What's Changed

• Add CodSpeed continuous performance testing by @codspeed-hq[bot] in #282
• fix(fuzz): migrate fuzz targets to name_span/version_span API by @mpiton in #287
• fix(parsers/cargo): guard against TextSize underflow on malformed input by @mpiton in #288
• fix(parsers/cargo): exclude trailing newline from line_ranges by @mpiton in #289
• [US] pnpm-workspace-catalog-support: support pnpm workspace catalog dependencies by @mpiton in #318
• chore(deps): update project dependencies by @mpiton in #319
• chore(release): prepare v1.9.0 by @mpiton in #320

Full Changelog: v1.8.1...v1.9.0

Contributors

• @mpiton

What's Changed

• fix(npm): accept boolean deprecated field on version metadata by @mpiton in #278
• chore(release): v1.8.1 by @mpiton in #279

Full Changelog: v1.8.0...v1.8.1

Contributors

• @mpiton

What's Changed

• deps: consolidate Dependabot updates (April 2026) by @mpiton in #251
• Track Cargo dep package field, and name and version lines by @DanikVitek in #250
• feat: Add Maven/pom.xml support (#223) by @mpiton in #252
• refactor: drop unused Serialize/Deserialize derives on Dependency/Span by @mpiton in #254
• feat: scan lockfiles for transitive vulnerability detection (#224) by @mpiton in #255
• feat(scan): add HTML output format for vulnerability reports by @mpiton in #260
• fix: handle bare PEP 440 pre-release in version comparison (#154) by @mpiton in #261
• feat: add 'Ignore package' code action (#226) by @mpiton in #262
• document npm OSV vulnerability scan by @mpiton in #264
• fix: limit OSV RustSec advisory concurrency by @mpiton in #265
• fix(registries): sanitize repository and homepage URLs for npm and Packagist (#230) by @mpiton in #266
• perf(cache): make ReadCache/WriteCache async, offload SQLite to spawn_blocking by @mpiton in #267
• feat(cache): hybrid memory+SQLite advisory cache for RustSec data by @mpiton in #268
• refactor(parsers): introduce LockfileResolver trait (#239) by @mpiton in #269
• refactor(python): decompose parse_pyproject_toml using taplo spans (#240) by @mpiton in #270
• perf(parsers): replace string-scan with span-aware JSON parser (#236) by @mpiton in #271
• chore: untrack docs/plans by @mpiton in #272
• docs: enhance API documentation with Rustdoc comments by @mpiton in #273
• chore(docs): enforce rustdoc quality via lints + CI by @mpiton in #274
• docs(tutorials): add contributor guide for adding languages by @mpiton in #275
• docs: comprehensive architecture guide for contributors (#232) by @mpiton in #276
• chore(release): v1.8.0 + dependabot upgrades by @mpiton in #277

Full Changelog: v1.7.0...v1.8.0

Contributors

• @DanikVitek
• @mpiton

What's New

Added

• Add support for PEP 735 [dependency-groups] in pyproject.toml — versioned dependencies are parsed, include-group references and unversioned items are skipped (#219)
• Add support for Hatch environment dependencies in pyproject.toml ([tool.hatch.envs.*]) and hatch.toml ([envs.*]), parsing both dependencies and extra-dependencies (#220)

Changed

• Bump sha2 from 0.10 to 0.11 in dependi-zed (digest 0.11 migration)
• Bump actions/configure-pages from v5 to v6 and actions/deploy-pages from v4 to v5 in CI
• Update all Cargo lockfiles with latest compatible dependency versions

Security

• Bump requests from 2.32.4 to 2.33.0 in Python fuzz corpus — insecure temp file reuse in extract_zipped_paths() (#213)

Full Changelog: v1.6.1...v1.7.0

What's Changed

• feat(python): add support for PEP 735 [dependency-groups] by @benediktziegler in #219
• feat(python): add hatch env parsing support by @benediktziegler in #220
• chore(deps): bump requests from 2.32.4 to 2.33.0 in /dependi-lsp/fuzz/corpus/fuzz_python by @dependabot[bot] in #213
• ci: bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #214
• ci: bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #215
• deps: bump sha2 0.10→0.11 and update all lockfiles by @mpiton in #221
• chore: release v1.7.0 by @mpiton in #222

New Contributors

• @benediktziegler made their first contribution in #219

Full Changelog: v1.6.1...v1.7.0

Contributors

• @mpiton
• @dependabot
• @benediktziegler

Fixed

• Fix false-positive "update available" diagnostic when Cargo.lock contains multiple versions of the same crate (e.g., hashbrown 0.15.5 pulled by a transitive dep and hashbrown 0.16.1 used directly). The root package's dependencies list is now used to select the correct locked version (#210)

Full Changelog: v1.6.0...v1.6.1

What's Changed

• fix: resolve correct version for multi-version crates in Cargo.lock by @mpiton in #211
• chore: release v1.6.1 by @mpiton in #212

Full Changelog: v1.6.0...v1.6.1

Contributors

• @mpiton

Highlights

• Lockfile resolution for all 8 ecosystems — eliminates false-positive "update available" warnings by reading resolved versions from lockfiles (Cargo.lock, package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock, poetry.lock, uv.lock, go.sum, composer.lock, pubspec.lock, packages.lock.json, Gemfile.lock)
• MSRV bump to Rust 1.94 — enables stable let-chains, fmt::from_fn, and inlined format args
• hashbrown HashMap/HashSet — replaces std::collections for more flexible usage and reduced allocations
• GLIBC 2.17 compatibility — Linux binaries now work on Ubuntu 22.04 and WSL via cargo-zigbuild

Added

• Add lockfile version resolution for Node.js, Python, Go, PHP, Dart, C#, and Ruby ecosystems (#186)

Changed

• Bump MSRV from 1.85 to 1.94; adopt stable let-chains, fmt::from_fn, and inlined format args
• Use hashbrown::Hash{Map, Set} instead of std::collections::Hash{Map, Set}
• Update toml 1.0.6 → 1.0.7 and transitive dependencies

Fixed

• Fix false-positive "update available" reports with minimal version syntax via Cargo.lock resolution (#184)
• Fix false-positive vulnerability reports by normalizing version operators (#181)
• Fix GLIBC compatibility on older Linux systems (Ubuntu 22.04, WSL) (#198)
• Fix hardcoded "crates.io" in yanked diagnostics, negative timestamps, hover panel version, and truncation edge case (#201)
• Use async I/O for lockfile discovery; use env::var_os for CARGO_HOME

Security

• Update rustls-webpki 0.103.9 → 0.103.10 (certificate revocation fix)
• Update aws-lc-sys 0.38.0 → 0.39.0 (CRL and X.509 Name Constraints fix)

Full Changelog: v1.5.0...v1.6.0

What's Changed

• fix: normalize version operators before OSV queries by @mpiton in #182
• fix: use Cargo.lock resolved versions for minimal version syntax by @mpiton in #185
• feat: add Node.js lockfile version resolution by @mpiton in #190
• feat: add Python lockfile version resolution by @mpiton in #191
• feat: add Go lockfile version resolution (go.sum) by @mpiton in #192
• feat: add PHP lockfile version resolution (composer.lock) by @mpiton in #194
• feat: add Dart lockfile version resolution (pubspec.lock) by @mpiton in #195
• feat: add C# lockfile version resolution (packages.lock.json) by @mpiton in #196
• feat: add Ruby lockfile version resolution (Gemfile.lock) by @mpiton in #199
• fix: use cargo-zigbuild to target GLIBC 2.17 for Linux builds by @mpiton in #200
• feat: Bump MSRV to 1.94 and utilize new language features by @DanikVitek in #197
• fix: pre-existing bugs found during PR #197 review by @mpiton in #202
• chore(deps): Update dependencies and fix security vulnerabilities by @mpiton in #205
• docs: sync documentation with current codebase state by @mpiton in #206
• refactor: remove deprecated Cache type alias by @mpiton in #207
• refactor: Use hashbrown::HashMap instead of std::collections::HashMap by @DanikVitek in #204
• chore: release v1.6.0 by @mpiton in #208

New Contributors

• @DanikVitek made their first contribution in #197

Full Changelog: v1.5.0...v1.6.0

Contributors

• @DanikVitek
• @mpiton

Highlights

• Clickable dependency links — package names now link to their registry pages (crates.io, npm, pub.dev, PyPI, etc.) (#171)
• Linux ARM64 support — release binaries for devcontainers on Apple Silicon (#169)
• r2d2_sqlite replaced — custom ConnectionManager unblocks future rusqlite upgrades (#178)

What's Changed

Added

• Add clickable links on dependency names to open package registry pages (#171)
• Add Linux ARM64 (aarch64-unknown-linux-gnu) release binary (#169)

Changed

• Replace r2d2_sqlite with custom SqliteConnectionManager (#178)
• Bump rusqlite from 0.38 to 0.39 (bundled SQLite 3.51.3)
• Bump reqwest from 0.12 to 0.13 (rustls default TLS backend)
• Bump chrono 0.4.44, toml 1.0.6, tracing-subscriber 0.3.23

Removed

• Remove r2d2_sqlite dependency

Fixed

• Fix pubspec.yaml inline comments showing false positive outdated warnings (#170)

Security

• Bump quinn-proto to 0.11.14 (RUSTSEC-2026-0037)
• Bump time to 0.3.47 (RUSTSEC-2026-0009)

Full Changelog: v1.4.4...v1.5.0

What's Changed

• fix: disable ANSI escape sequences in LSP log output by @mpiton in #163
• chore: consolidate CI dependency upgrades and bump Cargo packages by @mpiton in #164
• chore: release v1.4.4 by @mpiton in #165
• feat: add Linux ARM64 release binary for devcontainers on Apple Silicon by @mpiton in #174
• fix: strip inline YAML comments from pubspec.yaml versions by @mpiton in #175
• feat: add clickable document links to package registry pages by @mpiton in #176
• chore: bump reqwest to 0.13, chrono, toml, tracing-subscriber by @mpiton in #177
• refactor: replace r2d2_sqlite with custom ConnectionManager by @mpiton in #179
• release: 1.5.0 by @mpiton in #180

Full Changelog: v1.4.3...v1.5.0

Contributors

• @mpiton

What's Changed

• fix: disable ANSI escape sequences in LSP log output by @mpiton in #163
• chore: consolidate CI dependency upgrades and bump Cargo packages by @mpiton in #164

Full Changelog: v1.4.3...v1.4.4

Contributors

• @mpiton

What's Changed

• Better detection of python requirements and constraints by @dargor in #156
• fix: handle pre-release versions in Python ~= operator by @mpiton in #157
• ci: grant checks:write permission to security-audit job by @mpiton in #158
• chore: release v1.4.3 by @mpiton in #159

Full Changelog: v1.4.2...v1.4.3

Contributors

• @dargor
• @mpiton

What's Changed

• fix: handle Python compatible release operator (~=) correctly by @mpiton in #152
• chore: release v1.4.2 by @mpiton in #153

Full Changelog: v1.4.1...v1.4.2

Contributors

• @mpiton