All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Updated dependencies as needed for security fixes
- Only supports Ruby 3.0+ due to nokogiri upgrade
- Ensure homepage string is not too long in cabal.rb to avoid DoS attack
- Update dependencies
- Bumped a number of dependencies for security fixes
- Licensed status command will alert on stale cached dependency records (#657)
- Bump nokogiri to resolve vulnerabilities (#648)
- Cocoapods support has been re-enabled using a cocoapods plugin (#644)
- Reviewed and ignored configuration lists support matching on versions and version ranges (#629)
- Licensed should more reliably source dependencies from Gradle >= 8.0 (#630)
- Custom license terms can be added to dependencies via new configuration options (#624)
- Licensed is now integrated with pnpm to enumerate dependencies (#626)
- Dependency version requirements are more relaxed (#619)
- Cocoapods dependency enumeration has been disabled (#616)
- Fixed method signature change in Bundler API with Bundler >= 2.4.4 (:tada: @CvX #614)
- Fixed installation dependency compatibility with Rails >= 7.0 (#616)
- The path to a gradlew executable can be configured when enumerating gradle dependencies (:tada: @LouisBoudreau #610)
- Running gradle tests will no longer fail when gradle is not available (#606)
- Licensed supports Cocoapods as a dependency source (:tada: @LouisBoudreau #584)
- Licensed supports Gradle multi-project builds (:tada: @LouisBoudreau #583)
- Licensed no longer crashes when run with Bundler >= 2.4.0 (:tada: @JoshReedSchramm #597)
- BREAKING: Licensed no longer ships executables with releases (#586)
- BREAKING: Licensed no longer includes support for Go <= 1.11 (#602)
- Updating cached dependency records will more accurately apply `review_changed_license` flag (#578)
- `NOTICE` files can now be generated without cached files in a repository (#572)
- Licensing compliance status checks can now be used without cached files in a repository (#560)
- Python dependency metadata will be correctly parsed from the output of `pip show` (#555)
- Licenses for Python dependencies built with Hatchling are correctly found (#547)
- Swift test fixtures build artifacts are now ignored (:tada: @CvX #524)
- Running cargo test fixture setup no longer deletes test files (:tada: @CvX #525)
- Bundler test fixtures are compatible with latest macOS silicon (:tada: @CvX #528)
- Fix segfaults seen using licensed with ruby 3.0.4 (#530)
- Fix compatibility with latest versions of bundler 2.3 (#535)
- Fix compatibility with latest versions of bundler 2.3 (:tada: @CvX #522)
- Comparing dependency license contents now finds matching contents regardless of the order of the licenses (#516)
- Fixed typo in a link in README.md (#514)
- Elixir testing setup is migrated to erlef/setup-beam (#512)
- Dependencies' legal notice file matching has been made more strict to reduce false positives on code files containing the word `legal` (#510)
- Pip and pipenv sources will find dependency licenses under `dist-info/license_files` when available (#504)
2022-03-17
- Composer dev dependencies can optionally be included in enumerated PHP dependencies (:tada: @digilist #486)
- Getting started usage documentation (#483)
- Initial support for NPM workspaces (#485)
- Transitive dependencies are now enumerated by the `pip` source (#480)
- `licensed cache --force` will now correctly overwrite existing license classifications (#473)
2022-02-24
2022-02-07
- The npm and pip sources have better protection from strings causing crashes in `Hash#dig` (#450)
2022-01-31
- The npm source handles more cases of missing, optional, peer dependencies (#443)
2022-01-17
- The yarn source will no longer evaluate package.json files that do not represent project dependencies (#439)
2022-01-07
- Malformed package.json files will no longer crash yarn dependency detection (#431)
2021-12-14
- New Yarn enumerator with support for berry versions (#423)
- Error handling cases return correct values in the Yarn enumerator (#425)
- Fixed link in command documentation (:tada: @chibicco #416)
- Fixed minor backwards compatibility issue for Ruby 2.3 support (:tada: @dzunk #414)
- Licensed's own dependencies are cached in the repository and kept up to date with GitHub Actions (#421)
2021-10-07
- Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol #411)
- Manifest source evaluation performance improvements (#407)
2021-09-18
- New cargo source enumerates rust dependencies (#404)
- Removed non-functional files from gem builds (#405)
2021-09-14
- Bundler source will no longer infinitely recurse when enumerating specifications (#402)
- Using the `--sources` command line option will no longer delete skipped sources' cached files (#401)
2021-09-09
- Bundler source works properly again when used outside of `bundle exec` (#397)
2021-09-06
- Updated multiple dependency versions (:tada: @mmorel-35 #385, #389)
- Go homepage links use pkg.go.dev instead of godoc.org (:tada: @mmorel-35 https://github.com/github/licensed/commit/73cfbbe954a3e8c8cbaf8b68253053b157e01b79)
- Local development ruby version changed to 2.7.4 (#393)
- Bundler source correctly finds platform specific dependencies (#392)
2021-08-19
- Application names can be dynamically generated based on the path to the application source (#375)
- Updated command documentation (#378, https://github.com/github/licensed/pull/380/files)
- Updated configuration documentation (#375)
- Cache and status commands give additional diagnostic output when using JSON and YAML formatters (#378)
- Status command will give users a link to documentation when compliance checks fail (#381)
- The bundler source correctly checks that the path bundler specifies a gem is loaded from is a file (#379)
2021-06-16
- Licensed supports Swift/Swift package manager as a dependency source (:tada: @mattt #363)
- The `source_path` configuration property accepts arrays of inclusion and exclusion glob patterns (#368)
- The Nuget source now uses configured fallback folders to find dependencies that are not found in the project folder (#366)
- The Nuget source supports a configurable property for the path from the project source path to the project's `obj` folder (#365)
- The Go source's checks for local packages will correctly find paths in case-insensitive file systems (#370)
- The Bundler source will no longer unnecessarily reset the local Bundler environment configuration (#372)
2021-05-17
- The bundler source will correctly enumerate dependencies pulled with a `git:` directive (#360)
2021-04-27
This is a major release and includes potentially breaking changes to bundler dependency enumeration.
- The bundler source will return an error when run from an executable. Please install licensed as a gem to continue using the bundler source. Please see the v3 migration document for full details and migration strategies.
2021-04-06
- The pip source works with package names containing periods (:tada: @bcskda #350)
2021-03-29
- The npm source will ignore dependencies that are marked as both extraneous and missing (#347)
2021-03-24
- Support for npm 7 (#341)
- Files in the manifest source will be found correctly for apps that are not at the repository root (#345)
2021-02-09
- `list` and `cache` commands optionally print output in JSON or YML formats using the `--format/-f` flag (#334)
- `list` command will include detected license keys using the `--licenses/-l` flag (#334)
2020-12-11
- Auto-generating license text for a known license will no longer raise an error if the found license has no text (:tada: @Eun #328)
2020-11-20
- Yarn source correctly finds dependency paths on disk (#326)
- Go source better handles finding dependencies that have been vendored (#323)
2020-10-09
- Shell command output is encoded to UTF8 (#319)
2020-10-04
- `reviewed` dependencies can use glob pattern matching (#313)
- Fix configuring source path globs that expand into a single directory (#312)
2020-09-23
- `status` command results can be output in YAML and JSON formats (:tada: @julianvilas #303)
- `licensed` no longer crashes when parsing invalid YAML from cached records (#306)
- NPM source will no longer crash when invalid JSON is returned from npm CLI calls (#300)
- Bundler source is fixed to work properly with `gems.rb` lockfiles (#299)
2020-07-07
2020-06-30
- `licensed` no longer exits with an error code when using the `--sources` CLI argument (#290)
2020-06-19
- `--sources` argument for cache, list, status and notices commands to filter running sources (#287)
- `cache` command will not remove files outside of enabled source cache paths (#287)
2020-06-09
- `notices` command properly reads cached dependency notices contents (#283)
2020-06-02
- `notices` command to create a `NOTICE` file for each configured app (#277)
- NuGet source no longer crashes on a non-existent dependency path (#280)
- Go source no longer crashes on a non-existent dependency package path (#274)
2020-05-15
- NPM source ignores missing peer dependencies (#267)
2020-04-28
- `licensee` minimum version bumped to 9.13.2 (#256)
2020-03-24
- relaxed gem version restrictions on Thor (:tada: @eileencodes #254)
2020-03-19
- Source paths use glob pattern matching (#245)
- Mix source supports updates to mix.lock format (:tada: @bruce #242)
- Go source supports `go list` format changes in go 1.14 (#247)
- `licensed cache` will flag dependencies for re-review when license text changes (#248)
- `licensed status` will raise errors on dependencies that need re-review (#248)
- `licensee` minimum version bumped to 9.13.1 (#251)
2020-01-03
- Yarn source (#232, #233, #236)
- NPM source has a new option to include non-production dependencies (#231)
- Cabal source will no longer crash if packages aren't found (#230)
2019-11-10
- License text is automatically generated for known licenses when not otherwise available (#223)
- Ignoring dependencies uses glob pattern matching (#225)
2019-11-03
- A number of improvements to the go dependency enumerator
  - use `go env GOPATH` as a default if no other GOPATH is found
  - better compatibility with go modules when finding license content
  - better compatibility with vendored go modules
  - use a package's godoc.org page as its homepage
  - better checks for standard packages, reducing the amount of cached content
2019-10-26
- Performance improvements during dependency enumeration (:tada: @krzysztof-pawlik-gat #204, #207) (#210)
2019-10-22
- Mix source for Elixir (:tada: @bruce #195)
2019-09-26
- `status` command will pass if multiple allowed licenses are found (#188)
2019-09-15
- Composer source for PHP (#182)
2019-08-26
- Bundler with/without array settings are properly handled for bundler 1.15.x
2019-08-20
- Using the npm source with yarn, "missing" dependencies are no longer considered errors (:tada: @krzysztof-pawlik-gat #170)
- The bundler source now calls `gem specification` with dependency version requirements (#173)
2019-05-19
- New Pipenv dependency source enumerator (:tada: @krzysztof-pawlik-gat #167)
2019-05-11
- Content hash versioning strategy for go and manifest sources (#164)
- Python source handles urls and package names with "-" in requirements.txt (:tada: @krzysztof-pawlik-gat #165)
2019-04-16
- New Gradle dependency source enumerator (:tada: @dbussink #150, @jandersson-svt #159)
- Metadata added to distributed packages (#160)
- Bundler dependency source loads license key from a gem's cached gemspec file as a fallback (#154)
- Licensed will only raise errors on an empty dependency path when caching records (#149)
- Migrating to v2 will no longer crash trying to migrate cached records that don't exist (#148)
- Reported warnings will no longer crash licensed when caching records (#147)
2019-02-14
- Dependency paths that don't exist on the local disk are reported as warnings
- Cache, status and list output is sorted by app name, source type and dependency name
- Bumped `licensee` gem requirement
2019-02-09
This is a major release and includes breaking changes to the configuration and cached record file formats
- New `migrate` command to automatically update configuration and cached record file formats
- New extensible reporting infrastructure
- New base command and source classes to abstract away implementation details
- Cached dependency metadata files are now stored entirely as YAML, with `.dep.yml` extension
- The Bundler dependency source is now identified in configuration files and output as `bundler` instead of `rubygem`
- Refactored sources for better consistency between classes
- Refactored commands for better consistency between classes
- Command outputs have changed for better consistency
- Updated Dependency classes for better integration with `licensee`
- Licensed no longer exits on errors when evaluating dependency sources or finding dependencies
- The Bundler dependency source correctly finds the `bundler` gem as a dependency in more cases
2018-12-27
- Go source added support for Go modules and Golang 1.11+ (#113)
- Licensed will have a non-zero exit code when commands fail (:tada: @parkr #111)
2018-10-30
- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable due to a ruby version mismatch (#106)
2018-10-24
- `licensed (version | -v | --version)` command to see the current licensed version (:tada: @mwagz! #101)
- NPM source no longer raises an error when ignored dependencies aren't found (:tada: @mwagz! #100)
- Checking for a Git repo will no longer possibly modify `.git/index` (:tada: @dbussink #102)
- Fixed a scenario where licensed wasn't finding bundler dependencies when run as an executable (#103)
2018-10-20
- Git Submodules dependency source 🎉
- Configuration option to explicitly set a root absolute path
- `COPYING` file is no longer matched as a legal file
- NPM source will enumerate multiple versions of the same dependency
- Running Licensed outside of a Git repository no longer raises an error
- Packaging scripts will correctly return to the previous branch when the script is finished
2018-09-20
- Bundler source will avoid looking for a gemspec file when possible
2018-09-07
- Manifest source configuration globs correctly enumerate files from within submodules
- The manifest source no longer errors when getting version information from submodules
2018-08-15
- Fixed issue when multiple versions of a cabal package are found
2018-08-01
- Fixed regression finding ruby gems by path
2018-07-25
- Manifests for the manifest dependency source can be specified using glob patterns in the configuration
- Paths to licenses for dependencies from the manifest dependency source can be specified in the configuration
- Manifest dependency source looks for license content in C-style comments if a license file isn't found
- GitHub is no longer queried to find remote license information
- Removed custom logic around determining whether to use the license key from `licensee`
- NPM dependency enumeration doesn't use `npm list`
- Licensed now tracks content from multiple license files when available
- Fixed regression finding platform-specific ruby gems
2018-06-22
- Building and packaging distributable exes for licensed releases
- Can now configure which Gemfile groups are excluded from dependency enumeration
- Bundler is no longer always reported as a dependency
- Set the minimum required ruby version for licensed
2018-06-04
- Pip dependency source 🎉
- Go Dep dependency source 🎉
- Changed how `sources` configuration property affects which sources are enabled
- Raise informative error messages when shell commands fail
- Don't reuse cached license when cached version metadata is missing
- Disable dependency sources when dependent tools are not available
- Vendored packages from the go std library are properly excluded
- Cabal dependency enumeration properly includes executable targets
2018-04-26
- GOPATH settable in configuration file
- Reuse "license" metadata property when license text has not changed
- Path expansion for cabal "ghc_package_db" configuration setting occurs from repository root
- Local Gemfile(.lock) files correctly used in enumerating Bundler source dependencies
2018-02-20
Initial release 🎉