Releases: git-pkgs/pin

v0.1.0

13 May 09:30
b33d931

Changelog

  • 84e98d2 --frozen fails fast before any network
  • dc4ef88 Add alias "install" to sync command
  • 77478e9 Benchmarks for hot paths + make bench
  • cd33dca Cache Sigstore TUF root locally
  • d30fd07 Constraint resolution and lock-is-sticky
  • 98aea98 GitHub forge artifact attestations
  • 3ee411f GitHub forge sources, purl-driven dispatch
  • 062bf17 Hello world
  • db8645f Manifest trust: block
  • e8b8c8f Manifest, integrity, and lockfile-as-CycloneDX
  • 9ca3a1b Module format sniffing
  • 0148fad README
  • 43d181d README: cover v0.2 features and the full command set
  • 6902403 Record jsdelivr URL in lockfile externalReferences
  • 383677c Remove Homebrew Cask configuration for the pin project
  • b33d931 Remove examples folder
  • 1afd959 SPEC.md: normative pin.lock schema
  • edb3337 Security audit pass + SECURITY.md
  • aaf6e67 THREAT_MODEL.md: structured adversary-by-asset model
  • 57f4cb8 Update readme
  • c7b34bf User-Agent, strip_sourcemap, --strip-pin: three small wins from M1-M13
  • d351cc0 assets runtime helper
  • 6dbc2ce bump sigstore-go transitives to clear govulncheck
  • af1dc0b dep-baseline: pin GOOS=linux + LC_ALL=C for reproducibility
  • 80ecc56 doc comments on the 17 missing exported identifiers in the pin root
  • b96b5df docs trope pass + move SECURITY into docs/
  • b2d8177 drop pre-tag version references
  • 4c2976d drop unused manifest.Trust.TrustedIssuers field
  • fc62350 errgroup-bounded parallel resolve in Sync
  • 047152c examples/ + library API docs
  • ca36de8 fuzz tests for the three parsers that take untrusted bytes
  • f352945 fuzz: manifest.AddEntry / RemoveEntry — surfaced three real bugs
  • 2f32feb fuzz: safeOut path-traversal final check
  • 537bba9 fuzz: sniff.Format, integrity.ParseSRI, npm.IsSticky, npm.findSignature
  • c846920 gitattributes: force LF on text files so Windows golden tests pass
  • f7e2d08 goreleaser config and release workflow
  • a734b6e internal/safehttp: SSRF dial gate + redirect bounds
  • dd61a6e lock.Write: drop the canonicalize round-trip; add Sync + Verify benchmarks
  • dc32c79 normaliseRepoURL strips github subpath segments
  • 7cb88e1 npm dist.signatures verification
  • 8232711 npm source: registry-anchored resolution
  • bd59bc7 outdated: license_change column, unmaintained signal; update tests
  • a1edb5b outdated: skip non-npm sources cleanly
  • 2edf421 parallelise per-entry network within each source resolver
  • 83cbd37 pin add
  • d34786b pin init, rm, list, path
  • 494430b pin outdated
  • 834881f pin sbom
  • 74ac76e pin sync --no-fetch: cheap post-checkout assertion for CI
  • a11e9f2 pin sync end-to-end
  • 6dd85b8 pin update
  • 585124e pin verify
  • b5099f9 pin.Client: shared state + RegisterResolver plug-in surface
  • 4dfb738 plug-in dispatch routes Resolve through c.resolvers
  • 2385134 pre-tag cleanup: lift modules, adopt upstreams, plumb safety nets
  • 243b309 rename lock.Asset.SourceRepository to lock.Asset.Repository
  • b328ba5 rename npm.normalizeRepoURL to canonicalRepoURL
  • 76c553a rename source/sigstoreverifier to source/sigstore
  • c992a0c scripts/generate-{man,docs}: cobra → man pages + markdown reference
  • 495aa6d ship-blockers: parallel-add test, golden lockfile, CI goreleaser check, Homebrew cask block
  • c3e68cd sniff: handle minified ESM with no space after export/import
  • c5598c7 sniff: scan head + tail, tolerate trailing CJS shim
  • cbe5ea4 source.ProvenanceVerifier interface; forge --verify-provenance
  • 82f3938 source/attestation: shared SLSA bundle parser, zero pin coupling
  • a5c7bb2 split sync.go: trust.go + resolve.go
  • a4f0908 sync polish: prune empty dirs, skip identical lockfile write, --json
  • 61d070b test coverage: cli integration + pin root gaps + npm.Status
  • 3b0b82e typed sentinel errors for failure-mode dispatch
  • 14079fa url: source support (TOFU integrity)
  • 466cb79 v0.2: CI nudge + provenance-downgrade detection in outdated
  • d2e8eba v0.2: cryptographic sigstore bundle verification
  • 418b61f v0.2: min_release_age cooldown
  • dc2f532 v0.2: provenance recording
  • 91d19c3 v0.2: publisher-matches-repository check
  • 710e609 verify --strict re-derives npm hashes from the tarball