v0.2.89

Compare Source

Changelog

Other

• 4f41128 chore: bump VERSION to 0.2.89
• 123167d build(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.9.0 (#​6089)

v2.93.0: GitHub CLI 2.93.0

Compare Source

Security

A security vulnerability has been identified, and fixed, that would incorrectly include authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.

Users are advised to update gh to version v2.93.0 as soon as possible.

For more information see: GHSA-8xvp-7hj6-mcj9

Support agents in gh secret command set

The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".

What's Changed

✨ Features

• Allow agents as application for secrets by @​tenjaa in #​13421

🐛 Fixes

• fix(pr): remove numberFieldOnly optimization that skips API validation by @​williammartin in #​13327
• Print gh auth refresh for 401 returns by @​333fred in #​13068
• Derive digest algorithm from ref length in release verify commands by @​bdehamer in #​13430

📚 Docs & Chores

• Add missing //go:build integration tag to verify_integration_test.go by @​pdostal in #​13303
• Fix flaky accessible prompter Password test timeout by @​pdostal in #​13304
• Enable extended PR screening for external PRs by @​tidy-dev in #​13312
• Grammar fixes by @​scop in #​13326
• Bump gh copilot telemetry sampling to 100% by @​williammartin in #​13362
• Record accessibility feature state in telemetry by @​williammartin in #​13363
• Poll TTY echo mode instead of sleeping in password tests by @​pdostal in #​13305
• Switch from actions/attest-build-provenance to actions/attest by @​scop in #​13325
• Fix skills acceptance tests by @​williammartin in #​13365
• Bump Go toolchain to 1.26.3 by @​Copilot in #​13367
• Trigger triage check-requirements on ready_for_review by @​BagToad in #​13383
• fix(copilot): hint to run copilot directly when exec fails by @​babakks in #​13393
• Update installation commands for GitHub CLI by @​sassdawe in #​13126
• Update CODEOWNERS for skills directory ownership by @​williammartin in #​13416
• fix(telemetry): prevent tzutil console flash on Windows by @​adehad in #​13353
• Fix bump-go.sh to tolerate missing toolchain directive by @​Copilot in #​12581
• docs: drop --repo gh-cli from dnf install lines by @​c-tonneslan in #​13444
• Remove third-party license debris by @​williammartin in #​13470
• Remove dependency on persistent token by @​williammartin in #​13474
• Remove discussion workflow by @​williammartin in #​13476
• Stop bumping homebrew on release by @​williammartin in #​13479
• build: update golang.org/x/crypto by @​tommaso-moro in #​13486
• Add 3 day dependabot cooldown period by @​williammartin in #​13488
• Run govulncheck daily instead of weekly by @​williammartin in #​13487
• SHA pin first-party GitHub Actions by @​williammartin in #​13491
• Link to Accessibility category for community discussions instead of ACR by @​mxie in #​13481
• docs: fix duplicated "of" in release-process-deep-dive by @​vip892766gma in #​13425
• chore(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 by @​BagToad in #​13510
• docs: note immutable releases starting v2.93.0 by @​BagToad in #​13518
• fix CI attestation integration tests after rename by @​BagToad in #​13536

Dependencies

• chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 by @​dependabot[bot] in #​13297
• chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 by @​dependabot[bot] in #​13328
• chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 by @​dependabot[bot] in #​13381
• chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @​dependabot[bot] in #​13396
• chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @​dependabot[bot] in #​13346
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @​dependabot[bot] in #​13397
• chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @​dependabot[bot] in #​13420
• chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @​dependabot[bot] in #​13436
• chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @​dependabot[bot] in #​13461
• chore(deps): bump github/codeql-action from 4 to 4.35.5 by @​dependabot[bot] in #​13489
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.4.1 to 2.4.2 by @​dependabot[bot] in #​13462
• chore(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by @​dependabot[bot] in #​13457

New Contributors

• @​pdostal made their first contribution in #​13303
• @​333fred made their first contribution in #​13068
• @​scop made their first contribution in #​13326
• @​sassdawe made their first contribution in #​13126
• @​adehad made their first contribution in #​13353
• @​c-tonneslan made their first contribution in #​13444
• @​tenjaa made their first contribution in #​13421
• @​mxie made their first contribution in #​13481
• @​vip892766gma made their first contribution in #​13425

Full Changelog: cli/cli@v2.92.0...v2.93.0

v0.71.0

Compare Source

⚡ Highlights ⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

v0.11.18

Compare Source

Released on 2026-06-01.

Performance

• Fix performance regression in unzip of local wheels (#​19637)

Preview

• Add uv check to run ty from uv (#​19605)

Bug fixes

• Update activation scripts with upstream fixes (#​19628)

Other changes

• Bump MSRV to 1.94 (#​19600)

v0.11.17

Compare Source

Released on 2026-05-28.

Enhancements

• Add a diagnostic for uv add with standard library modules (#​19572)
• Expose uv workspace and its list subcommand in help output (#​19533)
• Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#​19521)
• Skip direct URL lock freshness checks while offline (#​19596)
• Add import-names and import-namespaces support to uv-build (PEP 794) (#​19380)
• Add a --no-editable-package flag to various commands (#​19584)
• Infer Python version requests from source trees in uv tool invocations (#​19577)

Preview features

• Add module owners to uv workspace metadata (#​19122)
• Do not allow uv venv --clear to remove non-virtual environments (#​19595)

Bug fixes

• Improve the performance of large entries in tool.uv.conflicts (#​19538)
• Avoid modifying the parent process' env with --env-file in uv run (#​19567)
• Fix script environment creation for scripts with long filenames (#​19539)
• Fix transitive Git archive dependencies in lockfiles (#​19589)
• Preserve Git repository URLs in direct URL metadata (#​19590)
• Support redirects in --check-url (#​19594)
• Accept case-insensitive HTML tags in --find-links parsing (#​19537)
• Reject duplicate script metadata blocks (#​19544)
• Ban names like "python3" as script entry points (#​19535, #​19536)
• Validate Git LFS artifacts for Git archives (#​19592)
• Use a relative path when creating symlinks in cache to improve relocatability (#​19033)

Documentation

• Fix malformed positional anchors in the CLI reference (#​19575)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#​10072)
• Adjust hint rendering (#​18090)

Preview features

• uv audit: specialize malformed OSV error (#​19515)
• Reject locked malware installations (#​18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)

Bug fixes

• Allow environment variables that take a list to be empty (#​19503)
• Ensure that incompatible wheel hints do not leak secrets (#​19504)
• Reject unsafe entry points in uv-build (#​19495)
• Restrict delimiters in entry point parsing (#​19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#​19475)

v0.11.15

Compare Source

Released on 2026-05-18.

Security

• Fix a TAR partial differential, see GHSA-3cv2-h65g-fgmm (#​19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#​19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
• Add support for Azure request signing (#​19421)
• Apply stricter validation to all wheel filename segments (#​19364)
• Reject empty strings as an invalid package name (#​19435)
• Use structured errors for signing authentication failures (#​19422)

Preview

• uv audit: Add JSON output (#​19305)

Configuration

• Respect required-environments in uv pip compile (#​19378)

Performance

• Avoid parsing JSON manifest when local Python is available (#​19398)
• Avoid walking nested directories in linker conflict registration (#​19382)
• Optimize async wheel ZIP writing (#​19383)
• Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)

Bug fixes

• Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
• Skip empty directories in uv build outputs (#​19437)
• Fix Git submodule handling when using relative paths (#​12156)
• Fix line number reporting in netrc parsing (#​19452)

Documentation

• Move Bazel auth helper setup into integration guide (#​19392)