This version changes how the detector checks advisories to greatly reduce the amount of work it does meaning performance scales a lot better as the size of databases grow - this does mean the detector no longer loads advisories that have no affected packages, but that shouldn't be a problem since the detector can't do anything with those advisories anyway; we also cache regexp compiles which in particular make version parsing faster though this will probably only be noticeable if you're using the detector as a library to check a huge number of versions.
Speaking of library users, the detector is now using Go v1.20, so you'll need to update if you're not already on that version of Go. We've also got a few fixes for PNPM lockfiles.
What's Changed
- use go v1.20 (#204)
- use a map to track which advisories should be checked for which packages (#216)
- cache regexp compiles (#213)
- support peer dependencies in v6 versions of PNPM lockfiles (#209)
- properly parse pre-release versions in PNPM lockfiles (#211)
Full Changelog: v0.11.2...v0.12.0