Skip to content

Releases: containerbuildsystem/cachi2

0.16.0

17 Dec 15:17
Compare
Choose a tag to compare

Improvements

  • official support for yarn classic package manager
  • replacement of tox and Makefile automation tools with nox

Full Changelog: 0.15.0...0.16.0

0.15.0

26 Nov 16:37
Compare
Choose a tag to compare

Improvements:

  • Added a security policy (SECURITY.md)
  • [bundler] docs update

Bug fixes:

[bundler] Try harder at convincing bundler to respect an offline installation (#733)

0.14.0

19 Nov 15:16
Compare
Choose a tag to compare

Breaking changes

  • [pip] Stop allowing project metadata mixing from concurrent config files, e.g. pyproject.toml, setup.cfg, setup.py (5a65f16, #680)
    For projects that were defined this way and made use of cachi2 this will result in different SBOM component PURLs for the same set of inputs.

Improvements

  • [generic] Official support for the generic artifact fetcher
  • [generic] Support for fetching and SBOM reporting of Maven artifacts

Experimental features

  • [yarn v1] Implemented parsing for yarn.lock and package.json

Bug fixes

  • [CLI] typer: Do not log locals in an exception's stacktrace (CVE-2024-52582)
  • [bundler] Fixed missing cachi2:found_by SBOM property in precompiled gem components

0.13.0

29 Oct 18:00
Compare
Choose a tag to compare

Improvements

  • Official backend support for Bundler (Ruby ecosystem)
  • Show help when no CLI arguments were given
  • Contributing: increase the release cadence to weekly

Experimental features

  • [yarn v1] add workspace handler
  • [generic artifact fetcher] introduce fetching files & SBOM reporting

0.12.0

15 Oct 11:27
Compare
Choose a tag to compare

Improvements

  • adopt contributor's guidelines [CONTRIBUTING.md] (non-functional change)

Experimental features

  • [bundler] generate SBOM components
  • [yarn v1] CLI experimental enablement
  • [yarn v1] prefetching from offline mirrors
  • [rpm] enable TLS client authentication to RPM authenticated repositories with certificates passed via input JSON extra options
  • [generic artifact fetcher] CLI experimental enablement
  • [generic artifact fetcher] generic YAML lockfile representation

0.11.0

18 Sep 14:50
Compare
Choose a tag to compare

Improvements

  • Switch the container base image to UBI-9 (https://catalog.redhat.com/software/base-images)
  • Introduce a new merge-sboms CLI command
    • this allows merging multiple SBOMs which we generated ourselves
  • Remove the utils/merge_syft_sbom.py script
  • Replace the pyreflink dependency with a vendored implementation of fast in-kernel copying
  • Bump the max Go supported version 1.22 -> 1.23
    • note we're still lacking support for vendored workspaces (introduced in Go 1.22)
  • Deprecate global --gomod-vendor and --gomod-vendor-check CLI flags
    • users no longer need to explicitly instruct cachi2 to consider the vendoring use case with regards to dependency fetching
    • note that if a repository has vendored content cachi2 will check its integrity, but will no longer perform the vendoring as part of the dependency prefetch as was the case with the --gomod-vendor-check flag
    • note the flags will be dropped in a future release

0.10.0

21 Aug 16:13
Compare
Choose a tag to compare

Improvements

  • Adds preliminary support for Go 1.22
    • Cachi2 is now able to prefetch dependencies for Go 1.22.x based projects
    • Workspace vendoring is still not supported

Bug fixes

  • Fixes error in identifying Go workspaces when the GOWORK environment variable was set to off

0.9.1

24 Jul 14:00
Compare
Choose a tag to compare

Bug fixes

  • Fix a regression where the utility merge_syft_sbom.py script isn't installed in the resulting container image anymore

0.9.0

22 Jul 16:12
Compare
Choose a tag to compare

Improvements

  • Converting the Containerfile/Dockerfile to a multi-stage build in order to easily pull in and vet latest releases of Go, NodeJS, etc.

Bug fixes

  • Fix the regex used when parsing go.mod files to figure out the desired Go version to include pre-releases and allow commentaries on the same line as the go line (e6a8010)
  • Fix aiohttp timing out on large downloads and slower connections by actually respecting the config option for async downloads (34b72cc)

Other

  • Added Python 3.12 as the officially supported platform by the project

0.8.0

26 Jun 13:28
Compare
Choose a tag to compare

Improvements

  • Support Go workspaces (for Go <= 1.21)
  • Support --index-url in requirements.txt files
  • Support ~/.netrc authentication for aiohttp requests (as used by the pip and npm code)

Bug fixes

  • Don't expose credentials in SBOM if git origin url includes credentials
  • Report missing checksums for RPMs properly: report the lockfile path, not the RPM filename