh_release() {
   fi
 
   local json tag_name
-  json=$(<"$gh_rel_json")
+  json=$(</tmp/gh_rel.json)
   tag_name=$(echo "$json" | jq -r '.tag_name // .name // empty')
   # Only strip leading 'v' when followed by a digit (e.g. v1.2.3), not words like "version/..."
   [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
@@ -4415,12 +4295,7 @@ setup_composer() {
 #   - Updates Docker Engine if newer version available
 #   - Interactive container update with multi-select
 #   - Portainer installation and update support
-#   - Set DOCKER_NONINTERACTIVE=1 to skip interactive prompts (CI/unattended)
 # ------------------------------------------------------------------------------
-_docker_is_noninteractive() {
-  [[ "${DOCKER_NONINTERACTIVE:-}" == "1" || "${DOCKER_NONINTERACTIVE:-}" == "true" || "${DOCKER_NONINTERACTIVE:-}" == "TRUE" ]] || [[ ! -t 0 ]]
-}
-
 setup_docker() {
   local docker_installed=false
   local portainer_installed=false
@@ -4560,25 +4435,21 @@ EOF
       PORTAINER_LATEST=$(curl -fsSL https://registry.hub.docker.com/v2/repositories/portainer/portainer-ce/tags?page_size=100 | grep -oP '"name":"\K[0-9]+\.[0-9]+\.[0-9]+"' | head -1 | tr -d '"')
 
       if [ "$PORTAINER_CURRENT" != "$PORTAINER_LATEST" ]; then
-        if _docker_is_noninteractive; then
-          msg_info "Skipping Portainer update prompt (non-interactive)"
-        else
-          read -r -p "${TAB3}Update Portainer $PORTAINER_CURRENT → $PORTAINER_LATEST? <y/N> " prompt
-          if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
-            msg_info "Updating Portainer"
-            docker stop portainer
-            docker rm portainer
-            docker pull portainer/portainer-ce:latest
-            docker run -d \
-              -p 9000:9000 \
-              -p 9443:9443 \
-              --name=portainer \
-              --restart=always \
-              -v /var/run/docker.sock:/var/run/docker.sock \
-              -v portainer_data:/data \
-              portainer/portainer-ce:latest
-            msg_ok "Updated Portainer to $PORTAINER_LATEST"
-          fi
+        read -r -p "${TAB3}Update Portainer $PORTAINER_CURRENT → $PORTAINER_LATEST? <y/N> " prompt
+        if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
+          msg_info "Updating Portainer"
+          docker stop portainer
+          docker rm portainer
+          docker pull portainer/portainer-ce:latest
+          docker run -d \
+            -p 9000:9000 \
+            -p 9443:9443 \
+            --name=portainer \
+            --restart=always \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v portainer_data:/data \
+            portainer/portainer-ce:latest
+          msg_ok "Updated Portainer to $PORTAINER_LATEST"
         fi
       else
         msg_ok "Portainer is up-to-date ($PORTAINER_CURRENT)"
@@ -4601,7 +4472,7 @@ EOF
   fi
 
   # Interactive Container Update Check
-  if [[ "${DOCKER_SKIP_UPDATES:-}" != "true" ]] && [ "$docker_installed" = true ] && ! _docker_is_noninteractive; then
+  if [[ "${DOCKER_SKIP_UPDATES:-}" != "true" ]] && [ "$docker_installed" = true ]; then
     msg_info "Checking for container updates"
 
     # Get list of running containers with update status
@@ -5375,15 +5246,15 @@ setup_hwaccel() {
 # ══════════════════════════════════════════════════════════════════════════════
 # Resolve the IGC tag that the latest compute-runtime was built against.
 # Must be called AFTER a fetch_and_deploy_gh_release for intel/compute-runtime
-# so that TOOLS_GH_REL_JSON contains the compute-runtime release metadata.
+# so that /tmp/gh_rel.json contains the compute-runtime release metadata.
 # Sets the variable named by $1 (default: igc_tag) to the discovered tag.
 # ══════════════════════════════════════════════════════════════════════════════
 _resolve_igc_tag() {
   local -n _out_ref="${1:-igc_tag}"
   _out_ref="latest"
-  if [[ -n "${TOOLS_GH_REL_JSON:-}" && -f "$TOOLS_GH_REL_JSON" ]]; then
+  if [[ -f /tmp/gh_rel.json ]]; then
     local _body _parsed
-    _body=$(jq -r '.body // empty' "$TOOLS_GH_REL_JSON" 2>/dev/null) || return 0
+    _body=$(jq -r '.body // empty' /tmp/gh_rel.json 2>/dev/null) || return 0
     _parsed=$(grep -oP 'intel-graphics-compiler/releases/tag/\K[^\s\)]+' <<<"$_body" | head -1)
     [[ -n "$_parsed" ]] && _out_ref="$_parsed"
   fi
@@ -5417,7 +5288,7 @@ _setup_intel_arc() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub for Arc support"
 
-      # Fetch a compute-runtime package first so TOOLS_GH_REL_JSON is populated,
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
       # then resolve the matching IGC tag from the release notes.
       # libigdgmm - bundled in compute-runtime releases
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
@@ -5481,7 +5352,7 @@ _setup_intel_modern() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub"
 
-      # Fetch a compute-runtime package first so TOOLS_GH_REL_JSON is populated,
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
       # then resolve the matching IGC tag from the release notes.
       # libigdgmm first (bundled in compute-runtime releases)
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
@@ -6535,7 +6406,7 @@ EOF
   fi
 
   # Scenario 1: Already installed at target version - just update packages
-  if [[ -n "$CURRENT_VERSION" ]] && version_matches_spec "$CURRENT_VERSION" "$MARIADB_VERSION"; then
+  if [[ -n "$CURRENT_VERSION" && "$CURRENT_VERSION" == "$MARIADB_VERSION" ]]; then
     msg_info "Update MariaDB $MARIADB_VERSION"
 
     # Ensure APT is working
@@ -6567,7 +6438,7 @@ EOF
   fi
 
   # Scenario 2b: Different version installed - clean upgrade
-  if [[ -n "$CURRENT_VERSION" ]] && ! version_matches_spec "$CURRENT_VERSION" "$MARIADB_VERSION"; then
+  if [[ -n "$CURRENT_VERSION" && "$CURRENT_VERSION" != "$MARIADB_VERSION" ]]; then
     msg_info "Upgrade MariaDB from $CURRENT_VERSION to $MARIADB_VERSION"
     remove_old_tool_version "mariadb"
   fi
@@ -6856,13 +6727,24 @@ setup_meilisearch() {
         fi
       fi
 
+      # If migration is needed but dump failed, we have options:
+      # 1. Abort the update (safest, but annoying)
+      # 2. Backup data directory and proceed (allows manual recovery)
+      # 3. Just proceed and hope for the best (dangerous)
+      # We choose option 2: backup and proceed with warning
       if [[ "$NEEDS_MIGRATION" == "true" ]] && [[ -z "$DUMP_UID" ]]; then
-        msg_error "MeiliSearch migration requires a successful dump before upgrade"
-        msg_error "Ensure the service is running and master_key is configured, or set MEILISEARCH_SKIP_MIGRATION=1 to force (data loss risk)"
-        if [[ "${MEILISEARCH_SKIP_MIGRATION:-}" != "1" ]]; then
-          return 100
+        local MEILI_DB_PATH
+        MEILI_DB_PATH=$(grep -E "^db_path\s*=" /etc/meilisearch.toml 2>/dev/null | sed 's/.*=\s*"\(.*\)"/\1/' | tr -d ' ' || true)
+        MEILI_DB_PATH="${MEILI_DB_PATH:-/var/lib/meilisearch/data}"
+
+        if [[ -d "$MEILI_DB_PATH" ]] && [[ -n "$(ls -A "$MEILI_DB_PATH" 2>/dev/null)" ]]; then
+          local BACKUP_PATH="${MEILI_DB_PATH}.backup.$(date +%Y%m%d%H%M%S)"
+          msg_warn "Backing up MeiliSearch data to ${BACKUP_PATH}"
+          mv "$MEILI_DB_PATH" "$BACKUP_PATH"
+          mkdir -p "$MEILI_DB_PATH"
+          msg_info "Data backed up. After update, you may need to reindex your data."
+          msg_info "Old data is preserved at: ${BACKUP_PATH}"
         fi
-        msg_warn "MEILISEARCH_SKIP_MIGRATION=1 — proceeding without dump (manual reindex may be required)"
       fi
 
       # Stop service and update binary
@@ -7271,7 +7153,7 @@ setup_mysql() {
 
   # Scenario 2: Use official MySQL repository (USE_MYSQL_REPO=true)
   # Scenario 2a: Already at target version - just update packages
-  if [[ -n "$CURRENT_VERSION" ]] && version_matches_spec "$CURRENT_VERSION" "$MYSQL_VERSION"; then
+  if [[ -n "$CURRENT_VERSION" && "$CURRENT_VERSION" == "$MYSQL_VERSION" ]]; then
     msg_info "Update MySQL $MYSQL_VERSION"
 
     ensure_apt_working || return 100
@@ -7287,7 +7169,7 @@ setup_mysql() {
   fi
 
   # Scenario 2: Different version installed - clean upgrade
-  if [[ -n "$CURRENT_VERSION" ]] && ! version_matches_spec "$CURRENT_VERSION" "$MYSQL_VERSION"; then
+  if [[ -n "$CURRENT_VERSION" && "$CURRENT_VERSION" != "$MYSQL_VERSION" ]]; then
     msg_info "Upgrade MySQL from $CURRENT_VERSION to $MYSQL_VERSION"
     remove_old_tool_version "mysql"
   else
@@ -7401,18 +7283,13 @@ EOF
 #   - Optionally installs or updates global npm modules
 #
 # Variables:
-#   NODE_VERSION          - Node.js version to install (default: 24 LTS)
-#   NODE_MODULE           - Comma-separated global modules (e.g. "yarn,corepack,pnpm@10")
-#   NODE_COREPACK_ENABLE  - Run corepack enable after install (default: 1 when corepack is used)
+#   NODE_VERSION   - Node.js version to install (default: 24 LTS)
+#   NODE_MODULE    - Comma-separated list of global modules (e.g. "yarn,@vue/cli@5.0.0")
 # ------------------------------------------------------------------------------
 
 setup_nodejs() {
   local NODE_VERSION="${NODE_VERSION:-24}"
   local NODE_MODULE="${NODE_MODULE:-}"
-  local NODE_COREPACK_ENABLE="${NODE_COREPACK_ENABLE:-1}"
-  local node_major="${NODE_VERSION%%.*}"
-  local wants_corepack=0
-  local node_setup_ok_msg=""
 
   # ALWAYS clean up legacy installations first (nvm, etc.) to prevent conflicts
   cleanup_legacy_install "nodejs"
@@ -7439,17 +7316,18 @@ setup_nodejs() {
     # Upgrade to the latest minor/patch release from NodeSource
     $STD apt-get install -y --only-upgrade nodejs 2>/dev/null || true
 
+    # Pin npm to 11.11.0 to work around Node.js 22.22.2 regression (nodejs/node#62425)
+    $STD npm install -g npm@11.11.0 2>/dev/null || true
+
     cache_installed_version "nodejs" "$NODE_VERSION"
     msg_ok "Update Node.js $NODE_VERSION"
   else
     # Scenario 2: Different version installed - clean upgrade
     if [[ -n "$CURRENT_NODE_VERSION" && "$CURRENT_NODE_VERSION" != "$NODE_VERSION" ]]; then
       msg_info "Upgrade Node.js from $CURRENT_NODE_VERSION to $NODE_VERSION"
-      node_setup_ok_msg="Upgrade Node.js to $NODE_VERSION"
       remove_old_tool_version "nodejs"
     else
       msg_info "Setup Node.js $NODE_VERSION"
-      node_setup_ok_msg="Setup Node.js $NODE_VERSION"
     fi
 
     # Remove ALL Debian nodejs packages BEFORE adding NodeSource repo
@@ -7458,7 +7336,6 @@ setup_nodejs() {
       $STD apt purge -y nodejs nodejs-doc libnode* node-* 2>/dev/null || true
       $STD apt autoremove -y 2>/dev/null || true
       $STD apt clean 2>/dev/null || true
-      msg_ok "Removed Debian-packaged Node.js"
     fi
 
     # Remove any APT pinning (not needed)
@@ -7504,19 +7381,17 @@ setup_nodejs() {
       return 127
     fi
 
-    cache_installed_version "nodejs" "$NODE_VERSION"
-    msg_ok "$node_setup_ok_msg"
-  fi
-
-  # Node 22.22.2 bundles npm 10.9.7 which cannot self-upgrade (nodejs/node#62425)
-  if [[ "$NODE_VERSION" == "22" && "$(npm -v 2>/dev/null)" == "10.9.7" ]]; then
-    msg_info "Updating npm (Node 22 regression fix)"
-    $STD npm install -g npm@10.9.8 2>/dev/null || true
-    if $STD npm install -g npm@latest 2>/dev/null; then
-      msg_ok "Updated npm ($(npm -v))"
-    else
-      msg_warn "npm update failed on Node 22.22.2"
+    # Pin npm to 11.11.0 to work around Node.js 22.22.2 regression (nodejs/node#62425)
+    local NPM_VERSION
+    NPM_VERSION=$(npm -v 2>/dev/null || echo "0")
+    if [[ "$NPM_VERSION" != "0" ]]; then
+      $STD npm install -g npm@11.11.0 2>/dev/null || {
+        msg_warn "Failed to update npm to 11.11.0 (continuing with bundled npm $NPM_VERSION)"
+      }
     fi
+
+    cache_installed_version "nodejs" "$NODE_VERSION"
+    msg_ok "Setup Node.js $NODE_VERSION"
   fi
 
   # Set a safe default heap limit for Node.js builds if not explicitly provided.
@@ -7561,18 +7436,12 @@ setup_nodejs() {
   }
 
   # Install global Node modules
-  if [[ -n "$NODE_MODULE" ]] || (( node_major >= 25 )); then
-    if (( node_major >= 25 )) && [[ ",${NODE_MODULE}," != *",corepack,"* ]] && [[ "$NODE_MODULE" != corepack* ]]; then
-      NODE_MODULE="${NODE_MODULE:+$NODE_MODULE,}corepack"
-    fi
-
+  if [[ -n "$NODE_MODULE" ]]; then
     IFS=',' read -ra MODULES <<<"$NODE_MODULE"
 
+    # Pin pnpm to v10 to avoid breaking changes from newer major versions
     for i in "${!MODULES[@]}"; do
-      if [[ "${MODULES[$i]}" == "corepack" || "${MODULES[$i]}" == corepack@* ]]; then
-        wants_corepack=1
-      fi
-      if [[ "${MODULES[$i]}" == "pnpm" ]]; then
+      if [[ "${MODULES[$i]}" =~ ^pnpm(@.*)?$ ]]; then
         MODULES[$i]="pnpm@^10"
       fi
     done
@@ -7598,43 +7467,33 @@ setup_nodejs() {
       if $STD npm list -g --depth=0 "$MODULE_NAME" 2>&1 | grep -q "$MODULE_NAME@"; then
         MODULE_INSTALLED_VERSION="$(npm list -g --depth=0 "$MODULE_NAME" 2>&1 | grep "$MODULE_NAME@" | awk -F@ '{print $2}' 2>/dev/null | tr -d '[:space:]' || echo '')"
         if [[ "$MODULE_REQ_VERSION" != "latest" && "$MODULE_REQ_VERSION" != "$MODULE_INSTALLED_VERSION" ]]; then
-          msg_info "Updating $MODULE_NAME to v$MODULE_REQ_VERSION"
-          if $STD npm install -g "${MODULE_NAME}@${MODULE_REQ_VERSION}" 2>/dev/null; then
-            msg_ok "Updated $MODULE_NAME"
-          else
+          msg_info "Updating $MODULE_NAME from v$MODULE_INSTALLED_VERSION to v$MODULE_REQ_VERSION"
+          if ! $STD npm install -g "${MODULE_NAME}@${MODULE_REQ_VERSION}" 2>/dev/null; then
             msg_warn "Failed to update $MODULE_NAME to version $MODULE_REQ_VERSION"
             ((failed_modules++)) || true
+            continue
           fi
         elif [[ "$MODULE_REQ_VERSION" == "latest" ]]; then
           msg_info "Updating $MODULE_NAME to latest version"
-          if $STD npm install -g "${MODULE_NAME}@latest" 2>/dev/null; then
-            msg_ok "Updated $MODULE_NAME"
-          else
+          if ! $STD npm install -g "${MODULE_NAME}@latest" 2>/dev/null; then
             msg_warn "Failed to update $MODULE_NAME to latest version"
             ((failed_modules++)) || true
+            continue
           fi
         fi
       else
         msg_info "Installing $MODULE_NAME@$MODULE_REQ_VERSION"
-        if $STD npm install -g "${MODULE_NAME}@${MODULE_REQ_VERSION}" 2>/dev/null; then
-          msg_ok "Installed $MODULE_NAME"
-        else
+        if ! $STD npm install -g "${MODULE_NAME}@${MODULE_REQ_VERSION}" 2>/dev/null; then
           msg_warn "Failed to install $MODULE_NAME@$MODULE_REQ_VERSION"
           ((failed_modules++)) || true
+          continue
         fi
       fi
     done
-    if (( failed_modules > 0 )); then
-      msg_warn "$failed_modules Node.js module(s) failed: $NODE_MODULE"
-    fi
-  fi
-
-  if [[ "$NODE_COREPACK_ENABLE" == "1" ]] && (( wants_corepack )) && command -v corepack >/dev/null 2>&1; then
-    msg_info "Enabling corepack"
-    if $STD corepack enable 2>/dev/null; then
-      msg_ok "Enabled corepack"
+    if [[ $failed_modules -eq 0 ]]; then
+      msg_ok "Installed Node.js modules: $NODE_MODULE"
     else
-      msg_warn "corepack enable failed"
+      msg_warn "Installed Node.js modules with $failed_modules failure(s): $NODE_MODULE"
     fi
   fi
 }
@@ -8677,10 +8536,13 @@ setup_uv() {
   local UV_BIN="/usr/local/bin/uv"
   local UVX_BIN="/usr/local/bin/uvx"
   local TMP_DIR=$(mktemp -d)
+  local CACHED_VERSION
 
   # trap for TMP Cleanup
   trap "rm -rf '$TMP_DIR'" EXIT
 
+  CACHED_VERSION=$(get_cached_version "uv")
+
   # Architecture Detection
   local ARCH=$(uname -m)
   local OS_TYPE=""
@@ -9156,10 +9018,6 @@ check_for_gl_release() {
 
   ensure_dependencies jq
 
-  local gl_check_json
-  gl_check_json=$(mktemp /tmp/tools-gl-check-XXXXXX.json) || return 7
-  trap 'rm -f "$gl_check_json"' RETURN
-
   local repo_encoded
   repo_encoded=$(printf '%s' "$source" | sed 's|/|%2F|g')
 
@@ -9171,23 +9029,23 @@ check_for_gl_release() {
   # For pinned versions, try to fetch the specific release tag first
   if [[ -n "$pinned_version_in" ]]; then
     local pinned_encoded="${pinned_version_in//\//%2F}"
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o "$gl_check_json" \
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
       "${header[@]}" \
       "https://gitlab.com/api/v4/projects/$repo_encoded/releases/$pinned_encoded" 2>/dev/null) || true
-    if [[ "$http_code" == "200" ]] && [[ -s "$gl_check_json" ]]; then
-      releases_json="[$(<"$gl_check_json")]"
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
+      releases_json="[$(</tmp/gl_check.json)]"
     fi
-    rm -f "$gl_check_json"
+    rm -f /tmp/gl_check.json
   fi
 
   # Fetch full releases list if needed
   if [[ -z "$releases_json" ]]; then
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o "$gl_check_json" \
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
       "${header[@]}" \
       "https://gitlab.com/api/v4/projects/$repo_encoded/releases?per_page=100&order_by=released_at&sort=desc" 2>/dev/null) || true
 
-    if [[ "$http_code" == "200" ]] && [[ -s "$gl_check_json" ]]; then
-      releases_json=$(<"$gl_check_json")
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
+      releases_json=$(</tmp/gl_check.json)
     elif [[ "$http_code" == "401" ]]; then
       msg_error "GitLab API authentication failed (HTTP 401)."
       if [[ -n "${GITLAB_TOKEN:-}" ]]; then
@@ -9195,28 +9053,28 @@ check_for_gl_release() {
       else
         msg_error "The repository may require authentication. Try: export GITLAB_TOKEN=\"glpat-your_token\""
       fi
-      rm -f "$gl_check_json"
+      rm -f /tmp/gl_check.json
       return 22
     elif [[ "$http_code" == "404" ]]; then
       msg_error "GitLab project not found (HTTP 404). Ensure '${source}' is correct and publicly accessible."
-      rm -f "$gl_check_json"
+      rm -f /tmp/gl_check.json
       return 22
     elif [[ "$http_code" == "429" ]]; then
       msg_error "GitLab API rate limit exceeded (HTTP 429)."
       msg_error "To increase the limit, export a GitLab token: export GITLAB_TOKEN=\"glpat-your_token_here\""
-      rm -f "$gl_check_json"
+      rm -f /tmp/gl_check.json
       return 22
     elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
       msg_error "GitLab API connection failed (no response)."
       msg_error "Check your network/DNS: curl -sSL https://gitlab.com/api/v4/version"
-      rm -f "$gl_check_json"
+      rm -f /tmp/gl_check.json
       return 7
     else
       msg_error "Unable to fetch releases for ${app} (HTTP ${http_code})"
-      rm -f "$gl_check_json"
+      rm -f /tmp/gl_check.json
       return 22
     fi
-    rm -f "$gl_check_json"
+    rm -f /tmp/gl_check.json
   fi
 
   mapfile -t raw_tags < <(jq -r '.[] | .tag_name' <<<"$releases_json")
@@ -9436,10 +9294,6 @@ fetch_and_deploy_gl_release() {
 
   ensure_dependencies jq
 
-  local gl_rel_json
-  gl_rel_json=$(mktemp /tmp/tools-gl-rel-XXXXXX.json) || return 7
-  trap 'rm -f "$gl_rel_json"' RETURN
-
   local repo_encoded
   repo_encoded=$(printf '%s' "$repo" | sed 's|/|%2F|g')
 
@@ -9457,7 +9311,7 @@ fetch_and_deploy_gl_release() {
   local max_retries=3 retry_delay=2 attempt=1 success=false http_code
 
   while ((attempt <= max_retries)); do
-    http_code=$(curl $api_timeout -sSL -w "%{http_code}" -o "$gl_rel_json" "${header[@]}" "$api_url" 2>/dev/null) || true
+    http_code=$(curl $api_timeout -sSL -w "%{http_code}" -o /tmp/gl_rel.json "${header[@]}" "$api_url" 2>/dev/null) || true
     if [[ "$http_code" == "200" ]]; then
       success=true
       break
@@ -9498,7 +9352,7 @@ fetch_and_deploy_gl_release() {
   fi
 
   local json tag_name
-  json=$(<"$gl_rel_json")
+  json=$(</tmp/gl_rel.json)
 
   if [[ "$version" == "latest" ]]; then
     json=$(echo "$json" | jq '.[0] // empty')