
Releases: G-Rath/osv-detector

v0.12.0

15 Sep 20:42
3c980d6

This version changes how the detector checks advisories so that it does far less work per package, which means performance scales much better as databases grow. As part of this, advisories that list no affected packages are no longer loaded; that should not be a problem, since the detector cannot do anything with those advisories anyway. Regexp compiles are now cached too, which makes version parsing faster, though the difference will probably only be noticeable if you are using the detector as a library to check a very large number of versions.

Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.
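The map-based advisory check described above, as an added example that is not osv-detector's own code: the types, the sample advisories (made-up IDs and package names) and the VersionCore normalisation are assumptions made for the illustration. Advisories are indexed once by affected package, advisories with no affected packages are dropped at index time, and the regexp used while normalising versions is compiled once and reused.

```go
package main

import (
	"fmt"
	"regexp"
	"sync"
)

// Illustrative subset of the OSV schema (assumed types, not osv-detector's own): an advisory
// lists the packages it affects and, for each, the versions known to be vulnerable.
type Package struct{ Ecosystem, Name string }

type Affected struct {
	Package  Package
	Versions []string
}

type Advisory struct {
	ID       string
	Affected []Affected
}

// AdvisoryIndex maps each affected package to the advisories that mention it, so a check
// visits only those advisories rather than every advisory in the database.
type AdvisoryIndex struct {
	byPackage map[Package][]*Advisory
	Skipped   int // advisories with no affected packages: they can never match anything
}

// BuildIndex is the one pass over the whole database; every later check is a map lookup.
func BuildIndex(advisories []Advisory) *AdvisoryIndex {
	idx := &AdvisoryIndex{byPackage: map[Package][]*Advisory{}}
	for i := range advisories {
		adv := &advisories[i]
		if len(adv.Affected) == 0 {
			idx.Skipped++
			continue
		}
		seen := map[Package]bool{} // one index entry per advisory per package
		for _, a := range adv.Affected {
			if !seen[a.Package] {
				seen[a.Package] = true
				idx.byPackage[a.Package] = append(idx.byPackage[a.Package], adv)
			}
		}
	}
	return idx
}

// Candidates is how many advisories a check for pkg has to examine.
func (idx *AdvisoryIndex) Candidates(pkg Package) int { return len(idx.byPackage[pkg]) }

// Check returns the IDs of advisories listing this version of pkg as vulnerable.
func (idx *AdvisoryIndex) Check(pkg Package, version string) []string {
	want := VersionCore(version)
	var hits []string
	for _, adv := range idx.byPackage[pkg] {
	affected:
		for _, a := range adv.Affected {
			if a.Package != pkg {
				continue
			}
			for _, v := range a.Versions {
				if VersionCore(v) == want {
					hits = append(hits, adv.ID) // report each advisory once
					break affected
				}
			}
		}
	}
	return hits
}

var regexCache sync.Map // pattern -> *regexp.Regexp

// cachedRegexp compiles each pattern once; a compiled *regexp.Regexp is safe for concurrent use.
func cachedRegexp(pattern string) *regexp.Regexp {
	if re, ok := regexCache.Load(pattern); ok {
		return re.(*regexp.Regexp)
	}
	re, _ := regexCache.LoadOrStore(pattern, regexp.MustCompile(pattern))
	return re.(*regexp.Regexp)
}

// VersionCore drops an optional leading "v" and any "+build" metadata (which carries no
// precedence), so "v1.0.1+build.7" is compared as "1.0.1"; pre-release suffixes are kept.
func VersionCore(version string) string {
	m := cachedRegexp(`^v?(\d+(?:\.\d+)*(?:-[0-9A-Za-z.-]+)?)`).FindStringSubmatch(version)
	if m == nil {
		return version
	}
	return m[1]
}

// sampleAdvisories is constructed sample data: the IDs and package names are made up.
func sampleAdvisories() []Advisory {
	widget := Package{"npm", "example-widget"}
	return []Advisory{
		{ID: "EXAMPLE-0001", Affected: []Affected{{widget, []string{"1.0.0", "1.0.1"}}, {widget, []string{"2.0.0"}}}},
		{ID: "EXAMPLE-0002", Affected: []Affected{{Package{"PyPI", "example-lib"}, []string{"0.9.0"}}, {widget, []string{"1.0.1"}}}},
		{ID: "EXAMPLE-0003"}, // e.g. a withdrawn advisory: nothing to check against
	}
}

func main() {
	idx := BuildIndex(sampleAdvisories())
	fmt.Println(idx.Skipped, idx.Check(Package{"npm", "example-widget"}, "v1.0.1+build.7"))
}
```

With three advisories in the sample database, a check of npm/example-widget examines two candidates and the third is never loaded; the same shape holds when the database has tens of thousands of entries and the lockfile names a few hundred packages.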

What's Changed

  • use go v1.20 (#204)
  • use a map to track which advisories should be checked for which packages (#216)
  • cache regexp compiles (#213)
  • support peer dependencies in v6 versions of PNPM lockfiles (#209)
  • properly parse pre-release versions in PNPM lockfiles (#211)

Full Changelog: v0.11.2...v0.12.0

v0.11.2

19 Aug 04:59
52d3d19

What's Changed

  • set CompareAs for pubspec packages (#199)
  • check for unexpected responses from remote database hosts (#197)
  • ensure full-line error messages have a newline at the end (#200)
  • ensure that affected entries are in order before comparing (#198)

Full Changelog: v0.11.1...v0.11.2

v0.11.1

11 Jul 21:00
a61c828

What's Changed

  • don't panic on empty pnpm-lock.yaml files (#191)
  • improve warning message when parsing invalid Maven poms (#192)
  • handle cyclical -r includes in requirements.txt files (#193)
  • handle line continuations in requirements.txt files (#195)
  • handle requirements with options in requirements.txt (#196)

Full Changelog: v0.11.0...v0.11.1

v0.11.0

28 Apr 02:35
063a98e

What's Changed

  • support PNPM v6 lockfiles (#187)
  • support dependencyManagement in Maven poms (#175)
  • support providing parse-as per lockfile / directory (#189)
  • support -r flag in requirements.txt files (#174)

Full Changelog: v0.10.4...v0.11.0
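The requirements.txt handling that v0.11.0 (-r includes, #174) and v0.11.1 (cyclical includes, line continuations and per-requirement options, #193, #195, #196) address, as an added example that is not osv-detector's own parser. The file contents, package names and the all-zero hash are constructed for the illustration, and include paths are looked up in an in-memory map rather than resolved against the filesystem.

```go
package main

import (
	"fmt"
	"strings"
)

// Requirement is one package named by a requirements.txt; Version is empty unless pinned with ==.
type Requirement struct {
	Name    string
	Version string
}

// sampleFiles is constructed input standing in for the filesystem (path -> contents); the hash is a placeholder.
var sampleFiles = map[string]string{
	"requirements.txt": `# top-level file
--index-url https://pypi.example.invalid/simple
-r base.txt
requests[security]==2.31.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0   # unpinned, so there is no version to check
`,
	"base.txt": `-r requirements.txt   # cyclical include back to the top-level file
urllib3 == 1.26.0 ; python_version >= "3.7"
`,
}

// ParseRequirements collects the requirements reachable from path via -r includes (paths used as given).
func ParseRequirements(fs map[string]string, path string) ([]Requirement, error) {
	var out []Requirement
	err := parseFile(fs, path, map[string]bool{}, &out)
	return out, err
}

func parseFile(fs map[string]string, path string, visited map[string]bool, out *[]Requirement) error {
	if visited[path] {
		return nil // already parsed, or a -r cycle back to an ancestor: stop here
	}
	visited[path] = true
	content, ok := fs[path]
	if !ok {
		return fmt.Errorf("%s: referenced by -r but not found", path)
	}
	pending := "" // accumulates physical lines joined by a trailing backslash
	for _, raw := range strings.Split(content, "\n") {
		if strings.HasSuffix(raw, `\`) {
			pending += strings.TrimSuffix(raw, `\`)
			continue
		}
		line := strings.TrimSpace(stripComment(pending + raw))
		pending = ""
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case fields[0] == "-r" && len(fields) == 2:
			if err := parseFile(fs, fields[1], visited, out); err != nil {
				return err
			}
		case strings.HasPrefix(fields[0], "-"):
			// other option lines (--index-url, -e, --find-links, ...) name no package to check
		default:
			*out = append(*out, parseSpec(line))
		}
	}
	return nil
}

// stripComment applies pip's rule: # at line start or after whitespace begins a comment; "#egg=" in a URL does not.
func stripComment(line string) string {
	for i := 0; i < len(line); i++ {
		if line[i] == '#' && (i == 0 || line[i-1] == ' ' || line[i-1] == '\t') {
			return line[:i]
		}
	}
	return line
}

// parseSpec reduces `name[extras] == 1.2.3 --hash=... ; marker` to the package name and its == pin.
func parseSpec(line string) Requirement {
	line, _, _ = strings.Cut(line, " --") // per-requirement options such as --hash
	line, _, _ = strings.Cut(line, ";")   // environment markers
	spec := strings.Join(strings.Fields(line), "") // spaces are allowed around operators
	name, ver := spec, ""
	if i := strings.IndexAny(spec, "<>=!~"); i >= 0 {
		name, ver = spec[:i], spec[i:]
	}
	name, _, _ = strings.Cut(name, "[") // extras do not change which package is installed
	r := Requirement{Name: strings.ToLower(name)}
	if strings.HasPrefix(ver, "==") && !strings.HasPrefix(ver, "===") {
		r.Version = strings.TrimPrefix(ver, "==")
	}
	return r
}

func main() {
	reqs, err := ParseRequirements(sampleFiles, "requirements.txt")
	fmt.Println(reqs, err)
}
```

The visited set is what keeps the base.txt -> requirements.txt -> base.txt loop from recursing forever; it also means a file included twice contributes its packages once. Unpinned requirements such as flask>=2.0 come back with an empty version, so a caller knows there is nothing concrete to check against a database.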

v0.10.4

27 Apr 20:49
c988b29

What's Changed

  • support Pipenv develop packages without a version (#186)
  • avoid infinite loops parsing Maven poms with syntax errors (#188)

Full Changelog: v0.10.3...v0.10.4

v0.10.3

09 Mar 20:11
6d5ef91

What's Changed

  • trim leading zeros off when comparing numerical components in Maven versions (#179)

Full Changelog: v0.10.2...v0.10.3

v0.10.2

04 Mar 21:00
8eb1a06

What's Changed

  • update to the latest patch version of go v1.17 (#178)

Full Changelog: v0.10.1...v0.10.2

v0.10.1

04 Mar 20:35
dfbde80

What's Changed

  • support yarn.lock files with quoted properties (#170)
  • avoid panic when parsing file: dependencies in pnpm lockfiles (#171)
  • deduplicate packages that appear multiple times in Pipfile.lock files (#172)
  • properly handle comparing zero versions in Maven (#173)

Full Changelog: v0.10.0...v0.10.1
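The two Maven version edge cases called out above, leading zeros in numeric components (v0.10.3, #179) and zero versions (v0.10.1, #173), as an added example that is not osv-detector's comparator. Numeric components are compared after trimming leading zeros, without converting them to integers, and a missing trailing component counts as zero so that "1.0.0" equals "1". Qualifiers such as -SNAPSHOT are deliberately out of scope here and rejected; InRange applies the inclusive "introduced", exclusive "fixed" semantics of an OSV range.

```go
package main

import (
	"fmt"
	"strings"
)

// isDigits reports whether s is a non-empty run of ASCII digits.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// compareNumeric orders two digit strings as numbers without converting them to integers
// (so an absurdly long component cannot overflow): trim leading zeros, then the longer
// string is the larger number and equal-length strings compare byte-wise.
// "01" == "1", "10" > "9", "0" == "00".
func compareNumeric(a, b string) int {
	a, b = strings.TrimLeft(a, "0"), strings.TrimLeft(b, "0")
	switch {
	case len(a) < len(b):
		return -1
	case len(a) > len(b):
		return 1
	}
	return strings.Compare(a, b)
}

// components splits a dot-separated version and rejects anything non-numeric; Maven
// qualifiers such as -SNAPSHOT or .Final are out of scope for this example.
func components(v string) ([]string, error) {
	parts := strings.Split(v, ".")
	for _, p := range parts {
		if !isDigits(p) {
			return nil, fmt.Errorf("%q: non-numeric component %q", v, p)
		}
	}
	return parts, nil
}

// CompareVersions returns -1, 0 or 1 ordering a against b.
func CompareVersions(a, b string) (int, error) {
	as, err := components(a)
	if err != nil {
		return 0, err
	}
	bs, err := components(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0" // a missing trailing component counts as zero, so "1" == "1.0.0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		if c := compareNumeric(x, y); c != 0 {
			return c, nil
		}
	}
	return 0, nil
}

// InRange reports whether introduced <= v < fixed, the semantics of an OSV
// "introduced"/"fixed" event pair; an empty fixed means no fix is known yet.
func InRange(v, introduced, fixed string) (bool, error) {
	lo, err := CompareVersions(v, introduced)
	if err != nil || lo < 0 {
		return false, err
	}
	if fixed == "" {
		return true, nil
	}
	hi, err := CompareVersions(v, fixed)
	return hi < 0, err
}

func main() {
	for _, p := range [][2]string{{"1.0.0", "1"}, {"1.01", "1.1"}, {"1.10", "1.9"}, {"2.0", "10"}} {
		c, err := CompareVersions(p[0], p[1])
		fmt.Println(p[0], p[1], c, err)
	}
	fmt.Println(InRange("1.9.1", "1.0", "1.10"))
}
```

The leading-zero case matters for correctness, not just tidiness: a comparator that compared "01" and "1" as strings would report a pinned 1.01 as outside a range that an advisory wrote as 1.1, and a version that reads "1.10" would sort below "1.9".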

v0.10.0

12 Jan 21:03
0976ad8

What's Changed

  • support parsing Gradle lockfiles (#164)
  • support parsing NuGet packages.lock.json lockfiles (#165)
  • support parsing Pipenv Pipfile.lock lockfiles (#166)

Full Changelog: v0.9.1...v0.10.0

v0.9.1

21 Dec 00:20
adfea86

What's Changed

  • ensure that file paths are handled properly on Windows (#161)
  • handle replace directives in go.mod files (#162)

Full Changelog: v0.9.0...v0.9.1