Releases: G-Rath/osv-detector
v0.13.0
This version has a number of changes because I apparently forgot to do a release for a while! In addition to a few fixes around NPM and Yarn, this adds support for two completely new lockfile formats (`renv.lock` and `pdm.lock`) and v9 of PNPM lockfiles.
It also introduces a new `--update-config-ignores` flag to make it easier to (re)generate config ignores, which is pretty handy!
What's Changed
- support versions with build metadata in `yarn.lock` files (#227)
- handle aliased packages in lockfiles for npm and yarn (#233)
- support parsing `renv.lock` files (#243)
- support parsing `pdm.lock` files (#245)
- update to Go 1.21 (#246)
- support PNPM v9 lockfiles (#251)
- update YAML library to v3 (#252)
- support updating config ignores with `--update-config-ignores` (#248)
Full Changelog: v0.12.0...v0.13.0
v0.12.0
This version changes how the detector checks advisories to greatly reduce the amount of work it does, meaning performance scales a lot better as the size of databases grows. This does mean the detector no longer loads advisories that have no affected packages, but that shouldn't be a problem since the detector can't do anything with those advisories anyway. We also cache regexp compiles, which in particular makes version parsing faster, though this will probably only be noticeable if you're using the detector as a library to check a huge number of versions.
Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.
What's Changed
- use go v1.20 (#204)
- use a map to track which advisories should be checked for which packages (#216)
- cache regexp compiles (#213)
- support peer dependencies in v6 versions of PNPM lockfiles (#209)
- properly parse pre-release versions in PNPM lockfiles (#211)
Full Changelog: v0.11.2...v0.12.0
v0.11.2
v0.11.1
What's Changed
- don't panic on empty `pnpm-lock.yaml` files (#191)
- improve warning message when parsing invalid Maven poms (#192)
- handle cyclical `-r`s in `requirements.txt` files (#193)
- handle line continuations in `requirements.txt` files (#195)
- handle requirements with options in `requirements.txt` (#196)
Full Changelog: v0.11.0...v0.11.1
v0.11.0
v0.10.4
What's Changed
- support Pipenv `develop` packages without a version (#186)
- avoid infinite loops parsing Maven poms with syntax errors (#188)
Full Changelog: v0.10.3...v0.10.4
v0.10.3
What's Changed
- trim leading zeros off when comparing numerical components in Maven versions (#179)
Full Changelog: v0.10.2...v0.10.3
v0.10.2
What's Changed
- update to the latest patch version of go v1.17 (#178)
Full Changelog: v0.10.1...v0.10.2
v0.10.1
What's Changed
- support `yarn.lock` files with quoted properties (#170)
- avoid panic when parsing `file:` dependencies in pnpm lockfiles (#171)
- deduplicate packages that appear multiple times in `Pipenv.lock` files (#172)
- properly handle comparing zero versions in Maven (#173)
Full Changelog: v0.10.0...v0.10.1
v0.10.0
What's Changed
- support parsing Gradle lockfiles (#164)
- support parsing NuGet `packages.lock.json` lockfiles (#165)
- support parsing PyPI `Pipfile.lock` lockfiles (#166)
Full Changelog: v0.9.1...v0.10.0