Skip to content

CHANGELOG.rst

Latest commit

 

History

History
268 lines (214 loc) · 10.5 KB

CHANGELOG.rst

File metadata and controls

268 lines (214 loc) · 10.5 KB

Release 0.14.0 (unreleased)

  • Use .cdx.json as the default extension for CycloneDX SBOM reports (#1118)
  • Embed base64-encoded license text in SBOM licenses[].text when a license is successfully identified (#1112)
  • Set SBOM licenses to the SPDX expression NOASSERTION when a license file is not found or cannot be classified (#1112)
  • Add a dfetch:license:finding property to SBOM when NOASSERTION is set, explaining the reason (#1112)
  • Add dfetch:license:threshold and dfetch:license:tool SBOM properties (#1116)
  • Add dfetch:license:<spdx-id>:confidence SBOM property for per-licence confidence scores (#1116)
  • Use github purl, repo and version for a github release archive in SBOM (#1063)
  • Allow dfetch freeze to accept project names to freeze only specific projects (#1063)
  • Edit manifest in-place when freezing inside a git or SVN superproject, preserving comments and layout (#1063)
  • Add new remove command to remove projects from manifest and disk (#26)
  • Fix "unsafe symlink target" error for archives containing relative .. symlinks (#1122)
  • Fix dfetch add crashing with a ValueError when the remote URL has a trailing slash (#1137)
  • Fix unhelpful error message when a metadata file is malformed (#1145)
  • Fix arbitrary file write via malicious tar/zip symlink (#1152)
  • Prevent SSH command injection (#1152)

Release 0.13.0 (released 2026-03-30)

  • Add archive (vcs: archive) support for fetching dependencies from .tar.gz, .tgz, .tar.bz2, .tar.xz and .zip files via HTTP, HTTPS or file URLs (#1058)
  • Fix path-traversal check using character-based prefix comparison instead of path-component comparison (#1058)
  • Fix directory hash being non-deterministic across filesystem traversal orders, causing false local-change detection (#1058)
  • Fix dfetch freeze not capturing branch information for SVN projects when only the revision matched (#1058)
  • Rename child-manifests to sub-manifests in documentation and code (#1027)
  • Fix missing closing quote in unfetched-project diagnostic command example (#1070)
  • Fetch git submodules in git subproject at pinned revision (#1013)
  • Add nested projects in subprojects to project report (#1017)
  • Make dfetch report output more yaml-like (#1017)
  • Don't break when importing submodules with space in path (#1017)
  • Warn when src: glob pattern matches multiple directories (#1017)
  • Introduce new add command with optional interactive mode (-i) (#25)

Release 0.12.1 (released 2026-02-24)

  • Fix missing unicode data in standalone binaries (#1014)

Release 0.12.0 (released 2026-02-21)

  • Internal refactoring: introduce superproject & subproject (#896)
  • Switch from pykwalify to StrictYAML (#922)
  • Show line number when manifest validation fails (#36)
  • Add Fuzzing (#819)
  • Don't allow NULL or control characters in manifest (#114)
  • Allow multiple patches in manifest (#897)
  • Fallback and warn if patch is not UTF-8 encoded (#941)
  • Skip patches outside manifest dir (#942)
  • Make patch path in metadata platform independent (#937)
  • Fix extra newlines in patch for new files (#945)
  • Replace colored-logs and Halo with Rich (#960)
  • Respect NO_COLOR (#960)
  • Group logging under a project name header (#953)
  • Introduce new update-patch command (#614)
  • Introduce new format-patch command (#943)
  • Drop python 3.9 support (#988)

Release 0.11.0 (released 2026-01-03)

  • Support python 3.14
  • Drop python 3.7, 3.8 support (#801)
  • Don't show animation when running in CI (#702)
  • Improve logic for creating Purls in SBoM (#780)
  • Add External VCS reference to SBoM if possible (#780)
  • Use CycloneDX schema version 1.6 (#542)
  • Add security policy (#784)
  • Add provenance / release attestation to pypi package (#784)
  • Support multiple licenses per project (#788)
  • Add evidence to sbom report (#788)
  • Let action work outside of dfetch repo (#816)
  • Handle SVN tags with special characters (#811)
  • Don't return non-zero exit code if tool not found during environment (#701)
  • Create standalone binaries for Linux, Mac & Windows (#705)
  • Don't make metadata file part of diff (#267)
  • Fix unneeded project prefix in SVN diffs (#888)
  • Add more tests and documentation for patching (#888)
  • Restrict src to string only in schema (#888)
  • Don't consider ignored files for determining local changes (#350)
  • Avoid waiting for user input in git & svn commands (#570)
  • Extend git ssh command to run in BatchMode (#570)
  • Use native line breaks in dfetch freeze & dfetch import (#327)

Release 0.10.0 (released 2025-03-12)

  • Support python 3.13
  • Fix too strict overlapping path check (#684)
  • Show complete URL of child manifests (#683)
  • Show remote name when using default remote (#445)
  • Select HEAD branch as default in git (#689)

Release 0.9.1 (released 2024-12-31)

  • Fix pypi publishing

Release 0.9.0 (released 2024-12-30)

  • Warn user if the remote does not exist (#185, #171)
  • Report unavailable project version during check (#381)
  • Don't look for update on random branch if only revision is provided in git (#393)
  • Don't report update available if revision on disk matches revision in manifest for git (#393)
  • Report the revision available in git if only revision is in git (#393)
  • Add ignore list to project entries in the manifest (#571)

Release 0.8.0 (released 2023-12-23)

  • Don't break if no suggestion found (#358)
  • Drop python 3.6 support (#386)
  • Fix checking project from svn branch (#383)
  • Move all configuration into single pyproject.toml (#401)
  • Also build for python 3.11, 3.12 in CI
  • Add 3.11, 3.12 classifier to pyproject
  • When importing non-std SVN external, identify src path

Release 0.7.0 (released 2022-06-22)

  • Warn about local changes during check (#286)
  • Add support for Gitlab-CI/Code Climate check reports (#18)
  • Improve Sarif/github messages (#292)
  • Update to CycloneDX spec 1.4 (#296)
  • Never overwrite main project folder and manifest (#302)
  • Add codespell and fix typo's (#303)
  • Add warning to metadata file, not to change it (#170)
  • Fix SBoM report (#337)
  • Suggest a correct project name if not found (#320)
  • Handle relative urls during dfetch import (#339)

Release 0.6.0 (released 2022-01-31)

  • Pin dependencies
  • Recommend child-projects instead of fetching (#242)
  • Show spinner when fetching (#264)
  • Don't allow path traversal for dst path
  • Check for casing issues in dst: path during update (#256)
  • Check for overlapping destinations of projects (#173)
  • Handle invalid metadata file (#280)
  • Update to CycloneDX spec 1.3 (#282)
  • Make it possible to generate jenkins and sarif json report for check (#18)

Release 0.5.1 (released 2021-12-09)

  • Pin dependencies

Release 0.5.0 (released 2021-12-09)

  • Add diff command for svn projects (#24)
  • Also add binary files as part of generated patch (#251)
  • Create diff on working copy instead of current revision (#254)
  • Deprecate dfetch list command for dfetch report command
  • Add Software Bill-of-Materials (sBoM) export to dfetch report command (#154)
  • Guess license for sbom export (#50)
  • Match more licenses (#260)

Release 0.4.0 (released 2021-11-26)

  • Add patch info to list command (#198)
  • Don't break when there is a space in SVN dest path (#223)
  • Fix unittest (#229)
  • Allow using glob pattern for src key in manifest (#228)
  • Add diff command (#24)
  • Make dfetch work for python 3.6 (#32)

Release 0.3.0 (released 2021-07-19)

  • Add list command (#20)
  • Add warning when patch file isn't found (#191)
  • Add project argument to check, update & list (#188)

Release 0.2.0 (released 2021-06-18)

  • Add freeze command (#95)
  • Add patch option (#22)
  • Fix second update fails with non-standard SVN repo's (#167)
  • Don't retain licenses in subfolders (#178)
  • Import unpinned and non-std svn externals (#133)

Release 0.1.1 (released 2021-05-27)

  • Fix empty folder remains after using src: with subfolder in git (#163)
  • New logo

Release 0.1.0 (released 2021-05-13)

  • Support for non-standard SVN repositories (#135)
  • Fix dst usage for single source file with git (#120)

Release 0.0.9 (released 2021-03-16)

  • Add copyright notices to documentation
  • Make it possible to check/update child-projects (#99)
  • Keep license files from repo, even when only checking only subdir (#50)
  • Guard against overwriting local changes (#93)
  • Add --force flag to dfetch update

Release 0.0.8 (released 2021-02-14)

  • Fix wrong version check (#101)
  • Don't mandate remote section in manifest (#102)

Release 0.0.7 (released 2021-02-13)

  • Add tag: attribute to manifest (#92)
  • Remove branches/tags prefix for svn in manifest (#88)
  • Branch name missing when not in manifest (#82)
  • Interpret tags when checking for updates (#46)
  • Add feature tests (#84)

Release 0.0.6 (released 2021-02-03)

  • Make import command available for svn projects with externals.
  • Improve documentation.
  • Fix #73: Don't fail if svn or git is not installed.
  • Fix #74: Don't default to SVN for non-ssh url.
  • Add vcs: field to manifest.
  • Make src: partial checkouts available for git.
  • Drop support for shortened git sha (#80).

Release 0.0.5 (released 2021-01-05)

  • Fix dfetch import command.
  • Improve template.
  • If no dst is given for a project, use name of project instead.
  • Fixes #28: Rename manifest.yaml to dfetch.yaml

Release 0.0.4 (released 2020-11-12)

  • Increase readability in terminals.
  • Fix template generated by dfetch init.

Release 0.0.3 (released 2020-11-09)

  • Added release procedure.
  • Added import command.

Release 0.0.2 (released 2020-11-03)

  • Added dfetch environment command.
  • Added changelog.

Release 0.0.1 (released 2020-11-03)

  • Initial release