Releases: gooddata/gooddata-goodchanges

Release v0.24.0

08 Jun 11:14
dcf7086

Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.24.0
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.24.0

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.24.0 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.24.0/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges
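
Each archive is published with a matching .sha256 asset, but the command above pipes the download straight into tar without checking it. The script below is an added example, not part of the project's release notes: it downloads the archive and its .sha256 file and extracts only when the digests match. It assumes the .sha256 file carries the hex digest as its first whitespace-separated field; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify a goodchanges release archive against its published
# .sha256 asset before extracting or installing it.
# Assumption: the .sha256 file holds the hex digest as its first
# whitespace-separated field (bare digest, or "digest  filename").

BASE_URL="https://github.com/gooddata/gooddata-goodchanges/releases/download"

# Print the SHA-256 of a file as lowercase hex.
# Linux ships sha256sum; macOS ships shasum.
sha256_of() (
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print tolower($1) }'
)

# Print the expected digest from a .sha256 file. Prints nothing and fails if
# the first field is not exactly 64 hex characters (for example an HTML error
# page that was saved in place of the checksum).
expected_sha256() (
    awk 'NF { print tolower($1); exit }' "$1" 2>/dev/null |
        grep -E '^[0-9a-f]{64}$'
)

# Return 0 only if the archive's digest equals the published one.
verify_asset() (
    want=$(expected_sha256 "$2") || true
    got=$(sha256_of "$1")
    [ -n "$want" ] && [ -n "$got" ] && [ "$want" = "$got" ]
)

# Download, verify, then extract and install. Nothing is unpacked unless the
# digest matches. Usage: install_verified 0.24.0 linux-amd64
install_verified() (
    version=$1
    platform=$2
    asset="goodchanges-${platform}.tar.gz"
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp" || exit 1
    # -f makes curl fail on HTTP errors instead of saving the error page.
    curl -fsSLO "${BASE_URL}/v${version}/${asset}" || exit 1
    curl -fsSLO "${BASE_URL}/v${version}/${asset}.sha256" || exit 1
    verify_asset "$asset" "${asset}.sha256" || {
        echo "checksum mismatch for ${asset}, refusing to install" >&2
        exit 1
    }
    tar xzf "$asset" || exit 1
    chmod +x "goodchanges-${platform}"
    sudo mv "goodchanges-${platform}" /usr/local/bin/goodchanges
)

# Only touch the network when asked to:
#   sh install-verified.sh install 0.24.0 linux-amd64
if [ "${1:-}" = "install" ]; then
    install_verified "$2" "$3"
fi
```

A checksum served from the same release page catches corrupted or truncated downloads; it does not authenticate the publisher.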

Changelog

[0.24.0] - 2026-06-08

Added

  • CSS/SCSS taint now bridges into JS imports for the "JS-bundled CSS" pattern (most libs/gdc-*). Previously, a changed SCSS file propagated through cross-library @use chains (e.g. gdc-dashboards-runtime/src/styles/app.scss @uses @gooddata/sdk-ui-dashboard) but the taint lived in a separate __css__: namespace that was only matched against style imports. A consumer that pulls the styles in purely via a JavaScript import — import { Root } from "gdc-dashboards-runtime", where Root.tsx does import "./styles/app.scss" — never matched, so prod-affecting CSS changes failed to trigger app targets like gdc-dashboards. Now, while analysing each library (with INCLUDE_CSS=1), a local style file is treated as tainted if it @uses the styles of a CSS-tainted upstream package; any TS file that side-effect-imports that style file inherits taint on its exported symbols, which then rides the normal TS import graph into JS consumers. The __css__ closure is computed before library analysis (and threaded through the per-package upstream-taint filter) so it is available during seeding. This implements Stage 3 of properly-support-tree-shaken-scss-or-scss-modules.md; package.json sideEffects gating is still to come.

[0.23.0] - 2026-06-07

Removed

  • Breaking: The app field on target definitions in .goodchangesrc.json (the "app-relationship" feature) and its IGNORE_APP_RELATIONSHIP env var are removed. Targets are no longer triggered just because a referenced app is affected — linking e2e targets to applications is the caller's responsibility, done after change detection. While this was helpful to us initially, it was later decided to be outside the scope of the change detector, which should be repository agnostic. It also conflated two distinct questions ("which apps need testing" vs "which e2e libs changed directly"), and forced a second invocation with IGNORE_APP_RELATIONSHIP to surface fine-grained detections the app check would otherwise hide. The app field is now silently ignored if present. Also removed the now-unused analyzer.HasTaintedImports helper.

[0.22.0] - 2026-06-07

Changed

  • LOG_LEVEL=BASIC output is now prefixed with [BASIC] on every line, mirroring the existing [DEBUG] prefix. log.Basicf now prepends [BASIC] and appends the trailing newline itself (matching Debugf), so callers no longer carry their own \n. Output is otherwise unchanged.

[0.21.3] - 2026-06-07

Fixed

  • LOG_LEVEL=BASIC (and the BASIC-gated output under DEBUG) emitted nothing. main set the local flagLog from LOG_LEVEL but only ever assigned log.Debug, never log.Basic, so the package-level Basic flag stayed false and every log.Basicf(...) call was silently swallowed. log.Basic is now set from flagLog, restoring the progress/affected-package logging on stderr while the JSON result stays on stdout.

[0.21.2] - 2026-06-01

Fixed

  • Targets that reference an app (e.g. e2e targets with "app": "gdc-analytical-designer") are now triggered when that app is affected via a changed dependency. When TARGETS was set, the relevant-package set was seeded only from each matched target's own package and its transitive dependencies — but a target's app is a logical relationship, not an npm dependency, so the app and its dependency subtree (e.g. the runtime library whose change is meant to trigger the e2e target) were excluded from analysis, produced no taint, and the app-taint check always came up empty. The seed set now also includes td.App (unless IGNORE_APP_RELATIONSHIP is set), so the app and its dependencies are analyzed and the app-taint check fires.

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed...

Release v0.23.0

08 Jun 10:11
8d2ee12

Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.23.0
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.23.0

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.23.0 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.23.0/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.23.0] - 2026-06-07

Removed

  • Breaking: The app field on target definitions in .goodchangesrc.json (the "app-relationship" feature) and its IGNORE_APP_RELATIONSHIP env var are removed. Targets are no longer triggered just because a referenced app is affected — linking e2e targets to applications is the caller's responsibility, done after change detection. While this was helpful to us initially, it was later decided to be outside the scope of the change detector, which should be repository agnostic. It also conflated two distinct questions ("which apps need testing" vs "which e2e libs changed directly"), and forced a second invocation with IGNORE_APP_RELATIONSHIP to surface fine-grained detections the app check would otherwise hide. The app field is now silently ignored if present. Also removed the now-unused analyzer.HasTaintedImports helper.

[0.22.0] - 2026-06-07

Changed

  • LOG_LEVEL=BASIC output is now prefixed with [BASIC] on every line, mirroring the existing [DEBUG] prefix. log.Basicf now prepends [BASIC] and appends the trailing newline itself (matching Debugf), so callers no longer carry their own \n. Output is otherwise unchanged.

[0.21.3] - 2026-06-07

Fixed

  • LOG_LEVEL=BASIC (and the BASIC-gated output under DEBUG) emitted nothing. main set the local flagLog from LOG_LEVEL but only ever assigned log.Debug, never log.Basic, so the package-level Basic flag stayed false and every log.Basicf(...) call was silently swallowed. log.Basic is now set from flagLog, restoring the progress/affected-package logging on stderr while the JSON result stays on stdout.

[0.21.2] - 2026-06-01

Fixed

  • Targets that reference an app (e.g. e2e targets with "app": "gdc-analytical-designer") are now triggered when that app is affected via a changed dependency. When TARGETS was set, the relevant-package set was seeded only from each matched target's own package and its transitive dependencies — but a target's app is a logical relationship, not an npm dependency, so the app and its dependency subtree (e.g. the runtime library whose change is meant to trigger the e2e target) were excluded from analysis, produced no taint, and the app-taint check always came up empty. The seed set now also includes td.App (unless IGNORE_APP_RELATIONSHIP is set), so the app and its dependencies are analyzed and the app-taint check fires.

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, cau...
Release v0.22.0

08 Jun 00:34
f9b97a3

Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.22.0
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.22.0

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.22.0 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.22.0/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.22.0] - 2026-06-07

Changed

  • LOG_LEVEL=BASIC output is now prefixed with [BASIC] on every line, mirroring the existing [DEBUG] prefix. log.Basicf now prepends [BASIC] and appends the trailing newline itself (matching Debugf), so callers no longer carry their own \n. Output is otherwise unchanged.

[0.21.3] - 2026-06-07

Fixed

  • LOG_LEVEL=BASIC (and the BASIC-gated output under DEBUG) emitted nothing. main set the local flagLog from LOG_LEVEL but only ever assigned log.Debug, never log.Basic, so the package-level Basic flag stayed false and every log.Basicf(...) call was silently swallowed. log.Basic is now set from flagLog, restoring the progress/affected-package logging on stderr while the JSON result stays on stdout.

[0.21.2] - 2026-06-01

Fixed

  • Targets that reference an app (e.g. e2e targets with "app": "gdc-analytical-designer") are now triggered when that app is affected via a changed dependency. When TARGETS was set, the relevant-package set was seeded only from each matched target's own package and its transitive dependencies — but a target's app is a logical relationship, not an npm dependency, so the app and its dependency subtree (e.g. the runtime library whose change is meant to trigger the e2e target) were excluded from analysis, produced no taint, and the app-taint check always came up empty. The seed set now also includes td.App (unless IGNORE_APP_RELATIONSHIP is set), so the app and its dependencies are analyzed and the app-taint check fires.

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffec...
Release v0.21.3

07 Jun 02:17
ebb0229

Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.21.3
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.21.3

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.21.3 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.21.3/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.21.3] - 2026-06-07

Fixed

  • LOG_LEVEL=BASIC (and the BASIC-gated output under DEBUG) emitted nothing. main set the local flagLog from LOG_LEVEL but only ever assigned log.Debug, never log.Basic, so the package-level Basic flag stayed false and every log.Basicf(...) call was silently swallowed. log.Basic is now set from flagLog, restoring the progress/affected-package logging on stderr while the JSON result stays on stdout.

[0.21.2] - 2026-06-01

Fixed

  • Targets that reference an app (e.g. e2e targets with "app": "gdc-analytical-designer") are now triggered when that app is affected via a changed dependency. When TARGETS was set, the relevant-package set was seeded only from each matched target's own package and its transitive dependencies — but a target's app is a logical relationship, not an npm dependency, so the app and its dependency subtree (e.g. the runtime library whose change is meant to trigger the e2e target) were excluded from analysis, produced no taint, and the app-taint check always came up empty. The seed set now also includes td.App (unless IGNORE_APP_RELATIONSHIP is set), so the app and its dependencies are analyzed and the app-taint check fires.

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed


Release v0.21.2

31 May 23:42
36ce4e2


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.21.2
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.21.2

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.21.2 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.21.2/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges
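
The install commands above pipe the download straight into tar, although every archive is published with a matching .sha256 asset. The following is an added example, not the project's own installer: it downloads the archive, checks it against that asset, and extracts only on a match. The function names are hypothetical, and it assumes the .sha256 asset is served from the same download path and contains either a bare hex digest or a sha256sum-style "digest  filename" line.

```shell
#!/usr/bin/env bash
# Added example (not from the goodchanges project): verify a release archive
# against its published .sha256 asset before extracting or installing it.

# Print the lowercase hex SHA-256 of a file using whichever tool is present.
# Reading from stdin avoids any filename escaping in the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 <archive> <checksum-file>
# Returns 0 on match, 1 on mismatch, 2 when the inputs are unusable.
# ASSUMPTION: the checksum file's first field is the hex digest.
verify_sha256() {
    vs_archive=$1
    vs_sumfile=$2
    [ -f "$vs_archive" ] && [ -s "$vs_sumfile" ] || {
        echo "missing archive or checksum file" >&2
        return 2
    }
    vs_expected=$(awk 'NR==1 {print tolower($1)}' "$vs_sumfile")
    # Reject anything that is not exactly 64 hex characters, for example an
    # HTML error page saved in place of the checksum.
    case "$vs_expected" in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#vs_expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }
    vs_actual=$(sha256_of "$vs_archive") || return 2
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "checksum mismatch for $vs_archive" >&2
        return 1
    fi
}

# install_goodchanges <version> <platform>, e.g. install_goodchanges 0.21.2 linux-amd64
# Nothing is extracted or installed unless the digest matches.
install_goodchanges() {
    ig_base="https://github.com/gooddata/gooddata-goodchanges/releases/download/v$1"
    ig_asset="goodchanges-$2.tar.gz"
    ig_work=$(mktemp -d) || return 2
    ig_status=0
    {
        # -f makes curl fail on HTTP errors instead of saving the error body.
        curl -fsSL -o "$ig_work/$ig_asset" "$ig_base/$ig_asset" &&
        curl -fsSL -o "$ig_work/$ig_asset.sha256" "$ig_base/$ig_asset.sha256" &&
        verify_sha256 "$ig_work/$ig_asset" "$ig_work/$ig_asset.sha256" &&
        tar -xzf "$ig_work/$ig_asset" -C "$ig_work" &&
        sudo install -m 0755 "$ig_work/goodchanges-$2" /usr/local/bin/goodchanges
    } || ig_status=$?
    rm -rf "$ig_work"
    return "$ig_status"
}
```

A checksum fetched from the same release detects a corrupted or swapped archive, but it does not authenticate the publisher.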

Changelog

[0.21.2] - 2026-06-01

Fixed

  • Targets that reference an app (e.g. e2e targets with "app": "gdc-analytical-designer") are now triggered when that app is affected via a changed dependency. When TARGETS was set, the relevant-package set was seeded only from each matched target's own package and its transitive dependencies — but a target's app is a logical relationship, not an npm dependency, so the app and its dependency subtree (e.g. the runtime library whose change is meant to trigger the e2e target) were excluded from analysis, produced no taint, and the app-taint check always came up empty. The seed set now also includes td.App (unless IGNORE_APP_RELATIONSHIP is set), so the app and its dependencies are analyzed and the app-taint check fires.

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • **Breaki...

Release v0.21.1

31 May 20:50
013f856


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.21.1
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.21.1

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.21.1 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.21.1/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.21.1] - 2026-05-31

Fixed

  • Aliased named imports (import { X as Y }) now propagate taint correctly. The import parser only captured the local binding name (Y) and discarded the original imported name (X), so taint matching — which keys on the name the source module exports — never matched, and propagation stopped at the renamed hop. Imports now carry both names: the source-side name is used to match exported/affected symbols, and the local name is used to scan the importing file's body for usage. This fixes cases like import { Root as InnerRoot } where a change to Root failed to reach the importing file's exports (and therefore its entrypoint and dependent targets).

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • Breaking: .goodchangesrc.json now uses a targets array instead of a single top-level target definition. Each entry in targets is a target object with type, app, targetName, and changeDirs. The ignores field remains at the top level (shared across all targets).

[0.11.2] - 2026-02-14

Fixed

  • Fine-grained detection now seeds taint from changed CSS/SCSS files within the project (with CSS module granularity for *.module.scss/*.module.css)

[0.11.1] - 2026-02-14

Changed

  • Fine-grained detection now uses symbol-level taint propagation matching library analysis: AST diffs identify changed symbols, import graph tracks name mappings, BFS only propagates to importers of actually changed symbols, with intra-file and re-export handling

[0.11...


Release v0.21.0

02 May 08:45
0e8eb07


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.21.0
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.21.0

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.21.0 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.21.0/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.21.0] - 2026-05-02

Added

  • Top-level type field in .goodchangesrc.json ("library" or "app"). When set, overrides the automatic library-vs-app inference from package.json. Invalid values cause a fatal error at startup.

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • Breaking: .goodchangesrc.json now uses a targets array instead of a single top-level target definition. Each entry in targets is a target object with type, app, targetName, and changeDirs. The ignores field remains at the top level (shared across all targets).

[0.11.2] - 2026-02-14

Fixed

  • Fine-grained detection now seeds taint from changed CSS/SCSS files within the project (with CSS module granularity for *.module.scss/*.module.css)

[0.11.1] - 2026-02-14

Changed

  • Fine-grained detection now uses symbol-level taint propagation matching library analysis: AST diffs identify changed symbols, import graph tracks name mappings, BFS only propagates to importers of actually changed symbols, with intra-file and re-export handling

[0.11.0] - 2026-02-14

Added

  • -v / --version flag prints the embedded version from the VERSION file

[0.10.0] - 2026-02-14

Added

  • Fine-grained changeDirs entries now support an optional filter field to narrow output results (e.g. {"glob": "src/**/*", "filter": "src/**/*.test.ts", "type": "fine-grained"} analyzes all files but only returns affected test files)

[0.9.5] - 2026-02-14

Changed

  • Fine-grained changeDirs now AST-diff changed files against the merge base; whitespace-only or comment-only changes no longer cascade through importers

[0.9.4] - 2026-02-14

Fixed

  • Fine-grained BFS propagation now follows re-exports (export { X } from "./foo", `ex...

Release v0.20.0

01 May 13:50
0f923aa


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.20.0
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.20.0

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.20.0 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform | Architecture  | Asset
Linux    | x86_64        | goodchanges-linux-amd64.tar.gz
Linux    | ARM64         | goodchanges-linux-arm64.tar.gz
macOS    | Intel         | goodchanges-darwin-amd64.tar.gz
macOS    | Apple Silicon | goodchanges-darwin-arm64.tar.gz
Windows  | x86_64        | goodchanges-windows-amd64.zip
Windows  | ARM64         | goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.20.0/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.20.0] - 2026-05-01

Changed

  • LOG_LEVEL=BASIC output now goes to stderr instead of stdout. Stdout is reserved for the JSON result, so piping goodchanges | jq … works with logging enabled.

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • Breaking: .goodchangesrc.json now uses a targets array instead of a single top-level target definition. Each entry in targets is a target object with type, app, targetName, and changeDirs. The ignores field remains at the top level (shared across all targets).

[0.11.2] - 2026-02-14

Fixed

  • Fine-grained detection now seeds taint from changed CSS/SCSS files within the project (with CSS module granularity for *.module.scss/*.module.css)

[0.11.1] - 2026-02-14

Changed

  • Fine-grained detection now uses symbol-level taint propagation matching library analysis: AST diffs identify changed symbols, import graph tracks name mappings, BFS only propagates to importers of actually changed symbols, with intra-file and re-export handling

[0.11.0] - 2026-02-14

Added

  • -v / --version flag prints the embedded version from the VERSION file

[0.10.0] - 2026-02-14

Added

  • Fine-grained changeDirs entries now support an optional filter field to narrow output results (e.g. {"glob": "src/**/*", "filter": "src/**/*.test.ts", "type": "fine-grained"} analyzes all files but only returns affected test files)

[0.9.5] - 2026-02-14

Changed

  • Fine-grained changeDirs now AST-diff changed files against the merge base; whitespace-only or comment-only changes no longer cascade through importers

[0.9.4] - 2026-02-14

Fixed

  • Fine-grained BFS propagation now follows re-exports (export { X } from "./foo", export * from "./foo") so barrel files no longer break the chain

[0.9.3] - 2026-02-14

Fixed

  • Fine-grained changeDirs now detect lockfile dependency changes (pnpm-lock.yaml upgrades taint files importing the affected external dep)...

Release v0.19.4

01 May 13:28
75ac258


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.19.4
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.19.4

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.19.4 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform   Architecture    Asset
Linux      x86_64          goodchanges-linux-amd64.tar.gz
Linux      ARM64           goodchanges-linux-arm64.tar.gz
macOS      Intel           goodchanges-darwin-amd64.tar.gz
macOS      Apple Silicon   goodchanges-darwin-arm64.tar.gz
Windows    x86_64          goodchanges-windows-amd64.zip
Windows    ARM64           goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.19.4/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.19.4] - 2026-04-29

Changed

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.
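
The 0.19.1 fix above, as an added Go example that is not goodchanges' own code: it shows why a "*" seed matched by exact name stops at the first hop, while enumerating the entrypoint's exports (through `export *`, with a cycle guard) carries taint to a transitively dependent target. The File and Use types, the "pkg#Name" key format and the lib-a/lib-b/app workspace are assumptions constructed for illustration.

```go
package main

import "fmt"

// File: names a file exports directly, and local files it re-exports via `export *`.
type File struct{ Exports, Star []string }

// Use records that symbol Sym depends on the named import Ref ("pkg#Name").
type Use struct{ Sym, Ref string }

// EnumerateExports follows `export *` recursively; seen guards against cycles.
func EnumerateExports(files map[string]File, file string, seen map[string]bool) []string {
	if seen[file] {
		return nil
	}
	seen[file] = true
	out := append([]string{}, files[file].Exports...)
	for _, next := range files[file].Star {
		out = append(out, EnumerateExports(files, next, seen)...)
	}
	return out
}

// Propagate seeds taint on pkg's exports and applies uses, which must be in
// dependency order. Matching is by exact name, so a "*" seed matches nothing.
func Propagate(uses []Use, pkg string, seed []string) map[string]bool {
	taint := map[string]bool{} // keys are "pkg#symbol" (hypothetical format)
	for _, name := range seed {
		taint[pkg+"#"+name] = true
	}
	for _, u := range uses {
		if taint[u.Ref] {
			taint[u.Sym] = true
		}
	}
	return taint
}

var ( // constructed sample workspace: app imports lib-b, which imports lib-a
	LibA = map[string]File{
		"index.ts":  {Exports: []string{"theme"}, Star: []string{"button.ts"}},
		"button.ts": {Exports: []string{"Button"}, Star: []string{"index.ts"}}, // cycle
	}
	Uses = []Use{
		{Sym: "lib-b#Panel", Ref: "lib-a#Button"},
		{Sym: "app#main", Ref: "lib-b#Panel"},
	}
)

func main() {
	all := EnumerateExports(LibA, "index.ts", map[string]bool{})
	fmt.Println("wildcard seed reaches app:  ", Propagate(Uses, "lib-a", []string{"*"})["app#main"])
	fmt.Println("enumerated seed reaches app:", Propagate(Uses, "lib-a", all)["app#main"])
}
```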

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • Breaking: .goodchangesrc.json now uses a targets array instead of a single top-level target definition. Each entry in targets is a target object with type, app, targetName, and changeDirs. The ignores field remains at the top level (shared across all targets).

[0.11.2] - 2026-02-14

Fixed

  • Fine-grained detection now seeds taint from changed CSS/SCSS files within the project (with CSS module granularity for *.module.scss/*.module.css)

[0.11.1] - 2026-02-14

Changed

  • Fine-grained detection now uses symbol-level taint propagation matching library analysis: AST diffs identify changed symbols, import graph tracks name mappings, BFS only propagates to importers of actually changed symbols, with intra-file and re-export handling

[0.11.0] - 2026-02-14

Added

  • -v / --version flag prints the embedded version from the VERSION file

[0.10.0] - 2026-02-14

Added

  • Fine-grained changeDirs entries now support an optional filter field to narrow output results (e.g. {"glob": "src/**/*", "filter": "src/**/*.test.ts", "type": "fine-grained"} analyzes all files but only returns affected test files)

[0.9.5] - 2026-02-14

Changed

  • Fine-grained changeDirs now AST-diff changed files against the merge base; whitespace-only or comment-only changes no longer cascade through importers

[0.9.4] - 2026-02-14

Fixed

  • Fine-grained BFS propagation now follows re-exports (export { X } from "./foo", export * from "./foo") so barrel files no longer break the chain

[0.9.3] - 2026-02-14

Fixed

  • Fine-grained changeDirs now detect lockfile dependency changes (pnpm-lock.yaml upgrades taint files importing the affected external dep)

[0.9.2] - 2026-02-14

Changed

  • CSS module imports (*.module.scss/*.module.css) with named bindings now use granular taint: only symbols that reference the imported binding are tainted, inst...

Release v0.19.3

28 Apr 15:09
bbe446c


Docker Image

The Docker image for this release has been published to DockerHub:

Repository: gooddata/gooddata-goodchanges

Tags:

  • gooddata/gooddata-goodchanges:0.19.3
  • gooddata/gooddata-goodchanges:latest

Pull Commands

# Pull specific version
docker pull gooddata/gooddata-goodchanges:0.19.3

# Pull latest
docker pull gooddata/gooddata-goodchanges:latest

Run Command

docker run --rm gooddata/gooddata-goodchanges:0.19.3 [command]

Standalone Binaries

Download the binary for your platform from the assets below.

Platform   Architecture    Asset
Linux      x86_64          goodchanges-linux-amd64.tar.gz
Linux      ARM64           goodchanges-linux-arm64.tar.gz
macOS      Intel           goodchanges-darwin-amd64.tar.gz
macOS      Apple Silicon   goodchanges-darwin-arm64.tar.gz
Windows    x86_64          goodchanges-windows-amd64.zip
Windows    ARM64           goodchanges-windows-arm64.zip
All platforms
  • goodchanges-darwin-amd64.tar.gz
  • goodchanges-darwin-amd64.tar.gz.sha256
  • goodchanges-darwin-arm64.tar.gz
  • goodchanges-darwin-arm64.tar.gz.sha256
  • goodchanges-linux-amd64.tar.gz
  • goodchanges-linux-amd64.tar.gz.sha256
  • goodchanges-linux-arm64.tar.gz
  • goodchanges-linux-arm64.tar.gz.sha256
  • goodchanges-windows-amd64.zip
  • goodchanges-windows-amd64.zip.sha256
  • goodchanges-windows-arm64.zip
  • goodchanges-windows-arm64.zip.sha256

Install (Linux/macOS)

# Example: download and install linux/amd64
curl -sL https://github.com/gooddata/gooddata-goodchanges/releases/download/v0.19.3/goodchanges-linux-amd64.tar.gz | tar xz
chmod +x goodchanges-linux-amd64
sudo mv goodchanges-linux-amd64 /usr/local/bin/goodchanges

Changelog

[0.19.3] - 2026-04-28

Changed

[0.19.2] - 2026-04-24

Fixed

  • Bare dynamic import("pkg") calls (e.g. () => import("pkg") passed to a loader, or const mod = await import("pkg") used opaquely without property access) are now recorded as side-effect imports, so taint on the target package propagates to the importing file. Previously only the three pattern forms (var+property-access, destructure, .then callback) produced an Import record, leaving bare calls invisible to taint propagation.

[0.19.1] - 2026-04-23

Fixed

  • Global changeDirs taint now enumerates every export from each entrypoint (including recursively via export * from "./local") instead of seeding a "*" wildcard. Downstream packages consume exports by exact name, so the wildcard never matched named imports — taint stopped at the first hop and targets transitively dependent on the tainted library were missed.

[0.19.0] - 2026-04-20

Added

  • IGNORE_APP_RELATIONSHIP env var. When set, the app field in target configs is ignored — targets are no longer triggered just because their corresponding app is tainted (only direct changes, lockfile changes, and tainted workspace imports apply).

[0.18.1] - 2026-04-13

Changed

[0.18.0] - 2026-04-10

Added

  • Global changeDirs field in .goodchangesrc.json (top-level, next to ignores). Matching files taint all exports (libraries) and trigger all targets in the package.

[0.17.1] - 2026-04-10

Fixed

  • Detect runtime side-effect statements (e.g. console.log()) in entrypoint/barrel files as affecting all exports — previously these were misclassified as "comments/imports only" and seeded zero taint

[0.17.0] - 2026-04-04

Changed

  • Breaking: Lockfile dep change detection now parses old and new pnpm-lock.yaml as YAML (gopkg.in/yaml.v3) instead of diffing text lines. Compares resolved versions for direct deps per importer, and BFS-walks the snapshots section to detect transitive dep version changes — a transitive change taints the direct dep that pulled it in.

[0.16.7] - 2026-04-04

Changed

[0.16.6] - 2026-04-04

Changed

[0.16.5] - 2026-04-04

Changed

[0.16.4] - 2026-04-04

Changed

[0.16.3] - 2026-04-04

Changed

[0.16.2] - 2026-04-04

Changed

[0.16.1] - 2026-04-04

Changed

[0.16.0] - 2026-04-04

Changed

  • Breaking: Merged target and virtual-target types into a unified target definition. The type field is removed. All targets now support app, targetName, changeDirs, lockfile detection, and fine-grained mode. targetName defaults to the package name when not set. changeDirs defaults to **/* when not set.

[0.15.3] - 2026-02-23

Fixed

  • Add intra-file taint propagation after seeding phase in both AnalyzeLibraryPackage and FindAffectedFiles, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts

[0.15.2] - 2026-02-20

Fixed

  • Fix export const/export let declarations not being added to the exports list in the TS parser, causing locally declared exported variables (e.g. export const allScenarios = [...]) to be invisible during entrypoint taint checking

[0.15.1] - 2026-02-17

Changed

[0.15.0] - 2026-02-17

Added

  • lockfileVersion change detection: when lockfileVersion changes in a subspace's pnpm-lock.yaml, all projects in that subspace are treated as having all external deps changed, and all library exports are wildcard-tainted. This propagates transitively through the existing dependency graph and taint analysis.
  • ParseLockfileVersion using proper YAML parsing (gopkg.in/yaml.v3) to compare old vs new lockfile versions

[0.14.2] - 2026-02-16

Added

  • Comprehensive debug logging across all analyzer functions: FindAffectedFiles, FindEntrypoints, CollectEntrypointExports, HasTaintedImports, HasTaintedImportsForGlob, FindCSSTaintedPackages, and import resolution (resolve.go)

[0.14.1] - 2026-02-16

Changed

[0.14.0] - 2026-02-14

Added

  • JSON import taint propagation: changed .json files now taint TS/JS files that import them, with symbol-level granularity based on usage of the imported binding

[0.13.0] - 2026-02-14

Added

  • Per-target ignores field in target definitions. Per-target ignores are additive with the global ignores and only apply to the specific target's detection.

[0.12.0] - 2026-02-14

Changed

  • Breaking: .goodchangesrc.json now uses a targets array instead of a single top-level target definition. Each entry in targets is a target object with type, app, targetName, and changeDirs. The ignores field remains at the top level (shared across all targets).

[0.11.2] - 2026-02-14

Fixed

  • Fine-grained detection now seeds taint from changed CSS/SCSS files within the project (with CSS module granularity for *.module.scss/*.module.css)

[0.11.1] - 2026-02-14

Changed

  • Fine-grained detection now uses symbol-level taint propagation matching library analysis: AST diffs identify changed symbols, import graph tracks name mappings, BFS only propagates to importers of actually changed symbols, with intra-file and re-export handling

[0.11.0] - 2026-02-14

Added

  • -v / --version flag prints the embedded version from the VERSION file

[0.10.0] - 2026-02-14

Added

  • Fine-grained changeDirs entries now support an optional filter field to narrow output results (e.g. {"glob": "src/**/*", "filter": "src/**/*.test.ts", "type": "fine-grained"} analyzes all files but only returns affected test files)

[0.9.5] - 2026-02-14

Changed

  • Fine-grained changeDirs now AST-diff changed files against the merge base; whitespace-only or comment-only changes no longer cascade through importers

[0.9.4] - 2026-02-14

Fixed

  • Fine-grained BFS propagation now follows re-exports (export { X } from "./foo", export * from "./foo") so barrel files no longer break the chain

[0.9.3] - 2026-02-14

Fixed

  • Fine-grained changeDirs now detect lockfile dependency changes (pnpm-lock.yaml upgrades taint files importing the affected external dep)

[0.9.2] - 2026-02-14

Changed

  • CSS module imports (*.module.scss/*.module.css) with named bindings now use granular taint: only symbols that reference the imported binding are tainted, instead of all exports in the file

[0.9.1] - 2026-02-14

Fixed

  • Changed CSS/SCSS files within a library now taint TS files that relatively import them (e.g. `import "./styles.scss...