oauthlint 0.4.0 — baseline mode, update notifier, 100 rules

oauthlint 0.4.0 makes OAuthLint easy to adopt on an existing codebase and keeps you current with new releases.

The headline is baseline mode: drop OAuthLint into a large repo without drowning in pre-existing findings — record what's there today, then only get alerted on new problems. This release also adds a CLI update notifier, three new rules (the pack is now 100), and safer autofixes.

✨ New

• baseline command + scan --baseline — solves the "we can't turn this on, it lights up 500 findings on day one" problem. oauthlint baseline records current findings with stable, line-shift-resilient fingerprints (rule + relative path + a normalized code snapshot, not line numbers — so findings stay baselined when code moves), and oauthlint scan --baseline reports and gates CI on only the findings not in the baseline. (#34)
• Update notifier — the CLI now tells you when a newer oauthlint is on npm, with the upgrade command. Runs at most once a day (cached, non-blocking, short timeout), prints to stderr only, and is silent in CI, when piped, with --json/--format sarif, NO_UPDATE_NOTIFIER, or --no-update-check. (#35)
• 3 new rules → 100 total: auth.oauth.access-token-in-url (CWE-598, JS/TS — tokens in URLs leak via Referer/logs/history), auth.rust.jwt.no-issuer-validation (CWE-345, jsonwebtoken), auth.java.crypto.weak-hash (CWE-328, MD5/SHA-1 via MessageDigest). (#34)
• Safer autofixes — --fix now resolves auth.rust.tls.accept-invalid-certs and auth.rust.tls.accept-invalid-hostnames (each verified by a fix-then-rescan test). (#34)

📚 Docs

• The npm page and site are current: the GitHub Action (Auspeo/oauthlint/action@v1) and VS Code extension (auspeo.oauthlint-vscode) are live — the old "on the way" copy is gone. Added a site release-announcement banner. (#35)

⬆️ Install / upgrade

npm i -g oauthlint@0.4.0      # or: npx oauthlint@0.4.0 scan ./src

Full changelog: https://github.com/Auspeo/oauthlint/compare/oauthlint@0.3.0...oauthlint@0.4.0