Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

5.0.1

  • Updated dependencies as needed for security fixes

5.0.0

Breaking change

  • Only supports Ruby 3.0+ due to nokogiri upgrade

Changed

  • Ensure homepage string is not too long in cabal.rb to avoid a DoS attack
  • Update dependencies

4.5.0

Changed

  • Bumped a number of dependencies for security fixes

4.4.0

Added

  • Licensed status command will alert on stale cached dependency records (#657)

4.3.1

Changed

  • Bump nokogiri to resolve vulnerabilities (#648)

4.3.0

Added

  • Cocoapods support has been re-enabled using a cocoapods plugin (#644)

4.2.0

Added

  • Reviewed and ignored configuration lists support matching on versions and version ranges (#629)

Fixed

  • Licensed should more reliably source dependencies from Gradle >= 8.0 (#630)

4.1.0

Added

  • Custom license terms can be added to dependencies via new configuration options (#624)
  • Licensed is now integrated with pnpm to enumerate dependencies (#626)

4.0.4

Changed

  • Dependency version requirements are more relaxed (#619)

4.0.3

Changed

  • Cocoapods dependency enumeration has been disabled (#616)

Fixed

  • Fixed method signature change in Bundler API with Bundler >= 2.4.4 (:tada: @CvX #614)
  • Fixed installation dependency compatibility with Rails >= 7.0 (#616)

4.0.2

Fixed

  • The path to a gradlew executable can be configured when enumerating gradle dependencies (:tada: @LouisBoudreau #610)

4.0.1

Fixed

  • Running gradle tests will no longer fail when gradle is not available (#606)

4.0.0

Added

  • Licensed supports Cocoapods as a dependency source (:tada: @LouisBoudreau #584)
  • Licensed supports Gradle multi-project builds (:tada: @LouisBoudreau #583)

Fixed

  • Licensed no longer crashes when run with Bundler >= 2.4.0 (:tada: @JoshReedSchramm #597)

Changed

  • BREAKING: Licensed no longer ships executables with releases (#586)
  • BREAKING: Licensed no longer includes support for Go <= 1.11 (#602)

3.9.1

Fixed

  • Updating cached dependency records will more accurately apply review_changed_license flag (#578)

3.9.0

Added

  • NOTICE files can now be generated without cached files in a repository (#572)

3.8.0

Added

  • Licensing compliance status checks can now be used without cached files in a repository (#560)

3.7.5

Fixed

  • Python dependency metadata will be correctly parsed from the output of pip show (#555)

3.7.4

Fixed

  • Licenses for Python dependencies built with Hatchling are correctly found (#547)

3.7.3

Fixed

  • Swift test fixtures build artifacts are now ignored (:tada: @CvX #524)
  • Running cargo test fixture setup no longer deletes test files (:tada: @CvX #525)
  • Bundler test fixtures are compatible with latest macOS silicon (:tada: @CvX #528)
  • Fix segfaults seen using licensed with ruby 3.0.4 (#530)
  • Fix compatibility with latest versions of bundler 2.3 (#535)
  • Fix compatibility with latest versions of bundler 2.3 (:tada: @CvX #522)

3.7.2

Fixed

  • Comparing dependency license contents now finds matching contents regardless of the order of the licenses (#516)
  • Fixed typo in a link in README.md (#514)

Changed

  • Elixir testing setup is migrated to erlef/setup-beam (#512)

3.7.1

Fixed

  • Dependencies' legal notice file matching has been made more strict to reduce false positives on code files containing the word legal (#510)

3.7.0

Changed

  • Pip and pipenv sources will find dependency licenses under dist-info/license_files when available (#504)

3.6.0

2022-03-17

Added

  • Composer dev dependencies can optionally be included in enumerated PHP dependencies (:tada: @digilist #486)
  • Getting started usage documentation (#483)
  • Initial support for NPM workspaces (#485)

Changed

  • Transitive dependencies are now enumerated by the pip source (#480)

Fixed

  • licensed cache --force will now correctly overwrite existing license classifications (#473)

3.5.0

2022-02-24

Added

  • Licensee confidence thresholds can be configured in the licensed configuration file (#455)

3.4.4

2022-02-07

Fixed

  • The npm and pip sources have better protection from strings causing crashes in Hash#dig (#450)

3.4.3

2022-01-31

Added

  • The npm source handles more cases of missing, optional, peer dependencies (#443)

3.4.2

2022-01-17

Fixed

  • The yarn source will no longer evaluate package.json files that do not represent project dependencies (#439)

3.4.1

2022-01-07

Fixed

  • Malformed package.json files will no longer crash yarn dependency detection (#431)

3.4.0

2021-12-14

Added

  • New Yarn enumerator with support for berry versions (#423)

Fixed

  • Error handling cases return correct values in the Yarn enumerator (#425)
  • Fixed link in command documentation (:tada: @chibicco #416)
  • Fixed minor backwards compatibility issue for Ruby 2.3 support (:tada: @dzunk #414)

Changed

  • Licensed's own dependencies are cached in the repository and kept up to date with GitHub Actions (#421)

3.3.1

2021-10-07

Fixed

  • Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol #411)

Changed

  • Manifest source evaluation performance improvements (#407)

3.3.0

2021-09-18

Added

  • New cargo source enumerates rust dependencies (#404)

Changed

  • Removed non-functional files from gem builds (#405)

3.2.3

2021-09-14

Fixed

  • Bundler source will no longer infinitely recurse when enumerating specifications (#402)
  • Using the --sources command line option will no longer delete skipped sources' cached files (#401)

3.2.2

2021-09-09

Fixed

  • Bundler source works properly again when used outside of bundle exec (#397)

3.2.1

2021-09-06

Fixed

  • Bundler source correctly finds platform specific dependencies (#392)

3.2.0

2021-08-19

Added

  • Application names can be dynamically generated based on the path to the application source (#375)

Changed

  • Updated command documentation (#378, https://github.com/github/licensed/pull/380/files)
  • Updated configuration documentation (#375)
  • Cache and status commands give additional diagnostic output when using JSON and YAML formatters (#378)
  • Status command will give users a link to documentation when compliance checks fail (#381)

Fixed

  • The bundler source correctly checks that the path bundler specifies a gem is loaded from is a file (#379)

3.1.0

2021-06-16

Added

  • Licensed supports Swift/Swift package manager as a dependency source (:tada: @mattt #363)

Changed

  • The source_path configuration property accepts arrays of inclusion and exclusion glob patterns (#368)
  • The Nuget source now uses configured fallback folders to find dependencies that are not found in the project folder (#366)
  • The Nuget source supports a configurable property for the path from the project source path to the project's obj folder (#365)

Fixed

  • The Go source's checks for local packages will correctly find paths in case-insensitive file systems (#370)
  • The Bundler source will no longer unnecessarily reset the local Bundler environment configuration (#372)

3.0.1

2021-05-17

Fixed

  • The bundler source will correctly enumerate dependencies pulled with a git: directive (#360)

3.0.0

2021-04-27

This is a major release and includes potentially breaking changes to bundler dependency enumeration.

Changed

  • The bundler source will return an error when run from an executable. Please install licensed as a gem to continue using the bundler source. Please see the v3 migration document for full details and migration strategies.

2.15.2

2021-04-06

Fixed

  • The pip source works with package names containing periods (:tada: @bcskda #350)

2.15.1

2021-03-29

Changed

  • The npm source will ignore dependencies that are marked as both extraneous and missing (#347)

2.15.0

2021-03-24

Added

  • Support for npm 7 (#341)

Fixed

  • Files in the manifest source will be found correctly for apps that are not at the repository root (#345)

2.14.4

2021-02-09

Added

  • list and cache commands optionally print output in JSON or YML formats using the --format/-f flag (#334)
  • list command will include detected license keys using the --licenses/-l flag (#334)

2.14.3

2020-12-11

Fixed

  • Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun #328)

2.14.2

2020-11-20

Fixed

  • Yarn source correctly finds dependency paths on disk (#326)
  • Go source better handles finding dependencies that have been vendored (#323)

2.14.1

2020-10-09

Fixed

  • Shell command output is encoded to UTF8 (#319)

2.14.0

2020-10-04

Added

  • reviewed dependencies can use glob pattern matching (#313)

Fixed

  • Fix configuring source path globs that expand into a single directory (#312)

2.13.0

2020-09-23

Added

  • status command results can be output in YAML and JSON formats (:tada: @julianvilas #303)

Fixed

  • licensed no longer crashes when parsing invalid YAML from cached records (#306)
  • NPM source will no longer crash when invalid JSON is returned from npm CLI calls (#300)
  • Bundler source is fixed to work properly with gems.rb lockfiles (#299)

2.12.2

2020-07-07

Changed

  • Cleaned up ruby 2.7 warnings (:tada: @jurre #292)
  • Cleaned up additional warnings in tests (#293)

2.12.1

2020-06-30

Fixed

  • licensed no longer exits an error code when using the --sources CLI argument (#290)

2.12.0

2020-06-19

Added

  • --sources argument for cache, list, status and notices commands to filter running sources (#287)

Fixed

  • cache command will not remove files outside of enabled source cache paths (#287)

2.11.1

2020-06-09

Fixed

  • notices command properly reads cached dependency notices contents (#283)

2.11.0

2020-06-02

Added

  • notices command to create a NOTICE file for each configured app (#277)

Fixed

  • NuGet source no longer crashes on a non-existent dependency path (#280)
  • Go source no longer crashes on a non-existent dependency package path (#274)

2.10.0

2020-05-15

Changed

  • NPM source ignores missing peer dependencies (#267)

Added

  • NuGet source (:tada: @zarenner #261)
  • Multiple apps can share a single cache location (#263)

2.9.2

2020-04-28

Changed

  • licensee minimum version bumped to 9.13.2 (#256)

2.9.1

2020-03-24

Changed

  • relaxed gem version restrictions on Thor (:tada: @eileencodes #254)

2.9.0

2020-03-19

Added

  • Source paths use glob pattern matching (#245)

Fixed

  • Mix source supports updates to mix.lock format (:tada: @bruce #242)
  • Go source supports go list format changes in go 1.14 (#247)

Changed

  • licensed cache will flag dependencies for re-review when license text changes (#248)
  • licensed status will raise errors on dependencies that need re-review (#248)
  • licensee minimum version bumped to 9.13.1 (#251)

2.8.0

2020-01-03

Added

  • Yarn source (#232, #233, #236)
  • NPM source has a new option to include non-production dependencies (#231)

Fixed

  • Cabal source will no longer crash if packages aren't found (#230)

2.7.0

2019-11-10

Added

  • License text is automatically generated for known licenses when not otherwise available (#223)

Changed

  • Ignoring dependencies uses glob pattern matching (#225)

2.6.2

2019-11-03

Changed

  • A number of improvements to the go dependency enumerator
    • use go env GOPATH as a default if no other GOPATH is found
    • better compatibility with go modules when finding license content
    • better compatibility with vendored go modules
    • use a package's godoc.org page as its homepage
    • better checks for standard packages, reducing the amount of cached content

2.6.1

2019-10-26

Changed

  • Performance improvements during dependency enumeration (:tada: @krzysztof-pawlik-gat #204, #207) (#210)

2.6.0

2019-10-22

Added

  • Mix source for Elixir (:tada: @bruce #195)

2.5.0

2019-09-26

Added

  • env command to output application environment configuration (#187, #191)

Changed

  • status command will pass if multiple allowed licenses are found (#188)

2.4.0

2019-09-15

Added

  • Composer source for PHP (#182)

2.3.2

2019-08-26

Fixed

  • Bundler with/without array settings are properly handled for bundler 1.15.x

2.3.1

2019-08-20

Changed

  • Using the npm source with yarn, "missing" dependencies are no longer considered errors (:tada: @krzysztof-pawlik-gat #170)
  • The bundler source now calls gem specification with dependency version requirements (#173)

2.3.0

2019-05-19

Added

  • New Pipenv dependency source enumerator (:tada: @krzysztof-pawlik-gat #167)

2.2.0

2019-05-11

Added

  • Content hash versioning strategy for go and manifest sources (#164)

Fixed

  • Python source handles urls and package names with "-" in requirements.txt (:tada: @krzysztof-pawlik-gat #165)

2.1.0

2019-04-16

Added

  • New Gradle dependency source enumerator (:tada: @dbussink #150, @jandersson-svt #159)
  • Metadata added to distributed packages (#160)

Changed

  • Bundler dependency source loads license key from a gem's cached gemspec file as a fallback (#154)
  • Licensed will only raise errors on an empty dependency path when caching records (#149)

Fixed

  • Migrating to v2 will no longer crash trying to migrate cached records that don't exist (#148)
  • Reported warnings will no longer crash licensed when caching records (#147)

2.0.1

2019-02-14

Changed

  • Dependency paths that don't exist on the local disk are reported as warnings
  • Cache, status and list output is sorted by app name, source type and dependency name
  • Bumped licensee gem requirement

2.0.0

2019-02-09

This is a major release and includes breaking changes to the configuration and cached record file formats.

Added

  • New migrate command to automatically update configuration and cached record file formats
  • New extensible reporting infrastructure
  • New base command and source classes to abstract away implementation details

Changed

  • Cached dependency metadata files are now stored entirely as YAML, with .dep.yml extension
  • The Bundler dependency source is now identified in configuration files and output as bundler instead of rubygem
  • Refactored sources for better consistency between classes
  • Refactored commands for better consistency between classes
  • Command outputs have changed for better consistency
  • Updated Dependency classes for better integration with licensee

Fixed

  • Licensed no longer exits on errors when evaluating dependency sources or finding dependencies
  • The Bundler dependency source correctly finds the bundler gem as a dependency in more cases

1.5.2

2018-12-27

Changed

  • Go source added support for Go modules and Golang 1.11+ (#113)

Fixed

  • Licensed will have a non-zero exit code when commands fail (:tada: @parkr #111)

1.5.1

2018-10-30

Fixed

  • Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable due to a ruby version mismatch (#106)

1.5.0

2018-10-24

Added

  • licensed (version | -v | --version) command to see the current licensed version (:tada: @mwagz! #101)

Fixed

  • NPM source no longer raises an error when ignored dependencies aren't found (:tada: @mwagz! #100)
  • Checking for a Git repo will no longer possibly modify .git/index (:tada: @dbussink #102)
  • Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable (#103)

1.4.0

2018-10-20

Added

  • Git Submodules dependency source 🎉
  • Configuration option to explicitly set a root absolute path

Changed

  • COPYING file is no longer matched as a legal file

Fixed

  • NPM source will enumerate multiple versions of the same dependency
  • Running Licensed outside of a Git repository no longer raises an error
  • Packaging scripts will correctly return to the previous branch when the script is finished

1.3.4

2018-09-20

Changed

  • Bundler source will avoid looking for a gemspec file when possible

1.3.3

2018-09-07

Fixed

  • Manifest source configuration globs correctly enumerates files from within submodules
  • The manifest source no longer errors when getting version information from submodules

1.3.2

2018-08-15

Fixed

  • Fixed issue when multiple versions of a cabal package are found

1.3.1

2018-08-01

Fixed

  • Fixed regression finding ruby gems by path

1.3.0

2018-07-25

Added

  • Manifests for the manifest dependency source can be specified using glob patterns in the configuration
  • Paths to licenses for dependencies from the manifest dependency source can be specified in the configuration
  • Manifest dependency source looks for license content in C-style comments if a license file isn't found

Changed

  • GitHub is no longer queried to find remote license information
  • Removed custom logic around determining whether to use the license key from licensee
  • NPM dependency enumeration doesn't use npm list
  • Licensed now tracks content from multiple license files when available

Fixed

  • Fixed regression finding platform-specific ruby gems

1.2.0

2018-06-22

Added

  • Building and packaging distributable exes for licensed releases
  • Can now configure which Gemfile groups are excluded from dependency enumeration

Fixed

  • Bundler is no longer always reported as a dependency
  • Set the minimum required ruby version for licensed

1.1.0

2018-06-04

Added

  • Pip dependency source 🎉
  • Go Dep dependency source 🎉

Changed

  • Changed how sources configuration property affects which sources are enabled
  • Raise informative error messages when shell commands fail

Fixed

  • Don't reuse cached license when cached version metadata is missing
  • Disable dependency sources when dependent tools are not available
  • Vendored packages from the go std library are properly excluded
  • Cabal dependency enumeration properly includes executable targets

1.0.1

2018-04-26

Added

  • GOPATH settable in configuration file

Changed

  • Reuse "license" metadata property when license text has not changed

Fixed

  • Path expansion for cabal "ghc_package_db" configuration setting occurs from repository root
  • Local Gemfile(.lock) files correctly used in enumerating Bundler source dependencies

1.0.0

2018-02-20

Initial release 🎉