
Releases: tactica/package-audit

v0.6.0

03 Feb 21:41
3dbe6f2

What's Changed

  • Update references from "environments" to "groups" in README.md.
  • Improve error messages for missing or invalid directories.
  • Remove a Bundler warning about an outdated bundler gem version.
  • Add the number of ignored packages to the report when it is empty.
  • Enhance the package summary with ignored counts per category.
  • Add support for Ruby versions 2.6 and 3.3.
  • Add markdown format support for easy pasting into maintenance logs.
  • Add a default CLI command and remove "report" from the CLI.

Bug Fixes

  • Fix an issue that causes ignored packages to be displayed.
  • Fix an issue with handling directory paths that include spaces.
  • Fix an invalid exit code when packages are ignored.

v0.5.1

22 Nov 04:44
42804b3

Fix a bug that hid packages with custom groups.

Any custom groups that were defined by users in Gemfile were ignored because the script incorrectly assumed that only specific groups were allowed to be defined. As a result, the script returned an incomplete list of dependencies.

v0.5.0

16 Nov 19:10
13f1473
  • Fix an issue that used the wrong Gemfile when explicitly specifying project path.
  • Add a loading spinner to indicate that the script is still running.
  • Introduce multi-threading when auditing different technologies. This dramatically speeds up execution when there is more than one technology within a project.
  • Fix an issue with the gem returning an incorrect exit code. Now it correctly returns 0 when no packages are found, and 1 otherwise.
  • Cap non-production environment risk to low (was medium).
  • Introduce the environment filter within the CLI. Now the script can show packages for specific environments only.
  • Change all reports to have the same columns by default to ensure consistency.
  • Remove the need to run bundle install before Ruby auditing. Ruby gems are now resolved remotely instead of locally, which removes the requirement to have the gems installed locally.

v0.4.1

04 Oct 21:11
62a5494

Fix a bug with regex used for parsing yarn.lock. (@NavneetKaur0111)

The previous version of the regex looked for exact package names preceded by any character, which resulted in false matches (e.g. [email protected] matched @types/[email protected]). This caused a crash when the script assumed that the npmjs.com API would contain a date for a non-existent version of the package. The regex now requires that the package name be preceded by a space or a quote, or be placed at the very beginning of the line.
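To illustrate the false match described above, the following added example (not the gem's own parser; the two regexes, the yarn.lock excerpt and its package names and versions are constructed for this page) contrasts a pattern that accepts any preceding characters with one that requires a space, a quote or the start of the line.

```ruby
# Constructed yarn.lock (v1 format) excerpt; names and versions are made up.
YARN_LOCK = <<~LOCK
  "@types/node@^18.0.0", "@types/node@^18.11.0":
    version "18.11.9"
    resolved "https://registry.example.invalid/@types/node/-/node-18.11.9.tgz"

  node@^0.0.0, node@^0.0.1:
    version "0.0.1"

  lodash@^4.17.21:
    version "4.17.21"
LOCK

# Permissive pattern: anything may precede the name, so a lookup for
# "node" also hits the scoped "@types/node" entry (the false match).
def permissive_regex(name)
  /.*#{Regexp.escape(name)}@/
end

# Strict pattern: the name must follow start of line, whitespace or a
# double quote, which excludes "/node@" inside a scoped package name.
def strict_regex(name)
  /(?:^|[\s"])#{Regexp.escape(name)}@/
end

# Returns the entry header lines (those ending in ':') that +regex+ matches.
def matching_entries(lock_text, regex)
  lock_text.each_line.map(&:chomp).select do |line|
    line.end_with?(":") && line.match?(regex)
  end
end

# Headers matched by the permissive regex but not by the strict one.
def false_matches(lock_text, name)
  matching_entries(lock_text, permissive_regex(name)) -
    matching_entries(lock_text, strict_regex(name))
end

if __FILE__ == $PROGRAM_NAME
  puts "false matches for 'node': #{false_matches(YARN_LOCK, 'node').inspect}"
  puts "strict matches for 'node': #{matching_entries(YARN_LOCK, strict_regex('node')).inspect}"
end
```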

v0.4.0

11 Jul 19:42
62a5494
  • Introduce a configuration file to control report options. The script will now automatically look for .package-audit.yml within the project directory.
  • The report will always state the number of packages that were ignored.
  • Introduce a new option --include-ignored to show all packages that are ignored by the configuration file.
  • Introduce a --technology option to limit the report to only specific technologies.
  • When using custom [DIR] to run the report, using the command "report" is no longer necessary.

v0.3.0

06 Jul 03:39
9eb6646
  • Add package-audit to $PATH to run without bundle. The gem executable is now automatically added to $PATH so that it can be run on its own, without having to prefix it with bundle exec.
  • Add an optional working directory in place of the default root. Previously, the gem could be run only within the current directory. This is no longer necessary.
  • Add support for alternate formats of yarn.lock. When npm install is mistakenly used when a yarn.lock exists, a slightly different type of yarn.lock may be generated, which couldn't be parsed by the previous version of the regex. (@NavneetKaur0111)

v0.2.0

11 Jul 19:46
a5d466a

Add automatic detection of Node dependencies using yarn.

All commands now automatically scan for the existence of package.json and yarn.lock and include node modules in the report, if these files are found. package-lock.json is currently not supported.