Overview
The Plugins page is available at System → Plugins. It is the central place to install, update, and monitor curated runtime tools that Git Web Manager can manage on your behalf — starting with the Node.js LTS runtime and the PM2 process manager.
- Install — download and configure a plugin directly from within GWM, no SSH required.
- Update — apply the latest version with one click, or enable Auto-update to let GWM handle it overnight.
- Vulnerability scanning — click Check for Updates to run live security checks and surface advisories before they become incidents.
Plugins are stored in storage/plugins/ and are excluded from git to avoid being wiped by git clean during application updates.
Node.js Runtime
The Node.js Runtime plugin manages a GWM-owned LTS binary stored at storage/node-runtime/. This is the same runtime used by the Node.js Process Manager and by npm-based deployments.
- Install — downloads the current LTS release directly from
nodejs.organd extracts it intostorage/node-runtime/. No root or package manager access is needed. - Update — replaces the installed binary with the latest LTS version.
- Uninstall — removes the GWM-managed runtime. Does not affect any system-level Node.js installation.
The Install Source column on Runtime Diagnostics indicates whether the active binary is the GWM-managed one or a system installation found on PATH.
Vulnerability checking for the Node.js Runtime compares the installed version against the current LTS release from nodejs.org/dist/index.json. Older Node.js versions frequently contain CVEs, so keeping it current is recommended.
PM2 Process Manager
PM2 is a production-grade Node.js process manager with crash-restart supervision, a persistent process table, and log management. GWM installs PM2 into storage/plugins/pm2/ using the bundled npm, keeping it fully isolated from any globally installed PM2.
- Install — runs
npm install pm2using the GWM-managed Node.js binary and npm. - Update — upgrades to the latest published PM2 release via
npm install pm2@latest. - Uninstall — removes the
storage/plugins/pm2/directory entirely.
Once installed, PM2 is available at storage/plugins/pm2/node_modules/pm2/bin/pm2 and can be invoked through GWM or directly from the command line using the bundled Node.js binary.
Vulnerability checking runs npm audit --json against the PM2 package tree and surfaces any high or critical severity advisories.
GWM's built-in Node.js Process Manager provides supervised per-project process launching without requiring PM2. PM2 is an optional plugin for teams that want its extended feature set — persistent process lists, cluster mode, metrics, and log rotation.
Checking for Updates
Click Check for Updates at the top of the Plugins page to run a live check across all installed plugins:
- Fetches the latest available version from each plugin's upstream registry (
nodejs.orgfor Node.js,registry.npmjs.orgfor PM2). - Compares it against the installed version and marks any plugin with a newer release as Update Available.
- Runs vulnerability scans for all installed plugins and displays any advisories inline on the plugin card.
- Updates the Last Checked timestamp shown on each card.
Vulnerability checks are not run on page load because they involve live HTTP calls and npm audit. Trigger them explicitly with the Check for Updates button, or let the daily scheduled job handle it.
Auto-Update
Each plugin card has an Auto-update toggle. When enabled, GWM will automatically install available updates during the nightly maintenance window.
- The
plugins:check-updatesArtisan command runs daily at 03:00 via the Laravel scheduler. - It queries the upstream registry for each plugin, compares versions, and runs the update if one is available and Auto-update is on.
- Results are recorded in the plugin's database record — installed version, latest version, and last checked timestamp.
Auto-update runs the same install path as the manual Update button. If the update fails, the plugin record is set to an error state and the previous version remains in place.
Confirm the scheduler is running before relying on Auto-update. Go to System → Scheduler & Queue and verify the heartbeat is active.
Vulnerability Alerts
When a vulnerability is detected, a red advisory block appears on the plugin card listing the affected packages and severity levels. Advisories come from two sources:
- Node.js Runtime — version comparison against the current LTS. Any installed version that is behind the latest LTS generates a warning, as older Node.js versions commonly carry unpatched CVEs.
- PM2 —
npm auditrun against the installed PM2 dependency tree. Only high and critical severity advisories are reported.
The recommended response is to click Update on the affected plugin card, or enable Auto-update to prevent the same issue from recurring.
Status Reference
| Status | Meaning |
|---|---|
| Not Installed | The plugin binary is not present. Click Install to set it up. |
| Installing | Download and setup is in progress. |
| Installed | Plugin is ready. Version info is shown on the card. |
| Updating | An update is being applied. |
| Update Available | A newer version exists upstream. Shown after Check for Updates. |
| Error | The last operation failed. The error message is shown on the card. |