Sourced from golang.org/x/vuln's releases.

## v1.1.0

This release brings minor improvements to govulncheck inner workings and a few bug fixes (#66139, #65590).

### Integration
Govulncheck JSON now also contains scan mode as part of the `Config` message. Further, the `Position` in trace frames now contains only paths relative to their enclosing module. This could potentially break some existing clients, hence the bump of the minor version.

Note that this change is made to allow for easier preservation of privacy by the clients, as now the file positions do not contain information about the local machine. This is also a portable solution. Clients can reconstruct full paths for their local machine by joining the `Position` relative paths with paths of the enclosing modules on the local machine.

## v1.0.4
This release brings an improved overhaul of the govulncheck textual output. Findings at each detected level of precision (symbol, package, or module) are communicated in their own section.

By default, only the section with the user-specified precision mode is shown, followed by a summary of other sections. A detailed description with all of the sections can be obtained using a newly introduced `-show verbose` option.

This release also brings improvements and fixes for error messages and binaries (#59731).

### Integration
govulncheck (streaming) JSON now includes the code position of the vulnerable symbol. Where applicable, the `.Position` of the last entry of a finding's trace is the code location defining the `.Function`.
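The v1.1.0 note above (module-relative `Position` paths that a client joins with its local module directories) and the v1.0.4 note (a trace frame's `.Position` locating its `.Function`) describe the same client-side step. The Go program below is an added example, not code from golang.org/x/vuln: the JSON field names (`finding`, `trace`, `module`, `position`, `filename`, `line`, `column`) are assumptions about the streaming format, and the sample line and module directories are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// Assumed JSON field names for a govulncheck "finding" message; check them against the version in use.
type frame struct {
	Module   string `json:"module"`
	Position *struct {
		Filename string `json:"filename"` // module-relative since v1.1.0, so it reveals no local paths
		Line     int    `json:"line"`
		Column   int    `json:"column"`
	} `json:"position,omitempty"`
}
type message struct {
	Finding *struct {
		Trace []*frame `json:"trace"`
	} `json:"finding,omitempty"`
}

// Constructed sample line: the OSV id and module paths are placeholders, not real data.
const sampleFinding = `{"finding":{"osv":"GO-0000-0000","trace":[{"module":"example.com/dep","function":"Parse","position":{"filename":"parse.go","line":42,"column":6}},` +
	`{"module":"example.com/app","function":"main","position":{"filename":"cmd/server/main.go","line":12,"column":3}}]}}`

// ResolvePositions joins each frame's module-relative filename with that module's local directory
// (moduleDirs, e.g. Dir from `go list -m -json all`); an unknown module is an error, never a guessed path.
func ResolvePositions(line string, moduleDirs map[string]string) ([]string, error) {
	var msg message
	if err := json.Unmarshal([]byte(line), &msg); err != nil {
		return nil, err
	}
	if msg.Finding == nil { // config, progress and osv messages carry no trace
		return nil, nil
	}
	var out []string
	for _, fr := range msg.Finding.Trace {
		if fr.Position == nil { // e.g. binary-mode scans carry no source positions
			continue
		}
		dir, ok := moduleDirs[fr.Module]
		if !ok {
			return nil, fmt.Errorf("no local directory known for module %q", fr.Module)
		}
		out = append(out, fmt.Sprintf("%s:%d:%d", filepath.Join(dir, filepath.FromSlash(fr.Position.Filename)), fr.Position.Line, fr.Position.Column))
	}
	return out, nil
}
```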
## v1.0.3
The major feature brought by this release is the govulncheck `-mode extract` option. It enables users to extract a blob abstraction of a binary whose size is typically much smaller than the binary itself. The blob can be passed to govulncheck for analysis with the `-mode binary` option. The users should not rely on the contents or the representation of the blob.

This release also brings several bug fixes (#65124, #65155, and #65130).

## v1.0.2

This release brings minor improvements to the govulncheck textual output and fixes for error messages (#59623, #64681), fixed version suggestion (#62276), documentation (e.g., #60166), and issues in dependencies (e.g., #64112).

Support for analyzing stripped darwin binaries in govulncheck is added as well (#61051).

### Integration

govulncheck (streaming) JSON now emits an OSV message for each vulnerability associated with user modules and its transitive dependencies, regardless of the module version.

As usual, govulncheck emits a module-level Finding if a vulnerability for a module applies to the current module version.
- a7188c6 internal/openvex: add vex types
- 4b737a9 internal/sarif: compute relative paths for findings
- 7bf0c05 internal/sarif: remove unused field
- 7b0e650 go.mod: update golang.org/x dependencies
- f1b1098 internal/sarif,internal/scan,internal/traces: clean up tests
- 33791bc internal/sarif: add region part of the physical location
- d00c170 internal/sarif: add code flows
- 9fbf042 cmd/govulncheck: clean up test
- efaa3ce cmd/govulncheck: make test case config data
- 7838670 cmd/govulncheck: add comment capability to fixups

Sourced from codecov/codecov-action's releases.
## v4.0.0

v4 of the Codecov Action uses the CLI as the underlying upload. The CLI has helped to power new features including local upload, the global upload token, and new upcoming features.

### Breaking Changes

- The Codecov Action runs as a `node20` action due to `node16` deprecation. See this post from GitHub on how to migrate.
- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token). This doc shows instructions on how to add the Codecov token.
- OS platforms have been added, though some may not be automatically detected. To see a list of platforms, see our CLI download page.
- Various arguments to the Action have been changed. Please be aware that the arguments match with the CLI's needs.

`v3` versions and below will not have access to CLI features (e.g. global upload token, ATS).

### What's Changed
- build(deps): bump openpgp from 5.8.0 to 5.9.0 by @dependabot in codecov/codecov-action#985
- build(deps): bump actions/checkout from 3.0.0 to 3.5.3 by @dependabot in codecov/codecov-action#1000
- build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in codecov/codecov-action#1006
- build(deps): bump tough-cookie from 4.0.0 to 4.1.3 by @dependabot in codecov/codecov-action#1013
- build(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in codecov/codecov-action#1024
- build(deps): bump node-fetch from 3.3.1 to 3.3.2 by @dependabot in codecov/codecov-action#1031
- build(deps-dev): bump @types/node from 20.1.4 to 20.4.5 by @dependabot in codecov/codecov-action#1032
- build(deps): bump github/codeql-action from 1.0.26 to 2.21.2 by @dependabot in codecov/codecov-action#1033
- build commit,report and upload args based on codecovcli by @dana-yaish in codecov/codecov-action#943
- build(deps-dev): bump @types/node from 20.4.5 to 20.5.3 by @dependabot in codecov/codecov-action#1055
- build(deps): bump github/codeql-action from 2.21.2 to 2.21.4 by @dependabot in codecov/codecov-action#1051
- build(deps-dev): bump @types/node from 20.5.3 to 20.5.4 by @dependabot in codecov/codecov-action#1058
- chore(deps): update outdated deps by @thomasrockhu-codecov in codecov/codecov-action#1059
- build(deps-dev): bump @types/node from 20.5.4 to 20.5.6 by @dependabot in codecov/codecov-action#1060
- build(deps-dev): bump @typescript-eslint/parser from 6.4.1 to 6.5.0 by @dependabot in codecov/codecov-action#1065
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 6.4.1 to 6.5.0 by @dependabot in codecov/codecov-action#1064
- build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in codecov/codecov-action#1063
- build(deps-dev): bump eslint from 8.47.0 to 8.48.0 by @dependabot in codecov/codecov-action#1061
- build(deps-dev): bump @types/node from 20.5.6 to 20.5.7 by @dependabot in codecov/codecov-action#1062
- build(deps): bump openpgp from 5.9.0 to 5.10.1 by @dependabot in codecov/codecov-action#1066
- build(deps-dev): bump @types/node from 20.5.7 to 20.5.9 by @dependabot in codecov/codecov-action#1070
- build(deps): bump github/codeql-action from 2.21.4 to 2.21.5 by @dependabot in codecov/codecov-action#1069
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 6.5.0 to 6.6.0 by @dependabot in codecov/codecov-action#1072
- Update README.md by @thomasrockhu-codecov in codecov/codecov-action#1073
- build(deps-dev): bump @typescript-eslint/parser from 6.5.0 to 6.6.0 by @dependabot in codecov/codecov-action#1071
- build(deps-dev): bump @vercel/ncc from 0.36.1 to 0.38.0 by @dependabot in codecov/codecov-action#1074
- build(deps): bump @actions/core from 1.10.0 to 1.10.1 by @dependabot in codecov/codecov-action#1081
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 6.6.0 to 6.7.0 by @dependabot in codecov/codecov-action#1080
- build(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in codecov/codecov-action#1078
- build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in codecov/codecov-action#1077
- build(deps-dev): bump @types/node from 20.5.9 to 20.6.0 by @dependabot in codecov/codecov-action#1075
- build(deps-dev): bump @typescript-eslint/parser from 6.6.0 to 6.7.0 by @dependabot in codecov/codecov-action#1079
- build(deps-dev): bump eslint from 8.48.0 to 8.49.0 by @dependabot in codecov/codecov-action#1076
- use cli instead of node uploader by @dana-yaish in codecov/codecov-action#1068
- chore(release): 4.0.0-beta.1 by @thomasrockhu-codecov in codecov/codecov-action#1084
- not adding -n if empty to do-upload command by @dana-yaish in codecov/codecov-action#1085
- 4.0.0-beta.2 by @thomasrockhu-codecov in codecov/codecov-action#1086
... (truncated)
Sourced from codecov/codecov-action's changelog.

## 4.0.0-beta.2

### Fixes

- #1085 not adding -n if empty to do-upload command

## 4.0.0-beta.1

`v4` represents a move from the universal uploader to the Codecov CLI. Although this will unlock new features for our users, the CLI is not yet at feature parity with the universal uploader.

### Breaking Changes

- No current support for `aarch64` and `alpine` architectures.
- Tokenless uploading is unsupported
- Various arguments to the Action have been removed
## 3.1.4

### Fixes

- #967 Fix typo in README.md
- #971 fix: add back in working dir
- #969 fix: CLI option names for uploader

### Dependencies

- #970 build(deps-dev): bump @types/node from 18.15.12 to 18.16.3
- #979 build(deps-dev): bump @types/node from 20.1.0 to 20.1.2
- #981 build(deps-dev): bump @types/node from 20.1.2 to 20.1.4

## 3.1.3

### Fixes

- #960 fix: allow for aarch64 build

### Dependencies

- #957 build(deps-dev): bump jest-junit from 15.0.0 to 16.0.0
- #958 build(deps): bump openpgp from 5.7.0 to 5.8.0
- #959 build(deps-dev): bump @types/node from 18.15.10 to 18.15.12

## 3.1.2

### Fixes

- #718 Update README.md
- #851 Remove unsupported path_to_write_report argument
- #898 codeql-analysis.yml
- #901 Update README to contain correct information - inputs and negate feature
- #955 fix: add in all the extra arguments for uploader

### Dependencies

- #819 build(deps): bump openpgp from 5.4.0 to 5.5.0
- #835 build(deps): bump node-fetch from 3.2.4 to 3.2.10
- #840 build(deps): bump ossf/scorecard-action from 1.1.1 to 2.0.4
- #841 build(deps): bump @actions/core from 1.9.1 to 1.10.0
- #843 build(deps): bump @actions/github from 5.0.3 to 5.1.1
- #869 build(deps): bump node-fetch from 3.2.10 to 3.3.0
- #872 build(deps-dev): bump jest-junit from 13.2.0 to 15.0.0
- #879 build(deps): bump decode-uri-component from 0.2.0 to 0.2.2
... (truncated)
- e0b68c6 fix: show both token uses in readme (#1250)
- 1f9f557 Add all args (#1245)
- 09686fc Update README.md (#1243)
- f30e495 fix: update action.yml (#1240)
- a7b945c fix: allow for other archs (#1239)
- 98ab2c5 Update package.json (#1238)
- 43235cc Update README.md (#1237)
- 0cf8684 chore(ci): bump to node20 (#1236)
- 8e1e730 build(deps-dev): bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0 ...
- 61293af build(deps-dev): bump @typescript-eslint/parser from 6.19.1 to 6.20.0 (#1235)