Skip to content

1.5.1

Choose a tag to compare

View all tags
@oscarvalenzuelab oscarvalenzuelab released this 12 Nov 01:10
· 49 commits to main since this release
v1.5.1
72ef162
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

v1.5.1 - Architecture Simplification

Changed

Architecture Simplification: purl2notices for Everything

scan_directory now uses purl2notices scan mode exclusively:

  • REMOVED: osslili dependency for scan_directory (still used by check_package)
  • REMOVED: src2purl dependency entirely (replaced by purl2notices)
  • NEW: purl2notices scan mode handles all scanning in one pass:
    • Detects ALL packages including transitive dependencies
    • Extracts licenses from both project source and dependencies
    • Extracts copyright statements automatically from source code
    • No manual PURL extraction needed

Benefits

  • 100% accurate package detection (vs 83-88% fuzzy matching from src2purl)
  • Detects ALL transitive dependencies (e.g., 51 packages vs 8 fuzzy matches)
  • No confusing fuzzy match results
  • Automatic copyright extraction as a bonus feature
  • Simpler architecture: one tool instead of two

For npm projects

  • Scans entire node_modules/ directory (50+ packages)
  • NOT just direct dependencies from package.json (1-2 packages)
  • Includes all transitive dependencies automatically

Deprecated parameters in scan_directory

  • identify_packages - now deprecated, purl2notices always detects packages
  • check_licenses - now deprecated, purl2notices always scans licenses
  • Parameters still accepted for backwards compatibility but have no effect

Updated tool descriptions

  • scan_directory now documents that it detects ALL packages including transitive deps
  • Clarified that for npm projects, this means entire node_modules/ not just package.json
  • Added emphasis on automatic copyright extraction
  • Updated workflow examples to reflect simplified approach

Dependencies

  • Removed: src2purl>=1.3.4 (no longer used)
  • Still kept: osslili>=1.5.7 and upmex>=1.6.7 (used by check_package for archives)

What's Changed

  • v1.5.1: Simplify architecture - use purl2notices for comprehensive scanning by @oscarvalenzuelab in #21
  • Fix purl2notices integration - use JSON format output
  • Fix test mocks to match purl2notices JSON output format

Full Changelog: v1.4.0...v1.5.1

Contributors

oscarvalenzuelab
Assets 2
Loading