Releases: rad1092/gh-dependency-risk
gh-dep-risk 0.2.0
Highlights
- Added Python direct dependency local fallback for `requirements.txt` and PEP 621 `pyproject.toml`.
- Added Poetry and `uv.lock` direct resolved-version/source enrichment.
- Added Go modules `go.mod` local fallback with `go.sum` checksum evidence only.
- Added Yarn Berry / modern Yarn local fallback for direct `package.json` declarations matched to modern `yarn.lock` entries.
- Added Bun text `bun.lock` local fallback and `bun.lockb` unsupported-only handling.
- Hardened edge cases across Python, Poetry, uv, Go modules, Yarn Berry, and Bun.
- Expanded the owned live smoke fixture matrix for read-only release validation.
Scope Boundaries
- Dependency Review API remains the primary path; local fallback runs only when Dependency Review is unavailable.
- No full resolver, full transitive graph reconstruction, registry lookup expansion, `bun.lockb` parser, SARIF output, license risk, OSV, or Socket integration is included in this release.
- The command remains `gh dep-risk`; the stable install path remains `gh extension install rad1092/gh-dep-risk`.
Full Changelog: v0.1.8...v0.2.0
gh-dep-risk 0.1.8
- Fixed local fallback against large lockfiles returned by the GitHub contents API with encoding=none by following the blob object instead of failing early.
- Treated npm and Yarn file/workspace-linked packages consistently as local during fallback analysis so they are excluded from external registry age lookups and external transitive attribution.
- Aligned README, RELEASING, CONTRIBUTING, AGENTS, and smoke-test docs with the shipped support matrix: GitHub dependency review for multiple ecosystems, and local fallback for npm, pnpm, and Yarn Classic only.
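The contents API behaviour behind the 0.1.8 lockfile fix, shown as an added Go example that is not the extension's own code: for files over 1 MiB the GitHub contents endpoint answers with `encoding: "none"` and an empty `content`, and the bytes have to be fetched from the `git_url` blob object instead. The repository, blob SHA, sample lockfile and the `fetch` stub are constructed for the example; the struct fields are the subset of the real API response the logic needs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// contentsFile is the subset of a GitHub contents API response used here. For
// files over 1 MiB the API returns encoding "none" and an empty content field;
// the bytes must then be fetched from git_url (the git blobs endpoint).
type contentsFile struct {
	Encoding string `json:"encoding"`
	Content  string `json:"content"`
	SHA      string `json:"sha"`
	Size     int    `json:"size"`
	GitURL   string `json:"git_url"`
}

// gitBlob is the subset of a git blobs API response used when following git_url.
type gitBlob struct {
	Encoding string `json:"encoding"`
	Content  string `json:"content"`
	SHA      string `json:"sha"`
}

// fetchFunc stands in for an authenticated HTTP GET so the logic runs offline.
type fetchFunc func(url string) ([]byte, error)

// decodeGitHubContent strips the line breaks GitHub inserts into its base64
// payloads, which the standard decoder would otherwise reject.
func decodeGitHubContent(enc string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.Join(strings.Fields(enc), ""))
}

// lockfileBytes resolves the raw lockfile bytes from a contents API response,
// following the blob object instead of failing when encoding is "none".
func lockfileBytes(contentsJSON []byte, fetch fetchFunc) ([]byte, error) {
	var f contentsFile
	if err := json.Unmarshal(contentsJSON, &f); err != nil {
		return nil, fmt.Errorf("decode contents response: %w", err)
	}
	switch f.Encoding {
	case "base64":
		return decodeGitHubContent(f.Content)
	case "none":
		if f.GitURL == "" {
			return nil, fmt.Errorf("encoding none for blob %s but no git_url to follow", f.SHA)
		}
		raw, err := fetch(f.GitURL)
		if err != nil {
			return nil, fmt.Errorf("fetch blob %s: %w", f.SHA, err)
		}
		var b gitBlob
		if err := json.Unmarshal(raw, &b); err != nil {
			return nil, fmt.Errorf("decode blob response: %w", err)
		}
		if b.Encoding != "base64" {
			return nil, fmt.Errorf("blob %s has unexpected encoding %q", f.SHA, b.Encoding)
		}
		// The blob served must be the one the contents listing pointed at.
		if b.SHA != "" && b.SHA != f.SHA {
			return nil, fmt.Errorf("blob sha mismatch: contents %s, blob %s", f.SHA, b.SHA)
		}
		return decodeGitHubContent(b.Content)
	default:
		return nil, fmt.Errorf("unsupported content encoding %q", f.Encoding)
	}
}

// Constructed sample data: a tiny lockfile, a made-up blob SHA and a made-up
// repository URL. Nothing below is fetched from GitHub.
const sampleLock = "lockfileVersion: '9.0'\nimporters:\n  .:\n    dependencies:\n      left-pad:\n        specifier: ^1.3.0\n        version: 1.3.0\n"
const sampleSHA = "0123456789abcdef0123456789abcdef01234567"
const sampleBlobURL = "https://api.github.com/repos/example/app/git/blobs/" + sampleSHA

// githubBase64 mimics GitHub's 60-column line-wrapped base64 output.
func githubBase64(b []byte) string {
	enc := base64.StdEncoding.EncodeToString(b)
	var sb strings.Builder
	for len(enc) > 60 {
		sb.WriteString(enc[:60] + "\n")
		enc = enc[60:]
	}
	sb.WriteString(enc + "\n")
	return sb.String()
}

func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// sampleSmallContents is the shape returned for a file under 1 MiB (inline base64).
func sampleSmallContents() []byte {
	return mustJSON(contentsFile{Encoding: "base64", Content: githubBase64([]byte(sampleLock)), SHA: sampleSHA, Size: len(sampleLock), GitURL: sampleBlobURL})
}

// sampleLargeContents is the shape returned for a large file: encoding none, no content.
func sampleLargeContents() []byte {
	return mustJSON(contentsFile{Encoding: "none", Content: "", SHA: sampleSHA, Size: len(sampleLock), GitURL: sampleBlobURL})
}

// sampleFetch serves the blob for sampleBlobURL and rejects any other URL.
func sampleFetch(url string) ([]byte, error) {
	if url != sampleBlobURL {
		return nil, fmt.Errorf("unexpected URL %s", url)
	}
	return mustJSON(gitBlob{Encoding: "base64", Content: githubBase64([]byte(sampleLock)), SHA: sampleSHA}), nil
}

func main() {
	for _, c := range [][]byte{sampleSmallContents(), sampleLargeContents()} {
		got, err := lockfileBytes(c, sampleFetch)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("resolved %d bytes, matches sample: %v\n", len(got), string(got) == sampleLock)
	}
}
```

The SHA comparison between the contents listing and the served blob is the check worth keeping in a fallback path: it costs nothing and guards against analysing a blob other than the one the pull request's tree actually references.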
gh-dep-risk 0.1.7
Full Changelog: v0.1.6...v0.1.7
gh-dep-risk 0.1.6
Full Changelog: v0.1.5...v0.1.6
gh-dep-risk 0.1.5
Summary
gh-dep-risk is a precompiled GitHub CLI extension for on-demand npm pull request dependency risk review.
This release completes the public release-candidate pass and keeps the extension aligned with its current install and workflow behavior.
Highlights
- Adds an MIT license for clear public reuse and redistribution.
- Aligns README and contributor-facing docs with the current extension install, workflow, and release flow.
- Keeps the product shape unchanged: one Go binary, npm-only scope, on-demand CLI workflow.
Validation
- `go test ./...`
- release workflow completed successfully
- install-smoke completed successfully on Ubuntu, macOS, and Windows
- real PR validation covered `gh dep-risk pr`, `--bundle-dir`, `--comment`, and `--fail-level`
Install
`gh extension install rad1092/gh-dep-risk`
`gh dep-risk version`
Full Changelog
gh-dep-risk 0.1.4
Full Changelog: v0.1.3...v0.1.4
gh-dep-risk 0.1.3
Full Changelog: v0.1.2...v0.1.3
gh-dep-risk 0.1.2
Full Changelog: v0.1.1...v0.1.2
gh-dep-risk 0.1.1
Full Changelog: v0.1.0...v0.1.1