kolatts pushed a commit that referenced this pull request on Apr 5, 2026:
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
kolatts added a commit that referenced this pull request on Apr 5, 2026:
* feat: add deps command group with CVE scanning and dependency auditing

  Implements pncli deps with frisk as the primary command and scan, diff, outdated, license-check, and connectivity as auxiliary commands. Replaces the artifactory stub.

  - deps frisk: scans all deps for CVEs via OSV.dev querybatch, returns structured remediation paths in JSON for agent consumption (Tier 3)
  - deps scan: local-only dependency inventory across npm, NuGet, Maven
  - deps diff: dep changes between two git refs using git show
  - deps outdated: latest versions via Artifactory REST (Tier 2)
  - deps license-check: license data per package via Artifactory (Tier 2)
  - deps connectivity: diagnoses which tier is available

  Parsers handle package-lock.json (v2/v3), yarn.lock, pnpm-lock.yaml, .csproj/packages.lock.json/Directory.Packages.props/packages.config, pom.xml, build.gradle, and gradle.lockfile.

  Artifactory config uses flat npmRepo/nugetRepo/mavenRepo fields. Each ecosystem repo is independently optional — missing repos are skipped silently. config init updated with opt-in Artifactory wizard section.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update copilot-instructions for deps command group

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: auto-stage copilot-instructions.md in pre-commit hook

  The build step regenerates copilot-instructions.md — stage it automatically so it's never left out of a commit.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: address PR #7 review comments

  Security:
  - Replace execSync string interpolation with execFileSync + arg arrays in readFileAtRef and scanRepoAtRef to prevent shell injection from user-controlled --from/--to refs

  Parser fixes:
  - yarn.lock: fix blockRegex to match scoped packages (@scope/name); classify direct vs transitive using package.json dep lists and respect opts.includeTransitive
  - pnpm-lock.yaml: same direct/transitive classification fix; pass packageJsonContent through for cross-referencing
  - nuget: remove dead propsFiles map that was populated but never read
  - maven: resolveProperty now returns null when a ${placeholder} remains unresolved, so callers correctly fall through to dependencyManagement versions instead of emitting invalid version strings

  Diff fixes:
  - Key on ecosystem:name:source instead of ecosystem:name to preserve multiple versions of the same transitive dep (common in npm)
  - summary.unchanged now computed directly from the key set rather than mixing collapsed/uncollapsed counts

  Directory.Packages.props: walk up parent directories to repo root instead of only checking the manifest's own directory (props files are typically at repo root in central package management)

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(main): release 1.1.0 (#5)

  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: Jira error deserialization, Connection header, and exit codes (#8)

  * fix: Jira error deserialization, Connection header, and exit codes

    - Parse Jira 400 responses correctly: read errorMessages (string[]) and errors (Record<string,string>) instead of broken array indexing
    - Add Connection: close header to Jira and Bitbucket requests
    - Introduce src/lib/exitCodes.ts with sysexits-style codes (69, 77, 78)
    - fail() now maps HTTP 401/403 → 77, network failures → 69, general → 1
    - Replace all hardcoded exit code literals with named constants

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  * fix: address PR feedback — array errors shape and ExitCode return type

    - Handle errors-as-array (other APIs) alongside errors-as-object (Jira)
    - Tighten exitCodeFromStatus return type to ExitCode union

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: Sunny Kolattukudy <sunny@imagile.dev>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: address second round of PR #7 review comments

  - Add shared semver utility (semver.ts) with pre-release/build-metadata aware comparison, replacing lossy strip-non-numeric logic in diff and artifactory client
  - Rename remediation snake_case fields to camelCase (fixAvailable, fixedVersions) to match rest of CLI output shape
  - Remove always-true availableInArtifactory field; add uncheckedEcosystems to OutdatedData so callers know which ecosystems had no repo configured
  - Drop unused repoRoot parameter from parseManifests
  - Implement NuGet manifest deduplication: when multiple project files share the same packages.lock.json, keep only one representative to avoid inflated package counts
  - Add Kotlin DSL / Groovy parenthesised form support to parseBuildGradle (handles both implementation("g:a:v") and implementation 'g:a:v')
  - Fix Artifactory config init prompt — deps frisk uses OSV.dev, not Artifactory; prompt now only mentions outdated and license-check

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: use write callback before process.exit to avoid libuv assertion on Windows

  process.exit() called synchronously after process.stdout/stderr.write() triggers a libuv assertion on Windows because the write handle is torn down before the kernel flushes the buffer. Move process.exit() into the write callback in output.ts fail() and http.ts dry-run paths.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Sunny Kolattukudy <sunny@imagile.dev>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
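The shell-injection fix from the first PR #7 review round (execSync string interpolation replaced by execFileSync with an argv array for the user-controlled --from/--to refs), written out as an added TypeScript example rather than the project's own readFileAtRef; the ref allow-list regex, the gitShowArgs helper and the use of git's --end-of-options are assumptions layered on top of what the commit describes:

```typescript
import { execFileSync } from "node:child_process";

// Allow-list for a ref as typed by the user (assumption, not the project's rule):
// abbreviated/full SHAs, branch and tag names, remote-tracking names and HEAD~N
// forms. A leading '-' is rejected so the value can never be parsed as a git
// option, and anything a shell would treat specially does not match at all.
const REF_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._\/~^-]*$/;

export function isSafeRef(ref: string): boolean {
  // ".." is a range operator and "*.lock" is reserved; both are invalid single refs.
  return REF_PATTERN.test(ref) && !ref.includes("..") && !ref.endsWith(".lock");
}

// Builds the argv array for `git show <ref>:<path>`. Each element reaches git as
// one argument; nothing is joined into a command string, so there is no shell to
// inject into. --end-of-options tells git that what follows is an operand.
export function gitShowArgs(ref: string, path: string): string[] {
  if (!isSafeRef(ref)) throw new Error(`invalid git ref: ${JSON.stringify(ref)}`);
  return ["show", "--end-of-options", `${ref}:${path}`];
}

// Hardened form: execFileSync spawns git directly with argv[] (no /bin/sh or
// cmd.exe), so ref and path are never interpreted by a shell.
export function readFileAtRef(ref: string, path: string, cwd = process.cwd()): string {
  return execFileSync("git", gitShowArgs(ref, path), {
    cwd,
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],
  });
}
```

Rejecting refs that start with "-" is the second half of the defence: an argv array stops shell interpretation, but git itself still parses options, so operand position (or validation) has to be enforced too.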
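The precedence-aware comparison that the second PR #7 review round describes (a semver utility replacing lossy strip-non-numeric logic in diff and the artifactory client), as an added TypeScript example that is not the project's semver.ts; parseSemver, compareSemver and meetsFix are assumed names, and the ordering rules follow the semver 2.0.0 specification:

```typescript
// Added example, not the project's semver.ts. Implements semver 2.0.0 precedence:
// core numbers compared numerically, pre-release identifiers compared one by one,
// build metadata ignored.
type Parsed = { core: number[]; pre: string[] };

const SEMVER =
  /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$/;

export function parseSemver(v: string): Parsed | null {
  const m = SEMVER.exec(v.trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

function compareIdentifier(x: string, y: string): number {
  const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
  if (xn && yn) return Math.sign(Number(x) - Number(y)); // numeric ids compare as numbers
  if (xn !== yn) return xn ? -1 : 1;                       // numeric ids rank below alphanumeric
  return x < y ? -1 : x > y ? 1 : 0;                       // otherwise ASCII order
}

// Returns -1, 0 or 1 like a sort comparator; throws on non-semver input rather
// than silently ranking it, which is what the lossy strip-non-numeric path did.
export function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver string: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  // A pre-release ranks below the normal release it precedes.
  if (pa.pre.length === 0 || pb.pre.length === 0) return Math.sign(pb.pre.length - pa.pre.length);
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifier(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer pre-release list ranks higher.
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Remediation check (assumed name): installed is at or above some fixed version.
// Stripping non-numerics would call 1.2.3-rc.1 fixed by 1.2.3; precedence says no.
export function meetsFix(installed: string, fixedVersions: string[]): boolean {
  return fixedVersions.some((f) => compareSemver(installed, f) >= 0);
}
```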
🤖 I have created a release beep boop
1.1.0 (2026-04-05)
Features
This PR was generated with Release Please. See documentation.