Releases · G-Rath/osv-detector

This version adds support for bun.lock and uv.lock files, comparing Ubuntu, Alpine, and Red Hat versions (though we don't support parsing their respective "lockfiles"), and upgrades us to Go v1.23.

This is also probably going to be the last version with the current lockfile and semantic packages, as I've been working with Google on reshaping these libraries which has resulted in osv-scalibr, and which has a much better API especially for lockfile (which over there is extractor).

I will likely start by replacing semantic as that has moved to osv-scalibr in a way that's nearly 1:1, with the main difference being it now returns errors instead of panicking and a much smaller public API for now.

If you are using the osv-detector public libraries, I encourage you to look at the osv-scalibr equivalents to get a sense of what to expect in terms of migrating, and please feel free to open issues either here or on the osv-scalibr repository if you have questions or feel something is missing from their packages that you'd like to make sure is brought across

What's Changed

support parsing bun.lock files (#285)
support parsing uv.lock files (#287)
upgrade to Go v1.23 (#292)
support comparing Ubuntu versions (#300)
support comparing Alpine versions (#299)
support comparing RedHat versions (#298)

Full Changelog: v0.13.1...v0.14.0

In addition to a couple of bug fixes, this version also includes a few refactors mainly to semantic removing checks that were not actually needed - in theory it should mean things are slightly faster and smaller, but it'll probably be too small to notice in practice; the more exciting win is the "increase" in test coverage 🥳

What's Changed

don't panic on pnpm lockfiles with an invalid path (#280)
process managed dependencies before standard dependencies when parsing pom.xmls (#279)
switch to slightly more efficient ways of building strings in a couple of places (#273)
simplify comparing of RubyGem version components (#275)
simplify comparing of "pre" letters in PyPI versions (#278)
remove unneeded condition in PyPI version comparator (#274)
remove unneeded logic in parsing semver-like versions (#277)

Full Changelog: v0.13.0...v0.13.1

This version has a number of stuff because I apparently forgot to do a release for a while! In addition to a few fixes around NPM and Yarn, this adds support for two completely new lockfile formats (renv.lock and pdm.lock) and v9 of PNPM lockfiles.

It also introduces a new --update-config-ignores flag to make it easier to (re)generate config ignores, which is pretty handy!

What's Changed

support versions with build metadata in yarn.lock files (#227)
handle aliased packages in lockfiles for npm and yarn (#233)
support parsing renv.lock files (#243)
support parsing pdm.lock files (#245)
update to Go 1.21 (#246)
support PNPM v9 lockfiles (#251)
update YAML library to v3 (#252)
support updating config ignores with --update-config-ignores (#248)

Full Changelog: v0.12.0...v0.13.0

This version changes how the detector checks advisories to greatly reduce the amount of work it does meaning performance scales a lot better as the size of databases grow - this does mean the detector no longer loads advisories that have no affected packages, but that shouldn't be a problem since the detector can't do anything with those advisories anyway; we also cache regexp compiles which in particular make version parsing faster though this will probably only be noticeable if you're using the detector as a library to check a huge number of versions.

Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.

What's Changed

use go v1.20 (#204)
use a map to track which advisories should be checked for which packages (#216)
cache regexp compiles (#213)
support peer dependencies in v6 versions of PNPM lockfiles (#209)
properly parse pre-release versions in PNPM lockfiles (#211) 8000

Full Changelog: v0.11.2...v0.12.0

What's Changed

set CompareAs for pubspec packages (#199)
check for unexpected responses from remote database hosts (#197)
ensure full-line error messages has a newline at the end (#200)
ensure that affected entries are in order before comparing (#198)

Full Changelog: v0.11.1...v0.11.2

What's Changed

don't panic on empty pnpm-lock.yaml files (#191)
improve warning message when parsing invalid Maven poms (#192)
handle cyclical -rs in requirements.txt files (#193)
handle line continuations in requirements.txt files (#195)
handle requirements with options in requirements.txt (#196)

Full Changelog: v0.11.0...v0.11.1

What's Changed

support PNPM v6 lockfiles (#187)
support dependencyManagement in Maven poms (#175)
support providing parse-as per lockfile / directory (#189)
support -r flag in requirements.txt files (#174)

Full Changelog: v0.10.4...v0.11.0

What's Changed

support Pipenv develop packages without a version (#186)
avoid infinite loops parsing Maven poms with syntax errors (#188)

Full Changelog: v0.10.3...v0.10.4

What's Changed

trim leading zeros off when comparing numerical components in Maven versions (#179)

Full Changelog: v0.10.2...v0.10.3

What's Changed

update to the latest patch version of go v1.17 (#178)

Full Changelog: v0.10.1...v0.10.2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

What's Changed

Uh oh!

Releases: G-Rath/osv-detector

v0.14.0

What's Changed

Uh oh!

v0.13.1

What's Changed

Uh oh!

v0.13.0

What's Changed

Uh oh!

v0.12.0

What's Changed

Uh oh!

v0.11.2

What's Changed

Uh oh!

v0.11.1

What's Changed

Uh oh!

v0.11.0

What's Changed

Uh oh!

v0.10.4

What's Changed

Uh oh!

v0.10.3

What's Changed

Uh oh!

v0.10.2

What's Changed

Uh oh!