Skip to content

Releases: dfetch-org/dfetch

0.14.3

Choose a tag to compare

@github-actions github-actions released this 26 Jun 17:35

Release 0.14.3 (released 2026-06-25)

  • Update dfetch environment to show newer version inline (#1310)

0.14.2

Choose a tag to compare

@github-actions github-actions released this 21 Jun 10:04

Release 0.14.2 (released 2026-06-21)

  • Fix git auth/redirect errors being silently misidentified as non-git (#1138)
  • Fix WinGet publish workflow blocked on static.crates.io and objects.githubusercontent.com egress endpoints (#1298)

0.14.1

Choose a tag to compare

@github-actions github-actions released this 19 Jun 21:53
ef32ad6

Release 0.14.1 (released 2026-06-19)

  • Implement C-043: add pip-audit OSV gate to the release workflow
  • Add CRA Compliance: OSCAL 1.2.2 Component Definition
  • Fix dfetch import mangling the namespace of a generic VCS URL whose path contains .git (#1268)
  • Fix Version comparison raising AttributeError when compared against a non-Version object (#1268)
  • Fix dfetch add matching remote whose base URL is only string (not path) prefix of the project URL (#1268)
  • Fix git ref resolution spuriously matching the first reference for an empty revision (#1268)
  • Strip the trailing newline from the git origin URL returned by get_remote_url (#1268)

0.14.0

Choose a tag to compare

@github-actions github-actions released this 14 Jun 20:03
fe1ced6

Release 0.14.0 (released 2026-06-14)

  • Update Winget manifest to the Windows Package Manager Community Repository on new release (#1263)
  • Check for new dfetch version during dfetch check & dfetch environment (#1262)
  • Respect the superproject's line-ending preference (#1260)
  • Strip user:password@ userinfo before storing metadata (#1206)
  • Warn when a project URL uses a plaintext transport scheme (#1229)
  • Documentation and threat-model clarifications for existing release attestation support (#1208)
  • Report SVN externals fetched during update (#1220)
  • Use .cdx.json as the default extension for CycloneDX SBOM reports (#1118)
  • Embed base64-encoded license text in SBOM licenses[].text when a license is successfully identified (#1112)
  • Set SBOM licenses to the SPDX expression NOASSERTION when a license file is not found or cannot be classified (#1112)
  • Add a dfetch:license:finding property to SBOM when NOASSERTION is set, explaining the reason (#1112)
  • Add dfetch:license:threshold and dfetch:license:tool SBOM properties (#1116)
  • Add dfetch:license:<spdx-id>:confidence SBOM property for per-licence confidence scores (#1116)
  • Use github purl, repo and version for a github release archive in SBOM (#1063)
  • Allow dfetch freeze to accept project names to freeze only specific projects (#1063)
  • Edit manifest in-place when freezing inside a git or SVN superproject, preserving comments and layout (#1063)
  • Add new remove command to remove projects from manifest and disk (#26)
  • Fix "unsafe symlink target" error for archives containing relative .. symlinks (#1122)
  • Print runtime errors (e.g. svn not available on system) directly in context of the failing subproject instead of collecting and showing them at the end (#1096)
  • Fix dfetch add crashing with a ValueError when the remote URL has a trailing slash (#1137)
  • Fix unhelpful error message when a metadata file is malformed (#1145)
  • Fix arbitrary file write via malicious tar/zip symlink (#1152)
  • Prevent SSH command injection (#1152)
  • Allow manifests with no projects key so dfetch add can bootstrap empty manifest (#1197)
  • Fix ValueError when generating a PackageURL (e.g. for an SBOM) from an empty or path-only remote URL
  • Fix SSH shorthand URLs (git@host:path) being incorrectly joined with / when used as url-base with repo-path (#1247)
  • Run svn+ssh:// connections in non-interactive mode to prevent hanging (#1230)

0.13.0

Choose a tag to compare

@github-actions github-actions released this 31 Mar 11:05

Release 0.13.0 (released 2026-03-30)

  • Add archive (vcs: archive) support for fetching dependencies from .tar.gz, .tgz, .tar.bz2, .tar.xz and .zip files via HTTP, HTTPS or file URLs (#1058)
  • Fix path-traversal check using character-based prefix comparison instead of path-component comparison (#1058)
  • Fix directory hash being non-deterministic across filesystem traversal orders, causing false local-change detection (#1058)
  • Fix dfetch freeze not capturing branch information for SVN projects when only the revision matched (#1058)
  • Rename child-manifests to sub-manifests in documentation and code (#1027)
  • Fix missing closing quote in unfetched-project diagnostic command example (#1070)
  • Fetch git submodules in git subproject at pinned revision (#1013)
  • Add nested projects in subprojects to project report (#1017)
  • Make dfetch report output more yaml-like (#1017)
  • Don't break when importing submodules with space in path (#1017)
  • Warn when src: glob pattern matches multiple directories (#1017)
  • Introduce new add command with optional interactive mode (-i) (#25)

0.12.1

Choose a tag to compare

@github-actions github-actions released this 26 Feb 10:48

Release 0.12.1 (released 2026-02-24)

  • Fix missing unicode data in standalone binaries (#1014)

0.12.0

Choose a tag to compare

@github-actions github-actions released this 21 Feb 21:03

Release 0.12.0 (released 2026-02-21)

  • Internal refactoring: introduce superproject & subproject (#896)
  • Switch from pykwalify to StrictYAML (#922)
  • Show line number when manifest validation fails (#36)
  • Add Fuzzing (#819)
  • Don't allow NULL or control characters in manifest (#114)
  • Allow multiple patches in manifest (#897)
  • Fallback and warn if patch is not UTF-8 encoded (#941)
  • Skip patches outside manifest dir (#942)
  • Make patch path in metadata platform independent (#937)
  • Fix extra newlines in patch for new files (#945)
  • Replace colored-logs and Halo with Rich (#960)
  • Respect NO_COLOR <https://no-color.org/>_ (#960)
  • Group logging under a project name header (#953)
  • Introduce new update-patch command (#614)
  • Introduce new format-patch command (#943)
  • Drop python 3.9 support (#988)

0.11.0

Choose a tag to compare

@github-actions github-actions released this 04 Jan 09:02

Release 0.11.0 (released 2026-01-03)

  • Support python 3.14
  • Drop python 3.7, 3.8 support (#801)
  • Don't show animation when running in CI (#702)
  • Improve logic for creating Purls in SBoM (#780)
  • Add External VCS reference to SBoM if possible (#780)
  • Use CycloneDX schema version 1.6 (#542)
  • Add security policy (#784)
  • Add provenance / release attestation to pypi package (#784)
  • Support multiple licenses per project (#788)
  • Add evidence to sbom report (#788)
  • Let action work outside of dfetch repo (#816)
  • Handle SVN tags with special characters (#811)
  • Don't return non-zero exit code if tool not found during environment (#701)
  • Create standalone binaries for Linux, Mac & Windows (#705)
  • Don't make metadata file part of diff (#267)
  • Fix unneeded project prefix in SVN diffs (#888)
  • Add more tests and documentation for patching (#888)
  • Restrict src to string only in schema (#888)
  • Don't consider ignored files for determining local changes (#350)
  • Avoid waiting for user input in git & svn commands (#570)
  • Extend git ssh command to run in BatchMode (#570)
  • Use native line breaks in dfetch freeze & dfetch import (#327)

0.10.0

Choose a tag to compare

@ben-edna ben-edna released this 13 Mar 08:08
  • Support python 3.13
  • Fix too strict overlapping path check (#684)
  • Show complete URL of child manifests (#683)
  • Show remote name when using default remote (#445)
  • Select HEAD branch as default in git (#689)

0.9.1

Choose a tag to compare

@ben-edna ben-edna released this 31 Dec 11:21
  • Fix pypi publishing