Releases: G-Rath/osv-detector
v0.13.1
In addition to a couple of bug fixes, this version also includes a few refactors mainly to semantic removing checks that were not actually needed - in theory it should mean things are slightly faster and smaller, but it'll probably be too small to notice in practice; the more exciting win is the "increase" in test coverage 🥳
What's Changed
- don't panic on
pnpmlockfiles with an invalid path (#280) - process managed dependencies before standard dependencies when parsing
pom.xmls (#279) - switch to slightly more efficient ways of building strings in a couple of places (#273)
- simplify comparing of RubyGem version components (#275)
- simplify comparing of "pre" letters in PyPI versions (#278)
- remove unneeded condition in PyPI version comparator (#274)
- remove unneeded logic in parsing semver-like versions (#277)
Full Changelog: v0.13.0...v0.13.1
v0.13.0
This version has a number of stuff because I apparently forgot to do a release for a while! In addition to a few fixes around NPM and Yarn, this adds support for two completely new lockfile formats (renv.lock and pdm.lock) and v9 of PNPM lockfiles.
It also introduces a new --update-config-ignores flag to make it easier to (re)generate config ignores, which is pretty handy!
What's Changed
- support versions with build metadata in
yarn.lockfiles (#227) - handle aliased packages in lockfiles for npm and yarn (#233)
- support parsing
renv.lockfiles (#243) - support parsing
pdm.lockfiles (#245) - update to Go 1.21 (#246)
- support PNPM v9 lockfiles (#251)
- update YAML library to v3 (#252)
- support updating config ignores with
--update-config-ignores(#248)
Full Changelog: v0.12.0...v0.13.0
v0.12.0
This version changes how the detector checks advisories to greatly reduce the amount of work it does meaning performance scales a lot better as the size of databases grow - this does mean the detector no longer loads advisories that have no affected packages, but that shouldn't be a problem since the detector can't do anything with those advisories anyway; we also cache regexp compiles which in particular make version parsing faster though this will probably only be noticeable if you're using the detector as a library to check a huge number of versions.
Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.
What's Changed
- use go v1.20 (#204)
- use a map to track which advisories should be checked for which packages (#216)
- cache regexp compiles (#213)
- support peer dependencies in v6 versions of PNPM lockfiles (#209)
- properly parse pre-release versions in PNPM lockfiles (#211)
Full Changelog: v0.11.2...v0.12.0
v0.11.2
v0.11.1
What's Changed
- don't panic on empty
pnpm-lock.yamlfiles (#191) - improve warning message when parsing invalid Maven poms (#192)
- handle cyclical
-rs inrequirements.txtfiles (#193) - handle line continuations in
requirements.txtfiles (#195) - handle requirements with options in
requirements.txt(#196)
Full Changelog: v0.11.0...v0.11.1
v0.11.0
v0.10.4
What's Changed
- support Pipenv
developpackages without a version (#186) - avoid infinite loops parsing Maven poms with syntax errors (#188)
Full Changelog: v0.10.3...v0.10.4
v0.10.3
What's Changed
- trim leading zeros off when comparing numerical components in Maven versions (#179)
Full Changelog: v0.10.2...v0.10.3
v0.10.2
What's Changed
- update to the latest patch version of go v1.17 (#178)
Full Changelog: v0.10.1...v0.10.2
v0.10.1
What's Changed
- support
yarn.lockfiles with quoted properties (#170) - avoid panic when parsing
file:dependencies inpnpmlockfiles (#171) - deduplicate packages that appear multiple times in
Pipenv.lockfiles (#172) - properly handle comparing zero versions in Maven (#173)
Full Changelog: v0.10.0...v0.10.1