v0.6.2

Bugfix/Maintenance release.

What's Changed

• Gemnasium: Fix Gemnasium ranges with spaces (#236). Thanks @pjacobsen-utilimarc!
• Gemnasium: Remove outdated hotfix. (#236). Thanks @pjacobsen-utilimarc!
• Gemnasium: Fixed an issue with (invalid) identifiers having trailing dots e.g. >=1.4..
• Dependencies: Bump packaging from 22.0 to 23.0 (#173).
• Dependencies: Bump packaging from 23.0 to 23.1 (#209).

New Contributors

• @pjacobsen-utilimarc made their first contribution in #236

Full Changelog: v0.6.1...v0.6.2

v0.6.1

Bugfix/Maintenance release.

What's Changed

• CLI: Remove duplicate error/warning when sources are passed via CLI instead. (#163). Thanks @AIGeneratedUsername!
• Dependencies: Support packaging >=21,<23.0. (#162). Thanks @whardier!
• Dependencies: Bump types-toml from 0.10.8 to 0.10.8.1 (#156)
• Dependencies: Bump mypy from 0.990 to 0.991 (#157)
• Actions: Bump actions/setup-python from 4.3.0 to 4.3.1 (#160)

Full Changelog: v0.6.0...v0.6.1

v0.6.0

Feature release.

This release breaks .skjoldignore files when containing PyUP identifiers (See #148). You might need to re-add them to the ignore file using the CVE or new PyUP identifier.

Changes

• PyUP: Use 'cve' field as 'pyup' identifier. (#149). Thanks @joakimnordling!
• Dependencies: Bump mypy from 0.981 to 0.982 (#141)
• Dependencies: Bump black from 22.8.0 to 22.10.0 (#144)
• Dependencies: Bump pytest-mock from 3.9.0 to 3.10.0 (#143)
• Dependencies: Bump pytest from 7.1.3 to 7.2.0 (#146)
• Dependencies: Bump types-pyyaml from 6.0.12 to 6.0.12.1 (#147)
• Dependencies: Bump pytest-sugar from 0.9.5 to 0.9.6 (#151)
• Dependencies: Bump mypy from 0.982 to 0.990 (#152)
• Dependencies: Bump types-pyyaml from 6.0.12.1 to 6.0.12.2 (#153)
• Actions: Bump actions/checkout from 3.0.2 to 3.1.0 (#142)
• Actions: Bump actions/setup-python from 4.2.0 to 4.3.0 (#145)

Full Changelog: v0.5.1...v0.6.0

v0.5.1

Hotfix release.

Changes

• PyUP: Use more_info_path to create correct pyup.io URLs (#140). Thanks @joakimnordling!
• Dependencies: Bump types-pyyaml from 6.0.9 to 6.0.12 (#134).
• Dependencies: Bump types-toml from 0.10.7 to 0.10.8 (#124).
• Actions: Bump coverage from 6.4.1 to 6.5.0 (#138).
• Actions: Bump actions/setup-python from 4.0.0 to 4.2.0 (#128, #122).

Full Changelog: v0.5.0...v0.5.1

v0.5.0

Feature / Hotfix release.

Breaking: This version drops support for Python 3.6 (#117) and adds the filename to both output formats (#118).

Changes

• Packaging: Switch to poetry-core (#91). Thanks @fabaff!
• Gemnasium: Properly handle false positives/withdrawn CVEs marked with (,0) (#90). Thanks @stesix!
• OSV: Support latest OSV/PyPA schema (only using ECOSYSTEM + versions) (#115). Thanks @Kurt-von-Laven!
• Feature: Support handling multiple input files (#118). Thanks @joakimnordling!
• Actions: Bump actions/checkout from 2.3.4 to 2.4.0 (#82).
• Actions: Bump actions/setup-python from 2.2.2 to 2.3.2 (#93).
• Breaking: Drops support for Python 3.6 (#117)

Full Changelog: v0.4.1...v0.5.0

v0.4.1

Hotfix release.

Changes

• Github: Properly parse/handle github fixed version specifiers e.g. = 1.4.2. Fixes #61. Thanks @brondsem!
• Github: Show correct environment variable name if Github API Token is not defined. See #62. Thanks @markus-k!

v0.4.0

Feature/Maintenance release.

Important!: From this release onwards skjold depends on/uses packaging instead of poetry-semver (See #52 for details).

Changes

• Use packaging for parsing versions instead of poetry-semver. See #52
• Display helpful message if Github Token is not found/set when using the github source. See #56
• Updated dependencies.

v0.3.2

Bugfix release.

Changes

• Removing verbose flag from .pre-commit-hook.yaml as it is only supposed to be used during debugging. See Comment Thanks @asottile!
• Bump types-pyyaml from 0.1.9 to 5.4.3 (#49)

v0.3.1

Bugfix release.

Changes

• Bumps minimal click version to 8.x to fix issue with changed get_default signature.

v0.3.0

Feature / Maintenance release.

Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

Breaking Changes

• CLI: skjold will now always write the number of ignored findings and vulnerable packages to stderr. The rest of the output json or cli are still written to stdout for easier redirection.

Changes

• CLI: Temporarily or permanently ignore findings based on their source identifiers added to .skjoldignore. (See #47) Thanks @micheller!
• CLI: skjold now outputs ignored findings when using cli or json output formats.
• OSV/PyPA Advisory DB: Initial support for using either osv or pypa as sources. (See #45)
• CLI: Advisories with additional references are added to the cli output if present.
• Bumps mypy to 0.902
  • Moves mypy.ini to pyproject.toml.
  • Adds types-toml and types-PyYAML as dev dependencies.
• Update README.md.