0.13.0

Release 0.13.0 (released 2026-03-30)

• Add archive (vcs: archive) support for fetching dependencies from .tar.gz, .tgz, .tar.bz2, .tar.xz and .zip files via HTTP, HTTPS or file URLs (#1058)
• Fix path-traversal check using character-based prefix comparison instead of path-component comparison (#1058)
• Fix directory hash being non-deterministic across filesystem traversal orders, causing false local-change detection (#1058)
• Fix dfetch freeze not capturing branch information for SVN projects when only the revision matched (#1058)
• Rename child-manifests to sub-manifests in documentation and code (#1027)
• Fix missing closing quote in unfetched-project diagnostic command example (#1070)
• Fetch git submodules in git subproject at pinned revision (#1013)
• Add nested projects in subprojects to project report (#1017)
• Make dfetch report output more yaml-like (#1017)
• Don't break when importing submodules with space in path (#1017)
• Warn when src: glob pattern matches multiple directories (#1017)
• Introduce new add command with optional interactive mode (-i) (#25)

0.12.1

Release 0.12.1 (released 2026-02-24)

• Fix missing unicode data in standalone binaries (#1014)

0.12.0

Release 0.12.0 (released 2026-02-21)

• Internal refactoring: introduce superproject & subproject (#896)
• Switch from pykwalify to StrictYAML (#922)
• Show line number when manifest validation fails (#36)
• Add Fuzzing (#819)
• Don't allow NULL or control characters in manifest (#114)
• Allow multiple patches in manifest (#897)
• Fallback and warn if patch is not UTF-8 encoded (#941)
• Skip patches outside manifest dir (#942)
• Make patch path in metadata platform independent (#937)
• Fix extra newlines in patch for new files (#945)
• Replace colored-logs and Halo with Rich (#960)
• Respect NO_COLOR <https://no-color.org/>_ (#960)
• Group logging under a project name header (#953)
• Introduce new update-patch command (#614)
• Introduce new format-patch command (#943)
• Drop python 3.9 support (#988)

0.11.0

Release 0.11.0 (released 2026-01-03)

• Support python 3.14
• Drop python 3.7, 3.8 support (#801)
• Don't show animation when running in CI (#702)
• Improve logic for creating Purls in SBoM (#780)
• Add External VCS reference to SBoM if possible (#780)
• Use CycloneDX schema version 1.6 (#542)
• Add security policy (#784)
• Add provenance / release attestation to pypi package (#784)
• Support multiple licenses per project (#788)
• Add evidence to sbom report (#788)
• Let action work outside of dfetch repo (#816)
• Handle SVN tags with special characters (#811)
• Don't return non-zero exit code if tool not found during environment (#701)
• Create standalone binaries for Linux, Mac & Windows (#705)
• Don't make metadata file part of diff (#267)
• Fix unneeded project prefix in SVN diffs (#888)
• Add more tests and documentation for patching (#888)
• Restrict src to string only in schema (#888)
• Don't consider ignored files for determining local changes (#350)
• Avoid waiting for user input in git & svn commands (#570)
• Extend git ssh command to run in BatchMode (#570)
• Use native line breaks in dfetch freeze & dfetch import (#327)

0.10.0

• Support python 3.13
• Fix too strict overlapping path check (#684)
• Show complete URL of child manifests (#683)
• Show remote name when using default remote (#445)
• Select HEAD branch as default in git (#689)

0.9.1

• Fix pypi publishing

0.9.0

• Warn user if the remote does not exist (#185, #171)
• Report unavailable project version during check (#381)
• Don't look for update on random branch if only revision is provided in git (#393)
• Don't report update available if revision on disk matches revision in manifest for git (#393)
• Report the revision available in git if only revision is in git (#393)
• Add ignore list to project entries in the manifest (#571)

0.8.0

• Don't break if no suggestion found (#358)
• Drop python 3.6 support (#386)
• Fix checking project from svn branch (#383)
• Move all configuration into single pyproject.toml (#401)
• Also build for python 3.11, 3.12 in CI
• Add 3.11, 3.12 classifier to pyproject
• When importing non-std SVN external, identify src path

0.7.0

• Warn about local changes during check (#286)
• Add support for Gitlab-CI/Code Climate check reports (#18)
• Improve Sarif/github messages (#292)
• Update to CycloneDX spec 1.4 (#296)
• Never overwrite main project folder and manifest (#302)
• Add codespell and fix typo's (#303)
• Add warning to metadata file, not to change it (#170)
• Fix SBoM report (#337)
• Suggest a correct project name if not found (#320)
• Handle relative urls during dfetch import (#339)

0.6.0

• Pin dependencies
• Recommend child-projects instead of fetching (#242)
• Show spinner when fetching (#264)
• Don't allow path traversal for dst path
• Check for casing issues in dst: path during update (#256)
• Check for overlapping destinations of projects (#173)
• Handle invalid metadata file (#280)
• Update to CycloneDX spec 1.3 (#282)
• Make it possible to generate jenkins and sarif json report for check (#18)