include_dependencies wired to all 14 clients: Parameter added to every client's get_package_info/get_package_info_async signature so the aggregator's introspection matches. Crates and Maven gate extra dependency-fetching API calls behind the flag.
Crates transitive deps: get_package_info now calls get_dependencies() and includes "dependencies" in the response.
Maven transitive deps: get_package_info now calls get_dependencies() and includes dependency data (with graceful fallback if POM fetch fails).
Manifest parsers for 4 ecosystems: Added _parse_pom_xml (Maven), _parse_podfile/_parse_podfile_lock (CocoaPods), _parse_packages_config (NuGet) to manifest_detector.py.
requires-python from pyproject.toml: Reads [project].requires-python and injects as a python package entry. Ecosystem configurable via UDR_PYTHON_ECOSYSTEM env var.
Non-PEP-440 version normalization: New normalize_version() + strip_numeric_suffix() in constraint_normalizer.py — strips Maven qualifiers (-jre, -android) and Conda build strings (_cp314t). Used for proper cross-ecosystem version sorting.
Cross-ecosystem constraint propagation in SAT fallback: _resolve_with_alternatives now builds a dependency graph, topo-sorts packages, and backtracks respecting cross-ecosystem dependency edges instead of greedy per-package picking.
Mermaid architecture diagrams: Architecture overview, import rules, deployment topology, SAT solver internals, and ER data model — all render natively on GitHub with rich colors and white text
New CLI commands: details, diff, outdated, search, why — 5 new subcommands for package inspection and lock file comparison
New data source clients: Gradle (gradle_client.py), Swift (swift_client.py), Hex/Elixir (hex_client.py), Haskell/Cabal (haskell_client.py) — 4 more ecosystems now supported (total 18)
Orchestrator package: backend/orchestrator/ — shared resolution layer used by both CLI and API, breaking the cli→api import cycle
GitHub workflow enhancements: New benchmark.yml (weekly SAT-solver performance); security-audit.yml enhanced with pip-audit --fix + license compliance; ci.yml data-source parallel job extracted; new dependabot.yml, scorecards.yml
docs/ARCHITECTURE.md: ASCII architecture art replaced with Mermaid graph + import rules + ER diagrams; deeper saturated backgrounds with white text for readability
Root config cleanup: install.sh — dynamic version reading from pyproject.toml or udr --version (removed hardcoded VERSION); Makefile — added .DEFAULT_GOAL=help, --cov-fail-under=70 (consistent with pyproject.toml), removed stale --timeout=120; .env.example — added ENABLE_CSRF + 5 missing ecosystem rate limits; MANIFEST.in — added README_PYPI.md + alembic/ include rules; pytest.ini — removed blanket DeprecationWarning suppression
Desktop: Removed DMG background image to fix transient arm64 build failures; electron-updater moved to dependencies in package.json (runtime dep)
Fixed
@angular/core edge case: _parse_package_spec now handles scoped npm packages without ecosystem suffix (leading @). Unknown ecosystems log a warning instead of silently creating invalid specs.
NPM dependency key location: Now reads dependencies from top-level info["latest_version_info"]["dependencies"] in _aggregator_to_resolver_input.
_find_compatible_versions indentation bug: sys_python check was accidentally nested inside the version_constraint block — now always evaluated.
Critical: email-validator missing from core deps — Imported at top level in backend/run.py:12 but only in [system]/[dev] optional groups. pip install ud-resolver (bare, no extras) crashed on udr serve. Moved to [project.dependencies].
High: httpx missing from core deps — Used in backend/api/main.py:319 health endpoint but only in [dev]/[all]. Health check silently failed when extras not installed. Added to [project.dependencies].
High: starlette not declared — Imported directly in api/main.py and api/middleware.py but never declared in pyproject.toml (relied on transitive dep through FastAPI). Explicitly added to [project.dependencies].
prometheus-fastapi-instrumentator moved to [monitoring] — Was in core deps but only imported conditionally inside a function. Belongs in optional monitoring group.
opentelemetry-exporter-otlp-proto-grpc missing — Imported in backend/tracing_config.py:62 but only -http exporter was declared. Both gRPC and HTTP exporters now in [monitoring].
electron-updater in wrong dependency group — Was in devDependencies in desktop/package.json but imported and used at runtime in main.js. Moved to dependencies.
Security
All 14 ecosystems tested with real APIs in a 43-package megaproject scenario (frontend + backend + AI/ML + inference + system specification with CUDA)
Removed
docs/diagram/architecture.excalidraw — Excalidraw JSON format does not render on GitHub. Replaced with inline Mermaid diagrams.
tests/fixtures/api_responses/ — Stale mock JSON fixtures (conda, npm, pypi). Coverage handled by live data source tests.