v0.1.12

Changed

• Reduce native npm prebuilt package size by stripping release binaries and using panic=abort in release builds.
• Update Socket package score gates for native prebuilt packages while keeping strict Vulnerability/License and critical/high alert checks.

Verification

• PR #16 release gate, CodeQL, CodeQL Rust, and OpenSSF Scorecard passed.
• Local package/install and npm package checks passed before release.

v0.1.11

Changed

• Add the OpenSSF Best Practices Passing badge to the README after the project reached Passing level.
• Remove internal helper-agent workflow notes, historical cloning notes, and duplicate upstream issue drafts from the public repository documentation.
• Update OpenSSF Best Practices evidence documentation to reflect the Passing status and the honest N/A handling for cryptography and memory-unsafe dynamic-analysis criteria.

Verification

• PR #14 release gate passed.
• Local RUN_RELEASE_CANDIDATE=0 scripts/prepublish-check.sh passed, including package/install checks and cargo publish --dry-run --locked.

v0.1.10

Summary

• Make npm/GitHub README onboarding npm-first and fix npm-safe documentation links.
• Refresh public benchmark evidence across README, release docs, and changelog.
• Tighten docs.rs quality with complete public rustdoc coverage and a missing-docs release gate.
• Narrow generated prebuilt npm package keywords so platform packages do not compete with the main package in npm search.
• Publish metadata/package-only improvements without changing the detector core.

Validation

• scripts/prepublish-check.sh
• Public benchmark gate:
  • React JavaScript: 50.32x, compat pass
  • Next.js TypeScript: 55.10x, compat pass
  • Prometheus Go: 59.11x, compat pass

v0.1.9

Summary

• Refresh the npm README with the self-updating Socket /latest badge URL.
• Keep npm publication strict on registry integrity, signatures, and provenance while allowing fresh Socket pendingScan results during the immediate post-publish window.
• Add a strict scheduled/manual Socket score workflow for post-indexing checks.
• Make the server compatibility harness use dynamic ports.

Validation

• scripts/prepublish-check.sh
• Public benchmark gate:
  • React JavaScript: 52.77x, compat pass
  • Next.js TypeScript: 55.33x, compat pass
  • Prometheus Go: 58.23x, compat pass

v0.1.8

Summary

• Publish a clean patch release through the retained GitHub Release automation so npm provenance for the latest package version resolves to a retained source commit.
• Include the README badge grouping and npm publish rerun fixes that landed after the 0.1.7 publication.

Validation

• scripts/prepublish-check.sh
• Public benchmark gate:
  • React JavaScript: 46.67x, compat pass
  • Next.js TypeScript: 53.16x, compat pass
  • Prometheus Go: 57.25x, compat pass

v0.1.7

Changed

• Reduce the Rust supply-chain surface by reverting the direct getrandom
  dependency from 0.4 to the stable 0.2 line used before 0.1.5. This removes
  the extra WASI/WIT transitive dependency tail added by the major update while
  keeping OS-backed MCP session IDs.
• Configure Dependabot to keep grouped Cargo dependency updates to minor and
  patch releases, and explicitly ignore future major getrandom bumps unless
  a security advisory or concrete platform need justifies the larger dependency
  graph.

v0.1.6

Added

• Added repo ownership and supply-chain maintenance signals: CODEOWNERS, OpenSSF Scorecard workflow and badge, root .editorconfig, and a project code of conduct.
• Added release-gate checks for GitHub Actions syntax through actionlint and Rust dependency policy through cargo-deny.
• Added post-publication npm registry checks for package integrity, registry signatures, SLSA provenance attestations, and npm audit signatures.
• Added Socket package score regression checks for the main npm package and prebuilt platform packages.

Changed

• Improved prebuilt npm platform package metadata and README supply-chain notes.
• Removed the npm test:npm-package script from published package metadata; repository-only scripts stay out of npm tarballs.
• Hardened server/MCP tests against parallel temp-dir collisions.

Validation

• Passed local scripts/prepublish-check.sh on commit 1999e2d.
• Public benchmark gate passed: React 53.08x, Next.js 58.11x, Prometheus 56.99x versus upstream jscpd.

v0.1.5

Changed

• Updated GitHub Actions dependencies used by CI and release automation.
• Updated getrandom to 0.4 and adapted MCP session ID generation to getrandom::fill.

Release checks

• Full prepublish gate passed locally before tagging.
• Public benchmark gate: react 51.59x, next 50.30x, prometheus 53.53x versus upstream jscpd.

jscpd-rs v0.1.4

Packaging/security release focused on npm supply-chain signals.

• Removed npm install-time builds: the main npm package no longer declares a postinstall lifecycle script and no longer invokes Cargo during install.
• Shrunk the main npm package to runtime shim files plus metadata/docs needed by users.
• Kept prebuilt-first npm runtime; unsupported npm platforms should use cargo install jscpd-rs --locked.
• Added SECURITY.md, CONTRIBUTING.md, and Dependabot configuration.
• Updated package checks to prevent install lifecycle scripts from returning and to smoke-test local platform packages.

jscpd-rs v0.1.3

Patch release focused on release reliability and install safety.

Changes:

• GitHub Release publication now runs the release-candidate gate before npm and crates.io publishing.
• Main npm package publication is blocked if any configured prebuilt platform package is missing or failed.
• Release-candidate flow now enforces the core coverage gate.
• Added an advisory server benchmark for native vs upstream /api/check latency.
• Refreshed npm, prebuilt-binary, release-readiness, and README documentation for the prebuilt-first install path.