What's Changed
- fix: correct build summary counts for packages built after verification failure by @leodido in #295
- feat: add OpenTelemetry tracing with build and package spans by @corneliusludmann in #288
- fix: OCI extraction and SBOM export mode detection by @leodido in #296
- fix: skip vulnerability scanning for packages that failed to build by @leodido in #299
- feat: optimize S3 cache performance with batch operations and increased workers by @leodido in #278
- feat: implement dependency-aware download scheduling by @leodido in #279
- fix(yarn): add `--frozen-lockfile` to default install command by @leodido in #301
- docs: add security note about ignore-scripts for yarn packages by @leodido in #302
- fix: validate dependencies after download to prevent cache inconsistency by @leodido in #300
- fix(yarn): patch yarn.lock for link: dependencies and fix extraction path by @leodido in #303
- Fix typos in comments, docs, and tests by @leodido in #304
- fix!: correct typo in vet check name by @leodido in #305
- fix(cache): require dependencies in local cache for cached packages by @leodido in #306
- perf(cache): return detailed download results for smarter cache decisions by @leodido in #307
- perf(cache): add environment variables for S3 cache tuning by @leodido in #308
- fix: make `GetTransitiveDependencies` return deterministic order by @leodido in #309
- fix: add `--sort=name` to tar command for deterministic archives by @leodido in #310
- feat: store SBOM files outside tar.gz artifacts by @leodido in #311
- fix: add -trimpath to default Go build command by @leodido in #312
- fix: skip packages without SBOM during vulnerability scanning by @leodido in #313
- fix: resolve builtin variables in PackageInternal (prep, env) by @leodido in #314
- fix: upload (external) SBOM files alongside artifacts by @leodido in #315
Full Changelog: v0.15.0...v0.16.0