Notable changes to the CLI and official extensions are documented in this file.
The sections should follow the order Packaging, Added, Changed, Fixed and Removed.
The format is based on Keep a Changelog.
pipparser failing with whitespace around==in requirement specifier
phylum packageshowing complete packages as analysis failures
phylum packagesubcommand showing unprocessed packages as complete- Packages which cannot be analyzed showing up as having no issues
- Use
suppression_reasoninstead of deprecatedsuppressedfield
- Package subcommand failing to parse API responses
- Extensions for Windows release artifacts
- Phylum project file paths on Windows
- Organization management under the
phylum orgsubcommand - Organization support for existing subcommands
phylum project update --default-labeloption to set a project's default labelphylum project list --no-groupflag to only show personal projects- Full sandbox write access to project directory for building with
yarnextension
- Lockfile parsing of bun-generated yarn lockfiles
- Maven lockfile generation on Windows
phylum batchsubcommand
phylum initwill infer the repository URL fromgit
msbuildparser ignoring uppercaseVersionfields onPackageReference
package-lock.jsonparsing failing for dependencies withoutresolvedfield
- Legacy Gradle lockfiles not overriding manifest files in the same project
- Support for legacy Gradle lockfiles in
gradle/dependency-locks/
- Gradle not generating lockfiles without
dependencyLockingin the manifest
- Sandbox exceptions for
mavenwhen installed viaapt - Log output leaking into
effective-pom.xmlduring lockfile generation
- PNPM v5 lockfile support
- Sandbox exceptions for maven when installed via Homebrew
- Parse
*.csprojfiles withmsbuildparser by default
- PNPM v9 lockfile support
- Support for parsing
go.modfiles with a Go directive of version 1.17 and higher
- Improved
go.sumfile parsing to prevent the parser from listing unused packages
- Sandboxed processes sticking around after CLI is killed with a signal
- Lockfiles with local versions breaking the pip parser
- Lockfile generation not emitting errors for tools writing them to STDOUT
- Improve parsing of non-UTF-8 encoded pom.xml files
SPDXSBOM registry determination from downloadLocationSPDXparsing adding the described package as a dependencySPDXparsing certain text files with optional package fields
- Crashes when parsing invalid lockfiles
phylum group transfersubcommand- Owner email from
phylum group listresults
- Improved sandboxing error message for unsupported kernel versions
- Python lockfile generation with pip in ~/.local
- Python lockfile generation with pyenv
- Parse manifest files with non-standard names
- Lockfile generation for gradle installed under
/opt/gradle
- Add CVE data to
issueDetailsentries when--jsonflag is used forphylum package
- Renamed multiple CLI arguments to avoid the term
lockfilein places where manifests are also accepted - Renamed
lockfileskey inphylum status --jsonoutput todependency_files
- Show project ID after project creation
skip-sandboxoption forparse/analyzeto generate lockfiles without sandbox protectionno-generationoption forparse/analyzeto disable lockfile generation- Optional
--projectand--grouparguments forphylum project status
- Aliased dependency names in
package-lock.json - Aliased dependency names in
yarn.lock
- Gradle lockfile generation with
build.gradle.ktsmanifests - Lockfile generation for non-workspace pnpm projects
- Fixed issue parsing BOM files containing unsupported ecosystems
- Support for the upcoming repository URL feature for
init/project create - New
phylum project updatecommand to update project name and repository URL - New
phylum project statuscommand to print current project information
- Path dependencies for pnpm lockfiles
- Automatic manifest resolution with
init,parse,analyze, andstatuswill no longer return manifests in subdirectories of other manifests
- Pip requirements.txt parser failing with third-party registries
- Workspace lockfile generation for cargo, npm, yarn, and pnpm
- Go lockfile generation
- Ignored manifests with a different ecosystem's lockfile in a parent directory
- Package header printed even when all issues were suppressed
- Parsing fails for extraneous npm packages in package-lock.json
- Support for ingesting CycloneDX
bom.jsonandbom.xmlfiles phylum auth list-tokenssubcommand to list API tokensphylum auth revoke-tokensubcommand to revoke API tokensphylum auth create-tokensubcommand to create API tokens- Ruby ecosystem extension for
bundle - Rust ecosystem extension for
cargo
Gemfile.lockparsing with zero dependencies- Incorrect line numbers when printing errors in TypeScript extensions
- Absolute paths submitted when analyzing manifest files
- Ecosystem extensions not pre-checking
remove/uninstalloperations - Disabled update and uninstall commands in completion for Homebrew users
- Generating lockfiles for
*.csprojfiles
- Include lockfile paths when analyzing projects
- Generate and use API Keys instead of OpenID Connect tokens
- Search for manifests' lockfiles in parent, rather than child directories
- Support for NuGet's
packages.lock.jsonlockfiles - Support for
pnpm-lock.yamllockfiles
- New output format for
phylum analyzeandphylum history <job-id> - Ignore
setup.pywhen apyproject.tomlis present
- Correctly handle line continuations and --hash in
requirements.txtparser - Ecosystem extensions failing with valid arguments
- Lockfile generation for yarn v1
- Add support for parsing additional SPDX locator formats
- Print package manager STDERR when lockfile generation fails
- Use
pipinstead ofpip-toolsfor Python lockfile generation
- Show correct error messages when parsing SPDX SBOMs
- Support more Python manifest files:
requirements.in,setup.py,setup.cfg - Recognize all
requirements*.txtfile names as Python lockfiles
- Allow external
node_modulesdependencies inpackage-lock.json
- CLI will look for the corresponding lockfile when analyzing a manifest file
- Allow analyzing manifest files by generating lockfiles on-demand
phylum statuscommand for printing project and lockfile details- Support
npm-shrinkwrap.jsoninphylum npmextension
pipparser fails for some lines containing commentsyarnparser fails with empty lockfiles
- Handle null job labels in
phylum history --project
- Add extension changelog by @cd-work (#1019)
- Add base option to
phylum analyzeby @cd-work (#1008)
- Switch to policy endpoint for job results by @cd-work (#1006)
- Reformat
phylum historyoutput by @kylewillmon (#1010)
- Allow
phylum pip install -e .on macOS by @kylewillmon (#1017) - Skip analysis with empty package list by @cd-work (#1007)
- Remove
phylum project set-thresholdssubcommand by @cd-work (#1004) - Remove request type from global config by @kylewillmon (#1001)
- Add SPDX SBOM parser by @ejortega (#963)
- Add
pipextension as official extension by @kylewillmon (#980) - Use recursive lockfile search for
phylum initby @cd-work (#979)
- Use
--dry-runoutput forpoetryextension by @cd-work (#957) - Switch default subcommand from
listtohelpby @cd-work (#959) - Fix inconsistent
phylum initwhitespace by @cd-work (#964) - Remove
--forceoption fromphylum analyzeby @kylewillmon (#966) - Move extension API source to extension directory by @cd-work (#969)
- Improve sandboxed process failure message by @cd-work (#972)
- Allow calling
phylumfrom subdirectories by @matt-phylum (#974) - Improve lockfile parsing errors by @cd-work (#992)
- Fix
phylum project linkoverwriting project file by @cd-work (#995) - Add SPDX tag:value parser by @ejortega (#978)
- Make
phylum packagetype argument mandatory by @cd-work (#997)
- Add automatic lockfile detection by @cd-work (#950)
- Fix project history endpoint by @cd-work (#947)
- Fix Go parser ignoring dependencies by @cd-work (#944)
- Improve
phylum initUX by @cd-work (#936)
- Add multi-lockfile ecosystems to analysis summary by @cd-work (#925)
- Add option to specify multiple lockfiles on CLI by @cd-work (#927)
- Fix poetry extension by @cd-work (#926)
- Fix install with poetry extension by @cd-work (#930)
There are no breaking changes in this release. Projects may like to take
advantage of the new .phylum_project file format which accounts for multiple
lockfiles. To do so, simply run the phylum init command from the root of the
project directory. As long as the project and group names used are the same as
before, the existing project ID will be re-linked.
- Add
phylum group deletesubcommand by @cd-work (#916) - Add multi-lockfile support to
phylum initby @cd-work (#910)
- Abort on unknown extension subcommands by @cd-work (#915)
- Fix gem parser for dependencies without version by @cd-work (#919)
- Add multi-lockfile support to
.phylum_projectby @kylewillmon (#902) - Make config file write atomic by @cd-work (#892)
- Fix sandbox executable path resolution by @cd-work (#905)
- Submit single package with
phylum packageby @kylewillmon (#880)
- Fix parser lockfile consistency by @cd-work (#882)
- Add deno.window lib reference to extension_api.ts by @kylewillmon (#890)
- Add
phylum group transfersubcommand by @cd-work (#833) - Add extension helpers for direct API requests by @cd-work (#868)
- Add
--reauthflag tophylum auth loginby @kylewillmon (#879)
- Fix subdir analysis without lockfile parameter by @cd-work (#845)
- Add possible values to
phylum init -tby @cd-work (#849) - Reorder project initialization by @cd-work (#848)
- Ignore parent directory projects for
phylum initby @cd-work (#840) - Skip backup for non-intercepted ecosystem commands by @cd-work (#859)
- Traverse directories to find ecosystem root by @cd-work (#861)
- Restore files on ecosystem extension API failure by @cd-work (#866)
- Fix group prompt during
phylum initby @cd-work (#869) - Don't warn about config search if we didn't recurse by @kylewillmon (#870)
- Downgrade linux builder to 20.04 by @kylewillmon (#835)
- Add poetry lockfile v2 support by @cd-work (#780)
phylum auth set-tokenby @kylewillmon (#786)- Add
--lockfile-typeoption tophylum analyzeby @cd-work (#798) - Add
phylum initsubcommand by @cd-work (#801) - Add lockfile path and type to .phylum_project by @cd-work (#806)
- Add
unsandboxed_runmanifest permission by @cd-work (#777) - Add group member management subcommands by @cd-work (#809)
- Add ignore scripts when updating package-lock.json by @louislang (#791)
- Require "selfmanage" feature flag for
phylum updateby @kylewillmon (#797) - Remove $PATH exception for
runpermission by @cd-work (#784) - Clarify connection between read and run permissions by @kylewillmon (#802)
- Fix
phylum batchcommand by @kylewillmon (#813) - Remove minisign artifacts by @kylewillmon (#815)
- Fix regressions in #816 by @kylewillmon (#817)
- Fix package-lock parsing with 3rd-party registries by @cd-work (#828)
- Avoid stdout when run with
--jsonby @maxrake (#787)
- Permissions extensions API by @andreaphylum (#767)
- Fix environment variable permission prompting by @cd-work (#766)
- Add default sandbox exception for $PATH by @cd-work (#772)
- Fix --package-type option by @kylewillmon (#774)
- Improve strictness of Gradle parser by @cd-work (#771)
- Avoid stdout when run with
--jsonby @kylewillmon (#773) - Re-execute phylum for sandboxing extensions by @cd-work (#765)
- Added ignore certs flag by @andreaphylum (#779)
- Clean up options by @maxrake (#768)
- Add sandbox to extensions API by @cd-work (#673)
- Allow upgrade in phylum extension install by @kylewillmon (#693)
- Include pre-installed extensions by @kylewillmon (#702)
- Add CLI flags for log level control by @cd-work (#731)
- Create project extensions API by @andreaphylum (#709)
- Sign archives with openssl by @kylewillmon (#724)
- Add support for parsing golang lockfiles by @ein-tier (#720)
- Add support for parsing cargo lockfiles by @JosephPhylum (#743)
- Fix local yarn filesystem dependencies by @cd-work (#691)
- Add
./prefix to extension install suggestions by @cd-work (#713) - Add extension description to help output by @cd-work (#730)
- Improve extension subcommand conflict resolution by @cd-work (#740)
- Fix NPM dependency bundling by @cd-work (#750)
- Fix verbosity errors by @cd-work (#749)
- Improve
phylum historyUUID error message by @cd-work (#753) - Fix CLI certificate override modifying config by @cd-work (#747)
- Fix NPM dependency bundling by @cd-work (#752)
- Handle
legacypoetry source type by @louislang (#681) - Fix extension name regex by @cd-work (#684)
- Send an appropriate User-Agent header by @kylewillmon (#666)
- Remove XDG migration code by @kylewillmon (#677)
- NPM and Yarn extensions do not properly exit on threshold violation by @cd-work (#660)
- Duplicate dependencies in
package-lock.jsonaren't handled properly by @cd-work (#661)
- Add support for native certificate store by @cd-work (#652)
- Add project extension APIs by @cd-work (#647)
- Update shim for musl to gnu is broken by @maxrake (#650)
- CLI Extensions by @cd-work @kylewillmon and @andreaphylum
- Restore error trace output by @kylewillmon (#595)
- Use POST for job submission instead of PUT by @kylewillmon (#533)
- Switch to new project thresholds endpoint by @cd-work (#626)
- Fix PHYLUM_API_KEY overwriting config token by @cd-work in #631
- Fix parsing gradle lockfile without classpath by @cd-work in #627
- Fix link dependencies in yarn parser by @cd-work in #621
- Add git dependency support to package-lock.json by @cd-work in #623
- Fix
phylum updatezip decompression errors by @cd-work (#613)
- Remove warnings from generic lockfile parser by @cd-work (#558)
- Remove deprecated
phylum history projectby @cd-work (#563) - Refactor CLI output formatting by @cd-work (#564)
- Ignore empty refresh token from environment by @matt-phylum (#584)
- Better error messages by @kylewillmon (#588)
- Support effective-pom files with site information by @ejortega (#550)
- Fix CI release readme release process by @cd-work (#553)
- Add support for effective-pom.xml workspaces by @cd-work (#493)
- Add
phylum project deletecommand by @kylewillmon (#527) - Add aarch64-unknown-linux-musl builds to release by @kylewillmon (#528)
- Add detailed messages for HTTP conflicts by @cd-work (#491)
- Show a spinner while waiting for API by @samtay (#476)
- Don't require Job ID for
phylum historycommand by @kylewillmon (#525) - Remove user ID from analysis output by @cd-work (#545)
- Add support for
gradle.lockfileby @cd-work (#405) - Add CONTRIBUTING.md documentation by @cd-work (#436)
- Fix stack overflow on Windows by @cd-work (#425)
- Fix error when parsing otherArchives pom.xml field by @cd-work (#458)
- Added build script as workaround for Window debug builds by @andreaphylum (#462)
- Fix messed up spinner output by @samtay (#464)
- Fix SHELL env var assumed to exist during install by @maxrake (#471)
- Use new API endpoint for OIDC redirect by @cd-work (#399)
- Emit unique exit code when failing thresholds by @cd-work (#406)
- Ignore certs everywhere when requested by @kylewillmon (#389)
- Remove Web UI link from analyze output by @cd-work (#397)
- Don't use streaming parsers by @kylewillmon (#401)
- Bump phylum_types version by @kylewillmon (#409)
- Add group support by @cd-work (#381)
- Fix yarn v1 parser with quoted version key by @cd-work (#383)
- Use new format for package analysis endpoint by @cd-work (#384)
- Create
phylum parsecommand by @kylewillmon (#362) - Improve handling of HTTP JSON error responses by @cd-work (#365)
- Improve error messages with HTTP failures by @cd-work (#358)
- Fix non-frozen Pipfile suffix by @cd-work (#366)
- Use new endpoint for ping by @kylewillmon (#369)
- Add support for patched deps in yarn lockfile by @cd-work (#343)
- Add support for http(s) and ssh resolvers in yarn lockfiles by @cd-work (#345)
- Add explicit option to disable thresholds from CLI by @cd-work (#329)
- Don't panic in the javascript lockfile parser by @kylewillmon (#340)
- Use better error for missing lockfiles by @cd-work (#352)
- Add
--bearerparameter tophylum auth tokenby @cd-work (#320)
- Resolve project create errors by @kylewillmon (#332)
- Follow XDG directories spec by @cd-work (#251)
- Existing installs will have config file moved automatically
- Add
uninstallsubcommand to phylum by @cd-work (#239) - Add
--projectparameter tophylum analyzeby @cd-work (#280) - Improve tab completion in ZSH for file path arguments by @kylewillmon (#300)
- Create app directories with mode 700 by default by @cd-work (#289)
- Remove header from
phylum history --jsonoutput by @cd-work (#290) - Fix formatting of
phylum historyproject scores by @cd-work (#297) - Add newline to shell rc files before Phylum entries by @cd-work (#291)
- Filter non-PyPI dependencies from poetry lockfile by @cd-work (#273)
- Hide the
--prereleasearg inphylum updateby @kylewillmon (#302) - Deprecate
phylum history projectby @cd-work (#290) - Remove PyO3 bindings by @eeclfrei (#295)
- Add yarn v2 lockfile support by @cd-work (#247)
- Parse package extras in Python requirements.txt files by @kylewillmon (#271)
- Rename projects subcommand to project by @kylewillmon (#282)
- Improved scripting support
- Remove checkmark from
auth tokencommand by @cd-work (#261) - Set appropriate exit codes on failure by @cd-work (#260)
- Remove checkmark from
- Format "Last updated" field with ISO 8601 by @cd-work (#257)
- Truncate excessive project names by @cd-work (#262)
- Remove table header from projects list json by @cd-work (#264)
- Document the name argument for projects subcommand by @kylewillmon (#283)
- Continue install/upgrade even if quarantine flag isn't found by @kylewillmon (#249)
- Replace Language/Type with Ecosystem by @cd-work (#248)
- Use git_version for version numbers by @kylewillmon (#243)
- Use Ecosystem in
phylum packageoutput by @cd-work (#255) - Add support for new npm package-lock format by @cd-work (#242)
- Create phylum auth token command by @mdx97 (#217)
- Add Python poetry.lock support by @cd-work (#238)
- Add maven support by @ejortega (#178)
- Fix pypi parsing by @ejortega (#182)
- Standardize package type names / add nuget package type by @eeclfrei (#181)
- Add lockfile parsing for C# by @eeclfrei (#189)
- Allow binary to be run without config file by @kylewillmon (#196)
- Restrict settings.yaml file permissions by @kylewillmon (#219)
- Add email to
phylum auth statusby @cd-work (#227) - Fix cryptic errors with invalid auth token by @cd-work (#233)
- Migrate install script to POSIX sh by @cd-work (#235)
- Bring Oauth Support to CLI by @DanielJoyce (#118)
- Better error handling by @DanielJoyce (#145)
- Swap out static_init module for lazy_static by @DanielJoyce (#146)
- Gather files from static builder by @louislang (#147)
- Adding release script by @eeclfrei (#150)
- Updates for recent api changes by @eeclfrei (#160)
- Update sha2 crate due to RUSTSEC-2021-0100 by @ejortega (#161)
- Adding m1/arm build by @eeclfrei (#162)
- Include the error message associated with an http error by @eeclfrei (#163)
- Readme update for v1.2.0 by @furi0us333 (#164)
- Update install script to support m1/arm by @eeclfrei (#165)
- Bump version v1.2.0 by @louislang (#168)
- Option to ignore cert check; various bugfixes
- Add issues filtering; display / error codes cleanup
- Bugfix for deserialization issue
- Tab completion support for zsh and fish
- Support for tmpfs
- Updates to signature verification
- Add support for submitting Python packages; signature verification on upgrade
- Add support for automatically building macOS release
- Add formatted output; refactor subcommands; many other changes for improved usability
- Adding synch submit requests
- Add support for projects and project labels / decrease verbosity of package status
- Minor update to API response format; add
--thresholdargument tostatuscommand
- Update response format of the
statuscommand to match API changes.
- Add support for listing / submitting heuristics.
- Initial release.