Releases: G-Rath/osv-detector

v0.16.2

09 Dec 22:57
31d64a0

What's Changed

  • update osv-scalibr (#355)
  • account for ecosystem suffix when determining affected advisories (#359)

Full Changelog: v0.16.1...v0.16.2

v0.16.1

02 Dec 22:10
65566db

What's Changed

  • skip advisories that are for unrelated packages when loading databases (#336)
  • ensure absolute paths can be provided on Windows (#354)
  • exit with non-zero code if the api is not happy (#352)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

27 Nov 02:32
6d30712

This version is mainly focused on the API database: queries are now done in parallel, the commit is only included in a query when the package has no other information (meaning advisories in ecosystems like Packagist should be properly showing again), and a new environment variable makes the detector prefer the API by default.

Part of this has come from the local zip databases growing to such a point that it is now probably better to be using the API database where possible, hence the new environment variable.

This also adds support for pylock.toml files, and modernizes some of the code thanks to the modernize linter.

What's Changed

  • support having the detector use the api by default based on an environment variable (#346)
  • modernize code (#350)
  • only use the commit in api queries if the package does not have other info (#349)
  • support parsing pylock.toml files (#303)
  • do api queries in parallel using errgroup (#347)

Full Changelog: v0.15.1...v0.16.0

v0.15.1

12 Nov 20:56
5c4bb1c

What's Changed

  • only use Reference as the commit if it does not have a dot for Packagist packages (#342)
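
How the commit-versus-version rule above and the "only use the commit if the package has no other info" change in v0.16.0 shape an API request, and how the unhappy-API handling in v0.16.1 and v0.11.2 should treat a bad reply, is easier to see in code. The following is an added example and not osv-detector's own code: `PackageDetails` is a constructed stand-in for a parsed lockfile entry, the Packagist rule is read as "a reference containing a dot is a version string, not a commit" (an assumption about the fix), and the packages and replies are constructed. The request and response shapes are those of the public `POST /v1/querybatch` endpoint on api.osv.dev.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// PackageDetails is a constructed stand-in for what a lockfile parser yields; Commit would
// come from a field such as composer.lock's source.reference.
type PackageDetails struct{ Name, Version, Ecosystem, Commit string }

// Query is one entry of the body sent to POST /v1/querybatch on api.osv.dev.
type QueryPackage struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}
type Query struct {
	Package *QueryPackage `json:"package,omitempty"`
	Version string        `json:"version,omitempty"`
	Commit  string        `json:"commit,omitempty"`
}
type batchRequest struct{ Queries []Query `json:"queries"` }
type vulnRef struct{ ID string `json:"id"` }
type result struct{ Vulns []vulnRef `json:"vulns"` }
type batchResponse struct{ Results []result `json:"results"` }

// BuildQuery prefers name+version and falls back to the commit only when the package carries
// nothing else, since a commit query can only hit advisories with GIT ranges. For Packagist a
// reference containing a dot is a version string such as "v1.2.3" rather than a commit, so it
// is never sent as one (this reading of the fix is an assumption, not the detector's own code).
func BuildQuery(p PackageDetails) (Query, bool) {
	if p.Name != "" && p.Version != "" && p.Ecosystem != "" {
		return Query{Package: &QueryPackage{p.Name, p.Ecosystem}, Version: p.Version}, true
	}
	if p.Commit != "" && !(p.Ecosystem == "Packagist" && strings.Contains(p.Commit, ".")) {
		return Query{Commit: p.Commit}, true
	}
	return Query{}, false // nothing the API could answer
}

// BuildBatch turns parsed packages into the querybatch JSON body and reports how many
// packages were dropped for lack of anything to query.
func BuildBatch(pkgs []PackageDetails) (body []byte, skipped int, err error) {
	req := batchRequest{Queries: []Query{}} // marshal as "queries":[] rather than null
	for _, p := range pkgs {
		if q, ok := BuildQuery(p); ok {
			req.Queries = append(req.Queries, q)
		} else {
			skipped++
		}
	}
	body, err = json.Marshal(req)
	return body, skipped, err
}

// ParseBatchResponse takes the status and body of the HTTP reply and refuses to treat anything
// but a well-formed 200 as an answer: a 5xx or an HTML error page must become an error
// (and, in a CLI, a non-zero exit), never "no vulnerabilities found".
func ParseBatchResponse(status int, body io.Reader, want int) ([][]string, error) {
	if status != 200 {
		return nil, fmt.Errorf("osv api: unexpected status %d", status)
	}
	var br batchResponse
	if err := json.NewDecoder(body).Decode(&br); err != nil {
		return nil, fmt.Errorf("osv api: malformed response: %w", err)
	}
	if len(br.Results) != want {
		return nil, fmt.Errorf("osv api: %d results for %d queries", len(br.Results), want)
	}
	ids := make([][]string, want)
	for i, r := range br.Results {
		for _, v := range r.Vulns {
			ids[i] = append(ids[i], v.ID)
		}
	}
	return ids, nil
}

// SamplePackages is constructed input covering each branch of BuildQuery.
func SamplePackages() []PackageDetails {
	return []PackageDetails{
		{Name: "lodash", Version: "4.17.20", Ecosystem: "npm"},
		{Name: "vendor/lib", Version: "2.0.0", Ecosystem: "Packagist", Commit: "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"},
		{Ecosystem: "Packagist", Commit: "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"},
		{Ecosystem: "Packagist", Commit: "v1.2.3"},
	}
}

// Constructed replies: what a healthy API and a broken one might send back for three queries.
const okBody = `{"results":[{"vulns":[{"id":"EX-2023-0002","modified":"2023-01-01T00:00:00Z"}]},{"vulns":[]},{}]}`
const brokenBody = `<html><body>503 Service Unavailable</body></html>`

func main() {
	body, skipped, _ := BuildBatch(SamplePackages())
	fmt.Println(string(body), "skipped:", skipped)
	fmt.Println(ParseBatchResponse(200, strings.NewReader(okBody), 3))
	fmt.Println(ParseBatchResponse(503, strings.NewReader(brokenBody), 3))
}
```

A live caller would `http.Post` the body and hand `resp.StatusCode` and `resp.Body` to `ParseBatchResponse`; the check is kept separate from the transport so that a 503 with an HTML body, or a 200 whose result count does not match the number of queries sent, propagates as an error the CLI can turn into a non-zero exit instead of reporting a clean scan.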

Full Changelog: v0.15.0...v0.15.1

v0.15.0

03 Oct 03:16
108ddbc

This version marks the start of migrating to osv-scalibr, with the semantic package now being sourced from there. From a CLI point of view this should not change anything, but anyone using it as a library will now find that its API has been changed to return errors instead of panicking.

I expect to replace the lockfile package with the osv-scalibr equivalent in the next release.

What's Changed

  • update to Go v1.24 (#315)
  • replace semantic with osv-scalibr version (#316)
  • exclude root packages when parsing yarn.lock files (#320)

Full Changelog: v0.14.0...v0.15.0

v0.14.0

03 Apr 19:16
b4ad2af

This version adds support for bun.lock and uv.lock files, comparing Ubuntu, Alpine, and Red Hat versions (though we don't support parsing their respective "lockfiles"), and upgrades us to Go v1.23.

This is also probably going to be the last version with the current lockfile and semantic packages, as I've been working with Google on reshaping these libraries which has resulted in osv-scalibr, and which has a much better API especially for lockfile (which over there is extractor).

I will likely start by replacing semantic as that has moved to osv-scalibr in a way that's nearly 1:1, with the main difference being it now returns errors instead of panicking and a much smaller public API for now.

If you are using the osv-detector public libraries, I encourage you to look at the osv-scalibr equivalents to get a sense of what to expect in terms of migrating, and please feel free to open issues either here or on the osv-scalibr repository if you have questions or feel something is missing from their packages that you'd like to make sure is brought across.

What's Changed

  • support parsing bun.lock files (#285)
  • support parsing uv.lock files (#287)
  • upgrade to Go v1.23 (#292)
  • support comparing Ubuntu versions (#300)
  • support comparing Alpine versions (#299)
  • support comparing RedHat versions (#298)

Full Changelog: v0.13.1...v0.14.0

v0.13.1

31 Oct 21:04
fe20f58

In addition to a couple of bug fixes, this version also includes a few refactors, mainly to semantic, removing checks that were not actually needed. In theory it should mean things are slightly faster and smaller, but it'll probably be too small to notice in practice; the more exciting win is the "increase" in test coverage 🥳

What's Changed

  • don't panic on pnpm lockfiles with an invalid path (#280)
  • process managed dependencies before standard dependencies when parsing pom.xmls (#279)
  • switch to slightly more efficient ways of building strings in a couple of places (#273)
  • simplify comparing of RubyGem version components (#275)
  • simplify comparing of "pre" letters in PyPI versions (#278)
  • remove unneeded condition in PyPI version comparator (#274)
  • remove unneeded logic in parsing semver-like versions (#277)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

10 May 04:01
2cb582b

This version has a number of changes because I apparently forgot to do a release for a while! In addition to a few fixes around NPM and Yarn, this adds support for two completely new lockfile formats (renv.lock and pdm.lock) and v9 of PNPM lockfiles.

It also introduces a new --update-config-ignores flag to make it easier to (re)generate config ignores, which is pretty handy!

What's Changed

  • support versions with build metadata in yarn.lock files (#227)
  • handle aliased packages in lockfiles for npm and yarn (#233)
  • support parsing renv.lock files (#243)
  • support parsing pdm.lock files (#245)
  • update to Go 1.21 (#246)
  • support PNPM v9 lockfiles (#251)
  • update YAML library to v3 (#252)
  • support updating config ignores with --update-config-ignores (#248)

Full Changelog: v0.12.0...v0.13.0

v0.12.0

15 Sep 20:42
3c980d6

This version changes how the detector checks advisories to greatly reduce the amount of work it does, meaning performance scales a lot better as databases grow. This does mean the detector no longer loads advisories that have no affected packages, but that shouldn't be a problem since the detector can't do anything with those advisories anyway. We also cache regexp compiles, which in particular makes version parsing faster, though this will probably only be noticeable if you're using the detector as a library to check a huge number of versions.

Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.
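
The indexing step this release describes, together with the ecosystem-suffix fix in v0.16.2, the skipping of unrelated advisories in v0.16.1 and the "affected entries in order" fix in v0.11.2, all come down to the same few moving parts, shown here as an added example. This is not osv-detector's code: it assumes a minimal slice of the OSV schema, a constructed three-advisory database, a stand-in dotted-numeric version comparator in place of the per-ecosystem ones, and reads the suffix fix as "strip everything after the first colon of the ecosystem name"; `indexKey`, `BuildIndex`, `isAffected` and `MatchPackage` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// The slice of the OSV schema needed here; json.Unmarshal matches the lower-case JSON keys to these fields.
type Event struct{ Introduced, Fixed string } // exactly one field is set per event
type Range struct{ Type string; Events []Event }
type Affected struct{ Package struct{ Ecosystem, Name string }; Ranges []Range }
type Advisory struct{ ID string; Affected []Affected }
type hit struct{ ID string; Aff Affected } // one indexed (advisory, affected entry) pair

// Constructed sample database: a suffixed ecosystem, events out of order, and an advisory naming no package.
const sampleJSON = `[
{"id":"EX-2023-0001","affected":[{"package":{"ecosystem":"Alpine:v3.18","name":"curl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.1.0"}]}]}]},
{"id":"EX-2023-0002","affected":[{"package":{"ecosystem":"npm","name":"lodash"},"ranges":[{"type":"SEMVER","events":[{"fixed":"4.17.21"},{"introduced":"0"}]}]}]},
{"id":"EX-2023-0003","affected":[]}]`

func SampleAdvisories() []Advisory {
	var advs []Advisory
	if err := json.Unmarshal([]byte(sampleJSON), &advs); err != nil {
		panic(err) // constructed input, so this cannot fail
	}
	return advs
}

// indexKey drops a release suffix such as ":v3.18" so that "Alpine:v3.18" advisories share a
// bucket with packages reported as plain "Alpine" (an assumed reading of the suffix fix).
func indexKey(ecosystem, name string) string {
	return strings.SplitN(ecosystem, ":", 2)[0] + "/" + name
}

// BuildIndex buckets affected entries by (ecosystem, package); an advisory with no entries is never loaded.
func BuildIndex(advs []Advisory) map[string][]hit {
	idx := make(map[string][]hit)
	for _, a := range advs {
		for _, aff := range a.Affected {
			k := indexKey(aff.Package.Ecosystem, aff.Package.Name)
			idx[k] = append(idx[k], hit{a.ID, aff})
		}
	}
	return idx
}

// compareVersions is a plain dotted-numeric stand-in for the per-ecosystem comparators; it returns the sign of the first differing component.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int // a missing component counts as 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// isAffected sorts each range's events in place before walking them, so "fixed" listed ahead of "introduced" still works.
func isAffected(aff Affected, version string) bool {
	for _, r := range aff.Ranges {
		if r.Type != "SEMVER" && r.Type != "ECOSYSTEM" {
			continue // GIT ranges hold commits, which a lockfile version cannot be compared against
		}
		sort.SliceStable(r.Events, func(i, j int) bool {
			return compareVersions(r.Events[i].Introduced+r.Events[i].Fixed, r.Events[j].Introduced+r.Events[j].Fixed) < 0
		})
		vulnerable := false // once sorted, the last event at or below version decides
		for _, e := range r.Events {
			if compareVersions(version, e.Introduced+e.Fixed) >= 0 {
				vulnerable = e.Introduced != ""
			}
		}
		if vulnerable {
			return true
		}
	}
	return false
}

// MatchPackage consults only this package's bucket rather than every advisory, which is what lets lookups scale.
func MatchPackage(idx map[string][]hit, ecosystem, name, version string) (ids []string) {
	for _, h := range idx[indexKey(ecosystem, name)] {
		if isAffected(h.Aff, version) && (len(ids) == 0 || ids[len(ids)-1] != h.ID) {
			ids = append(ids, h.ID) // one advisory's entries are adjacent, so this dedupes
		}
	}
	return ids
}

func main() {
	fmt.Println(MatchPackage(BuildIndex(SampleAdvisories()), "Alpine", "curl", "8.0.1")) // [EX-2023-0001]
}
```

`go run` prints the single match for curl 8.0.1 under Alpine. Two things carry over to any real index: sort a range's events before walking them, because the schema does not promise their order, and key the map on what the lockfile parser actually reports, or a release-suffixed ecosystem silently matches nothing.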

What's Changed

  • use go v1.20 (#204)
  • use a map to track which advisories should be checked for which packages (#216)
  • cache regexp compiles (#213)
  • support peer dependencies in v6 versions of PNPM lockfiles (#209)
  • properly parse pre-release versions in PNPM lockfiles (#211)

Full Changelog: v0.11.2...v0.12.0

v0.11.2

19 Aug 04:59
52d3d19

What's Changed

  • set CompareAs for pubspec packages (#199)
  • check for unexpected responses from remote database hosts (#197)
  • ensure full-line error messages have a newline at the end (#200)
  • ensure that affected entries are in order before comparing (#198)

Full Changelog: v0.11.1...v0.11.2