Releases: containerbuildsystem/cachito
cachito-1.13.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- None
Incompatible changes
- None
Improvements
- None
What's Changed
- Fix "library stubs not installed" mypy error by @brunoapimentel in #924
- OpenTelemetry tracing, with jaeger in development environment. by @mike-kingsbury in #923
- Revert "Bump urllib3 from 1.26.17 to 1.26.18" by @mike-kingsbury in #931
- Change env var for OTEL_EXPORTER_OTLP_ENDPOINT to pull from actual en… by @mike-kingsbury in #933
- Removing pytest otel configuration. by @mike-kingsbury in #934
- Change dependabot PR frequency for minor and patch updates by @brunoapimentel in #935
- Github actions: perform an apt-get update before installing packages by @brunoapimentel in #936
- Patch apt-get commands by @ejegrova in #937
- Fix flaky test for request metrics by @lkolacek in #929
Dependabot updates
- gitpython from 3.1.36 to 3.1.37 in #913
- packaging from 23.1 to 23.2 in #920
- urllib3 from 1.26.12 to 1.26.17 in #921
- psycopg2-binary from 2.9.7 to 2.9.9 in #922
- urllib3 from 1.26.17 to 1.26.18 in #926
- gitpython from 3.1.37 to 3.1.40 in #927
- greenlet from 2.0.2 to 3.0.1 in #928
- grpcio from 1.50.0 to 1.53.0 in #930
Full Changelog: cachito-1.12.0...cachito-1.13.0
cachito-1.12.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- Dependency version updates to address CVEs:
  - Bump certifi from 2022.12.7 to 2023.7.22
  - Bump kombu from 5.2.4 to 5.3.2
  - Bump packaging from 21.3 to 23.1
  - Bump actions/checkout from 3 to 4
  - Bump gitpython from 3.1.30 to 3.1.36
  - Bump aiohttp from 3.8.3 to 3.8.5
  - Bump cryptography from 41.0.2 to 41.0.4
  - Bump backoff from 2.1.2 to 2.2.1
  - Bump celery from 5.2.7 to 5.3.4
  - Bump pytest from 7.4.0 to 7.4.2
  - Bump setuptools from 65.6.3 to 68.2.2
  - Bump semver from 2.13.0 to 3.0.1
  - Bump flask-migrate from 4.0.4 to 4.0.5
  - Bump jsonschema from 4.19.0 to 4.19.1
Incompatible changes
- None
Improvements
- Cachito now clones npm git dependencies directly and then calls npm pack on the cloned directory
  - This is safer than calling npm pack on a git reference
cachito-1.11.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- Dependency version updates to address CVEs:
  - Bump attrs from 22.1.0 to 23.1.0
  - Bump cryptography from 39.0.1 to 41.0.2
  - Bump pytest-asyncio from 0.21.0 to 0.21.1
  - Bump jsonschema from 4.17.3 to 4.19.0
  - Bump PyYaml to 6.0.1
  - Bump psycopg2-binary from 2.9.6 to 2.9.7
  - Bump requests from 2.28.1 to 2.31.0
- Updates to the local development environment (docker-compose):
  - Bump athens from 0.11.0 to 0.12.1
  - Bump rabbitmq from 3.9 to 3.11
  - Add docker.io as the default registry name
Incompatible changes
- None
Improvements
- Update base image to Fedora 38:
  - Bump Golang from 1.19 to 1.20
  - Bump npm from 8 to 9
- Update the pip_find_builddeps script to allow the user to specify the use of wheels
cachito-1.10.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- Cachito can now process Go modules replaced by parent paths even if they have a major version in the name (e.g. replace my-parent-module/v3 => ../)
  - However, this only works if the replaced module is one of the packages that Cachito is told to process
Incompatible changes
- None
Improvements
- None
cachito-1.9.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- The _auth setting in generated .npmrc files is now scoped to the nexus proxy repo for the request
- npm indirect git dependencies are now supported
- Dependency version updates to address CVEs:
  - Bump pytest-cov to 4.1.0
Incompatible changes
- None
Improvements
- Support for v3 package-lock.json files introduced in npm v9
cachito-1.8.0
Minimum required Python version
- 3.11
API changes
- The swagger interface was removed (previously added with connexion).
Bug Fixes
- Dependency version updates to address CVEs:
  - Bump pytest-asyncio to 0.21.0
  - Bump pydantic to 1.10.7
  - Bump psycopg2-binary to 2.9.6
  - Bump pytest to 7.3.1
  - Bump flask to 2.2.5
  - Bump prometheus-flask-exporter to 0.22.4
Incompatible changes
- None
Improvements
- Stop reporting false-positive Go modules.
cachito-1.7.0
Minimum required Python version
- 3.11
API changes
- None
Bug Fixes
- Dependency version updates to address CVEs:
  - Bump connexion to 2.14.2
  - Bump pydantic to 1.10.6
Incompatible changes
- None
Improvements
- Set 10 min network-timeout in .yarnrc files to decrease failure rate
- Properly handle yarn workspaces
  - Allow file:<local-path> dependencies if <local-path> is a workspace
  - Do not fail when package.json / yarn.lock references a dependency which isn't locked in yarn.lock (it might be a workspace)
  - Report workspaces even if they're not present in yarn.lock
  - Identify non-dev dependencies of workspaces as non-dev
- Properly handle <alias>@npm:<name> dependencies for yarn
  - See PYarn release 0.2.0
cachito-1.6.0
Minimum required Python version
- 3.11
API changes
- Connexion is now used to validate API input according to the OpenAPI spec
Bug Fixes
- Dependency version updates to address CVEs:
  - Bump cryptography to address GHSA-x4qr-2fvf-3mr5 and GHSA-w7pp-m8wf-vj6r
  - Bump prometheus-flask-exporter to 0.22.3
  - Bump pytest to 7.2.2
Incompatible changes
- None
Improvements
- None
cachito-1.5.0
Minimum required Python version
- 3.11
API changes
- new /sbom?requests=id1,id2 endpoint with sbom in CycloneDX format, for requested request ids
Bug Fixes
- Cachito now properly identifies NPM 'file:' dependencies that point to workspaces
- previously, this only worked if the name of the dependency was exactly the same as the workspace path
- Added additional integration test coverage
not all the same
- workspaces are still not supported for Yarn, only NPM
- When processing gomod dependencies, all invocations of the "go list" command now use the "-e" flag to suppress erroneous errors
- Dependency version updates to address CVEs:
  - Bump prometheus-flask-exporter to 0.22.0
  - Bump pydantic to 1.10.5
  - Bump werkzeug to 2.2.3
Incompatible changes
- None
Improvements
- Cachito images now use a fedora 37 base image, which includes go 1.19
cachito-1.4.0
Minimum required Python version
- 3.10
API changes
- None
Bug Fixes
- pip uses PEP 517 in pip_find_builddeps script
- Updated integration test data for go 1.18.9 stdlib additions
- Dependency version updates to address CVEs:
  - Bump flask to 2.2.2
  - Bump flask-migrate to 4.0.4
  - Bump gitpython to address CVE GHSA-hcpj-qp55-gfph
  - Bump greenlet to 2.0.2
  - Bump pytest to 7.2.1
Incompatible changes
- None
Improvements
- Allowed gomod local replacements from parent directories