Tags from git-pkgs

v0.15.1

2026-03-05T18:36:36Z

Merge pull request #163 from git-pkgs/bump-purl-v0.1.9

Bump github.com/git-pkgs/purl from 0.1.8 to 0.1.9

v0.15.0

2026-02-27T10:26:26Z

Merge pull request #140 from git-pkgs/update-dependencies

Update git-pkgs dependencies

v0.14.0

2026-02-16T11:47:46Z

Merge pull request #120 from git-pkgs/generate-docs

Add Hugo doc generator for website command reference

v0.13.2

2026-02-10T11:42:06Z

Update module versions for user-agent support

registries v0.2.4, vulns v0.1.2, enrichment v0.1.1

v0.13.1

2026-02-09T11:41:13Z

Replace go-git gitignore matcher with custom implementation (#99)

* Replace go-git gitignore matcher with custom implementation

go-git's gitignore.Matcher doesn't handle negation patterns correctly.
Repos with deny-by-default .gitignore patterns (/* then !.github/) cause
DependenciesInWorkingDir and where to skip entire directory trees that
should be visible, breaking diff on clean working trees.

Add internal/gitignore package with a matcher that correctly implements
gitignore semantics: last-match-wins, directory-only trailing slash,
leading/middle slash anchoring, ** in all positions, and pattern scoping
for nested .gitignore files. Verified against git check-ignore.

Remove LoadIgnoreMatcher/IgnoreMatcher from repository.go. Add
GetExcludeDirs for configurable directory skipping via git config.

Ref #98

* Skip escaped wildcards test on Windows

The "escaped wildcards" test case creates files named hello* and hello?
on disk, which Windows does not support. Skip this case on Windows since
it's a filesystem limitation, not a matcher bug.

* Fix phantom diffs for packages with multiple versions in lockfiles

npm lockfiles can contain the same package at multiple versions due to
dependency hoisting (e.g. [email protected] and [email protected]). Both computeDiff
and AnalyzeCommit used single-value maps keyed by package name, so
duplicate versions collapsed to whichever was iterated last. When the
database and working tree paths iterated in different orders, this
produced phantom "modified" entries on clean workspaces.

Replace single-value maps with multi-maps in both locations:

- computeDiff: group by manifest:name, compare version sets when a
package appears at multiple versions
- AnalyzeCommit: replace beforeByName/afterByName with multi-maps so
PreviousRequirement reflects the actual replaced version

Fixes #53

* Support POSIX character classes in gitignore patterns

Git's wildmatch supports POSIX character classes like [[:space:]],
[[:alpha:]], [[:digit:]] inside bracket expressions. Our parseBracket
found the first ] as the closing bracket, splitting [[:space:]] into
[[:space:] plus a literal ]. Fix by skipping past [:...:] sequences
when scanning for the closing bracket.

Test cases adapted from git/t/t3070-wildmatch.sh, including multiple
classes in one bracket and mixing ranges with POSIX classes.

* Handle backslash escapes inside bracket expressions

In wildmatch, \X inside a bracket expression means literal X. The
bracket parser was blindly doubling all backslashes for the regex
engine, which broke patterns like [\-_] (literal dash and underscore),
[\1-\3] (range 1-3), and [[-\]] (range [ to ]).

The fix processes escape sequences during both bracket scanning (so \]
does not prematurely close the bracket) and content building (so \X
resolves to the literal character).

* Use github.com/git-pkgs/gitignore v0.1.0

Replace the internal gitignore package with the standalone module.

* Bump gitignore to v1.0.0

v0.13.0

2026-02-07T12:01:57Z

v0.12.0

2026-02-06T13:06:42Z

Merge pull request #92 from git-pkgs/use-shared-enrichment

Replace internal enrichment with shared module

v0.11.6

2026-02-05T16:49:23Z

v0.11.5

2026-02-05T12:28:54Z

Ignore git submodules when scanning for manifests (#76)

Fixes #72

Manifests and lockfiles found in git submodule directories are now properly ignored by default when scanning the working directory. This prevents dependencies from submodules being incorrectly reported as part of the main repository.

A new --include-submodules flag allows opting in to scanning submodules when needed.

The implementation uses go-git's native Worktree.Submodules() API to detect submodule paths, which are then filtered out during filesystem walks in both the analyzer and where command.

Changes:
- Added GetSubmodulePaths() method to Repository using go-git's submodule support
- Updated DependenciesInWorkingDir() to skip submodule directories by default
- Updated where command to skip submodule directories by default
- Added --include-submodules persistent flag to opt in to scanning submodules
- Updated diff command to respect the flag
- Added comprehensive tests for submodule filtering
- Documented the flag in README.md and docs/internals.md

v0.11.4

2026-01-31T21:28:25Z

v0.11.4

- Fix vulnerability scanning with proper version comparison
- Include Go dependencies in vulnerability scanning
- Auto-reindex in bisect when commits are not indexed
- Group manifest and lockfile entries in history output
- Use purl library for vulns sync PURL generation