Releases: hpehl/depup

0.2.1

16 Jun 14:52
f523ce6

Added

  • Track packageManager version from package.json (e.g., "pnpm@9.15.0") as a ToolVersion dependency across all subcommands
    • check: reports current vs latest version from the npm registry
    • update: rewrites the packageManager field in package.json to the latest version
    • Strips Corepack +hash suffixes (e.g., pnpm@9.15.0+sha512.abc...)
    • Works with existing filters: --tools, --npm, --include/--exclude, --outdated

Changed

  • Right-align version numbers in the output column when a property name is present
  • Sort tool versions last in output for both Maven and npm ecosystems

Fixed

  • Skip .pnpm-store/ and other non-project directories during npm discovery to avoid duplicate entries

0.2.0

16 Jun 12:16
f3a0500

Added

  • update subcommand for updating outdated dependencies
    • Maven: format-preserving POM updates for both managed properties (<properties>) and inline versions (<version>x.y.z</version>) — preserves comments, whitespace, and indentation
    • npm: delegates to native package manager update commands (npm update, pnpm update, yarn upgrade, bun update)
    • --dry-run flag to preview updates without making changes (JSON status: would_update)
    • Structured JSON output with ecosystem, kind, managed, artifact, source, old_version, new_version fields
    • Summary line, elapsed time, progress bar, and exit code 1 on errors (mirrors check output)
  • --include/--exclude glob filters for check, update, and audit (e.g., --include 'org.junit:*', --exclude '*:guava', --include 'react*')
  • audit subcommand for checking dependencies against known vulnerabilities via OSV.dev
    • Queries both Maven and npm ecosystems using the OSV batch API
    • Fetches full vulnerability details including CVE aliases, severity (CVSS-based), summaries, and advisory URLs
    • --severity filter to show only vulnerabilities at or above a threshold (critical, high, medium, low)
    • Supports all check filters: --maven/--npm, --dependencies/--plugins/--dev-deps, --managed/--unmanaged, --include/--exclude
    • Structured JSON output with vulnerability details
    • Grouped table output with severity-colored labels, summary line, and timing
    • Exit code 1 when vulnerabilities are found
    • Tool versions (Node.js, package managers) are skipped

Changed

  • Rename crate to depup-cli for crates.io publishing (cargo install depup-cli installs the depup binary)
  • Audit --severity filter now drops dependencies whose vulnerabilities were all below the threshold instead of showing them as clean

0.1.0

15 Jun 12:50
085b638

Added

  • check subcommand with auto-detection of ecosystems (Maven + npm)
  • completions subcommand to generate and install shell completions (bash, zsh, fish, elvish, powershell)
  • Maven ecosystem: multi-module project discovery, ${version.*} property resolution, plain version number checking, custom repository support (<repositories> and <pluginRepositories>)
  • Maven ecosystem: Node.js and package manager version properties (version.node, version.npm, version.pnpm, version.yarn)
  • npm ecosystem: auto-detect package manager by lock file or packageManager field in package.json
  • npm ecosystem: support for npm, pnpm, yarn (classic), and bun
  • npm ecosystem: workspace-aware discovery (skips workspace members)
  • Table and JSON output formats with results grouped by ecosystem and kind
  • --outdated flag to show only outdated dependencies
  • --stable / --releases-only flag to exclude pre-release versions (alpha, beta, RC, milestone)
  • Progress bars during version checks (hidden in JSON mode)
  • Structured error types with machine-parseable error codes and JSON error envelope
  • Exit code 1 when outdated dependencies are found