Releases: oss-review-toolkit/ort

72.3.0

05 Dec 15:27

What's Changed

🐞 Bug Fixes

  • db2bb19 Maven: Handle automatically wrapped p2 dependencies

🎉 New Features

  • 65dbe30 license-fact-providers: Run the license export as a fallback
  • 376cb0a yarn2: Disable the execution of postinstall scripts
  • 483215f yarn2: Enforce using the "node-modules" node linker

🔧 Chores

  • 5b452f3 license-fact-providers: Put an extension property before a function
  • 4a92dda license-fact-providers: Use a bit more compact fallback code

🚀 Dependency Updates

  • 1b60462 update jetbrains/qodana-action action to v2025.2.3

🚜 Refactorings

  • 207f9bd license-fact-providers: Extract getting the license text dir
  • 1bc5d1d yarn2: Do not set the node linker for yarn info

72.2.0

04 Dec 08:50

What's Changed

🐞 Bug Fixes

  • 87ed958 analyzer: Do not fail on paths with unmappable characters
  • 5009713 downloader: Copy non-archive artifacts to the output directory
  • 3544eeb renovate: Fix configuration for JRuby

🎉 New Features

  • da06426 commands: Support checking the syntax of repository config files
  • a6c5282 docker: Set the ANDROID_SDK_ROOT environment variable

✅ Tests

  • 16fe9c5 evaluated-model: Extract a result variable
  • 6c570e3 evaluated-model: Read the input only once
  • b5f0f24 python: Update expected results
  • df3e954 python: Update expected results
  • 350401c vulnerable-code: Add IntelliJ HTTP Client files

🐘 Build & ⚙️ CI

  • c7920ed flox: Add composite environments with external tools
  • 7011d80 flox: Reorganize Flox environments
  • a2752f6 release: Fix setting the Sonatype connect timeout
  • d39d95d renovate: Add a job to validate the Renovate config file

📖 Documentation

  • fcc21dd NOTICE: Add a section for Individual Copyright Holders
  • 2ae22c9 NOTICE: Omit end years from ranges
  • 17fc956 common-utils: Remove an unnecessary comment
  • 53df893 node: Explain why a property needs to be internal
  • 60316b7 Do not conflate Copyright Holders with Authors
  • 39c0f32 Omit Copyright end years from ranges in source code

🔧 Chores

  • ae5142f common-utils: Generalize the name of a variable
  • 92e13c2 downloader: Only log about unpacking if something was unpacked
  • 9748e62 mailmap: Use Frank's gmail address

🚀 Dependency Updates

  • ce89925 Configure renovate for JRuby
  • 7b04d01 Downgrade the JRuby version
  • a49fd20 update actions/checkout digest to 8e8c483
  • fe0ad93 update actions/setup-java digest to f2beeb2
  • 0dfd253 update actions/setup-node digest to 395ad32
  • d450587 update aws-java-sdk-v2 monorepo
  • 08e631b update aws-java-sdk-v2 monorepo to v2.40.1
  • 5b0be2f update com.github.gmazzo.buildconfig to v6.0.6
  • 00b61c5 update dependency @easyops-cn/docusaurus-search-local to v0.52.2
  • 45a2edd update docker/metadata-action digest to c299e40
  • 3383f57 update github/codeql-action digest to fe4161a
  • 7d051a6 update graalvm/setup-graalvm digest to 790e289
  • 93c2922 update jgit to v7.5.0.202512021534-r
  • ccbccc5 update kotest to v6.0.7
  • 29abf45 update software.amazon.awssdk:s3 to v2.40.0

🚜 Refactorings

  • 3208c3c node: Extract "node_modules" to a constant
  • 5f66a7f node: Rework stashing of directories and files

💡 Other Changes

  • 2a9f2b0 style(downloader): Unwrap some logger lines for compactness

72.1.0

27 Nov 12:53

What's Changed

🐞 Bug Fixes

  • ff7d14a schema: Add labels to curations schema
  • 57f8bab schema: Add source_code_origins to curations schema
  • f8e425c yarn2: Ignore any not installed modules

🎉 New Features

  • 5660fe7 common-utils: Make the directory stash also work for files
  • afb0fd2 node: Allow project-specific .npmrc files to be ignored

✅ Tests

  • 956711c common-utils: Give some test variables more speaking names
  • f64a53c common-utils: Make a few directory assertions more strict
  • db9e95a common-utils: Stash directories with actual files inside

🔧 Chores

  • c53d534 common-utils: Add convenience code to stash files
  • abd97bb common-utils: Avoid a suppression by re-ordering code
  • f2f95f0 node: Log about project-specific .npmrc files
  • c8f2892 yarn2: Remove an unused variable

🚜 Refactorings

  • f8d1f95 yarn2: Move the parsing of package.json to Yarn2

72.0.1

27 Nov 08:56

What's Changed

🐞 Bug Fixes

  • 1c3182e node: Add special handling to parse npm login error messages
  • 96dd7e0 yarn2: Make isProject() handle virtual workspace packages

📖 Documentation

  • a157d07 README: Clarify the difference between running Docker images
  • c6a83ee cli: Improve the documentation of ort analyze -i
  • e040df8 spdx: Fix a typo in a parameter name reference
  • b18fe97 Correctly say that by now Java 21 is required

🔧 Chores

  • 5eb4b58 yarn2: Turn isProject() into a val

🚀 Dependency Updates

  • 147b48a update aws-java-sdk-v2 monorepo to v2.39.5
  • d7a40dd update com.autonomousapps:dependency-analysis-gradle-plugin to v3.5.1
  • 0e045b4 update com.github.gmazzo.buildconfig to v6.0.1
  • 9894c9d update com.github.gmazzo.buildconfig to v6.0.2
  • 879dd15 update com.github.gmazzo.buildconfig to v6.0.5
  • 110da7a update com.github.jmongard.git-semver-plugin to v0.17.0
  • 3e83da1 update com.github.jmongard.git-semver-plugin to v0.17.1
  • e5977f8 update github/codeql-action digest to fdbfb4d
  • 7bec2dc update graalvm/setup-graalvm digest to dec5790
  • e16f901 update org.bouncycastle:bcprov-jdk18on to v1.83
  • 7c7b4f9 update org.metaeffekt.core:ae-security to v0.148.0
  • e160332 update org.metaeffekt.core:ae-security to v0.149.0

🚜 Refactorings

  • 27c2e1a node: Extract a long condition to a variable
  • ecf6a28 yarn2: Introduce a class for the locator
  • e24a146 yarn2: Move the logic for isProject to Locator
  • f019963 yarn2: Simplify extracting the module name

💡 Other Changes

  • a14006c Revert "fix(git): Use Apache HttpClient for JGit HTTP transport"

72.0.0

21 Nov 13:56

What's Changed

🛠 Breaking Changes

  • b99f1aa build(gradle)!: Use includeSubprojects for "clients" and "utils"

🐞 Bug Fixes

  • df02d27 docker: Create a directory for the tmpfs mount
  • ebc835c docker: Make importing custom certificates work
  • 92ae160 node: Ensure to use the system certificate authority
  • 196a1f4 vcs: Also update submodules with --init in the fallback
  • 9219ba7 vcs: Make URL replacements also work for the root repository
  • 85ab727 vcs: Properly configure URL replacements for submodules

🎉 New Features

  • b824841 vcs: Allow to replace Git SSH / SCP URLs with HTTPS

✅ Tests

  • 828794e vcs: Simplify Git working tree assertions

🔧 Chores

  • e94a9d1 pnpm: Align on using a single run overload

🚀 Dependency Updates

  • 066c121 update actions/checkout action to v6
  • 3a01f2e update com.github.gmazzo.buildconfig to v6
  • 4594268 update ksp monorepo to v2.3.3
  • a8f4e4f update org.springframework:spring-core to v7.0.1

🚜 Refactorings

  • 2a34302 gradle: Move subproject inclusion logic to a function
  • 90031fc vcs: Use common updateArgs

71.5.0

20 Nov 09:01

What's Changed

🐞 Bug Fixes

  • 96783c1 conan: Fix Conan profile path and file Analyzer roots
  • 5e6ea82 downloader: Do not re-throw if unpackTryAllTypes() failed
  • 04cadf9 git: Use Apache HttpClient for JGit HTTP transport
  • 9e137ea model: Enable the new Spring package curation provider by default
  • 41a3e69 spdx-utils: Make license choice matching order-dependent

🎉 New Features

  • 0288b8f cocoapods: Improve extracting the VCS info
  • d18c822 cocoapods: Improve handling for dependencies with checkout option
  • 7706593 conan: Add configurable optional path of a Conan profile
  • e40ada3 downloader: Add a sanity check on the mime-type for unpackable files
  • be610e3 spring: Automatically curate Spring Boot VCS paths

✅ Tests

  • 6062be1 python: Update expected results

📖 Documentation

  • 26b3611 conan: Add comment why settings are not passed in one case
  • 64d27bc model: Add a reference how to disable the Spring curation provider
  • 001ffc8 Clarify which package curation / configuration providers are added

🔧 Chores

  • c3bb126 evaluator: Shorten a variable name to avoid wrapping
  • 92daf46 evaluator: Simplify code to create a composite provider

🚀 Dependency Updates

  • c995e69 update actions/checkout digest to 93cb6ef
  • 68ad3b1 update aws-java-sdk-v2 monorepo to v2.39.0
  • cbd0eff update com.autonomousapps:dependency-analysis-gradle-plugin to v3.5.0
  • ae9329d update com.charleskorn.kaml:kaml to v0.103.0
  • 111cf53 update com.charleskorn.kaml:kaml to v0.104.0
  • 10b1231 update com.scanoss:scanoss to v0.12.0
  • fac1e49 update github/codeql-action digest to e12f017
  • da62770 update gradle to v9.2.1
  • bf78d00 update jetbrains/qodana-action action to v2025.2.2
  • ddcd6b5 update kotest to v6.0.5
  • 4d5adf4 update okhttp monorepo to v5.3.1
  • 5c6f16e update okhttp monorepo to v5.3.2
  • 67029f7 update org.tukaani:xz to v1.11
  • b27c243 update org.wiremock:wiremock to v3.13.2

🚜 Refactorings

  • e09429d cocoapods: Clear the podspec cache upfront
  • fac0ce5 cocoapods: Factor out CheckoutOption.toVcsInfo()
  • 5114639 cocoapods: Factor out Podspec.toVcsInfo()
  • 82018d9 cocoapods: Factor out getPodspec()
  • 80e3e8a cocoapods: Improve lockfile related variable names
  • 544035b cocoapods: Inline dependencies
  • 00cb532 cocoapods: Inline id
  • d7606a9 cocoapods: Inline a lockfile variable
  • 99edd91 cocoapods: Remove Dependency.resovedPod
  • c3fd049 cocoapods: Remove a usage of Dependency.resolvedPod
  • 9a5b0da cocoapods: Remove two properties from Lockfile.Pod
  • c372599 cocoapods: Simplify withResolvedPaths()
  • 3bc2369 Move Spring-specific logic to a curation provider

71.4.0

14 Nov 09:40

What's Changed

🐞 Bug Fixes

  • 8c23667 fossid-webapp: Do not delete uploaded content after scan

🎉 New Features

  • 8710b76 GradleInspector: Add custom JDK download capability
  • a984ad5 cocoapods: Simplify dependency comparison
  • dcd5e2c ort-utils: Handle macOS in singleContainedDirectoryOrThis()

⚡ Performance Enhancements

  • 65d6eb1 analyzer: Avoid unnecessary graph reconstruction

✅ Tests

  • bf24139 conan: Update expected results
  • 349cfc5 pub: Add a test for lockfile deserialization

📖 Documentation

  • 1573c56 analyzer: Add docs for package manager dependency resolution classes
  • 48a4367 analyzer: Explain how replacing package manager dependencies works
  • 77a4844 analyzer: Improve PackageManagerDependency class docs
  • bdeedb2 pub: Explain the need for the internal buildSerialDescriptor

🔧 Chores

  • f3a1230 analyzer: Add logging for resolving package manager dependencies
  • 2303ec3 analyzer: Simplify the ProjectScopeDependencyNode constructor
  • a795b53 cocoapods: Use the canonical path for running the command
  • 78fce9c common: Normalize the working directory (for logging)
  • f8a1708 pub: Do not call {begin,end}Structure() for YAML serializers
  • f6407bc pub: Simplify parsePubspec() signatures a bit
  • 53c2023 Add early returns for comparing empty dependencies
  • be10d3d Align with new Markdownlint rules
  • 25934a5 Simplify various KSerializers

🚀 Dependency Updates

  • 5be55f5 update github/codeql-action digest to 014f16e
  • fc36bb8 update org.springframework:spring-core to v6.2.13
  • c01c5f1 update org.springframework:spring-core to v7

🚜 Refactorings

  • 2448370 analyzer: Extract the package manager dependency check
  • a57105b ort-utils: Split out downloading the JDK from installJdk

71.3.0

11 Nov 19:43

What's Changed

🎉 New Features

  • f00c59e node: Also guess author names when missing from JsonObjects

🔧 Chores

  • c893430 node: Simplify code a bit by combining author parsing cases

🚀 Dependency Updates

  • 9e024c3 update com.vanniktech:gradle-maven-publish-plugin to v0.35.0
  • c71a6ec update org.graalvm.buildtools:native-gradle-plugin to v0.11.3

🚜 Refactorings

  • aa486b5 analyzer: Separate out utilities to parse author information
  • 55fee4b node: Extract guessing the author name to a common function

💡 Other Changes

  • 6c1faf0 style(node): Remove one level of nesting a when case

71.2.0

11 Nov 10:45

What's Changed

🐞 Bug Fixes

  • a445954 go: Make a ModuleInfoFile's origin optional
  • 6fbea4b model: Fix issues with computing the shortest paths
  • b1a51f0 node: Do not fail completely if parsing a single package fails

🎉 New Features

  • ec50a84 go: Add version and time to ModuleInfoFile for completeness
  • cf5616f go: Make disabling the GOPROXY / "direct" access optional
  • 98caf3f node: Tolerate authors with only an email address

📖 Documentation

  • 43e1070 analyzer: Fix a typo in a code comment
  • 4a83dd2 go: Add a link to the upstream data model for info files
  • dd43e02 go: Be more specific about the directory for .info files

🔧 Chores

  • 722caed buildSrc: Consistently call add on freeCompilerArgs
  • 21324f4 model: Remove a check which cannot fail
  • 746190d model: Simplify getShortestPaths()
  • b781577 model: Use a more speaking and consistent name for parent
  • 538c725 model: Use a more speaking name for node
  • 24c66b4 model: Use a simpler name for pkgRef
  • 0839b7b model: Use destructuring for readability

🚀 Dependency Updates

  • 17f26f5 update aws-java-sdk-v2 monorepo to v2.38.1
  • ef4f461 update ch.qos.logback:logback-classic to v1.5.21
  • 3fdc5f9 update ksp monorepo to v2.3.2
  • a6dd03a update org.asciidoctor:asciidoctorj to v3.0.1
  • 711e74c update org.cyclonedx:cyclonedx-core-java to v11.0.1

🚜 Refactorings

  • 42c4d5e model: Initialize the queue in one line
  • 829f6ac model: Move getShortestPathsForScope() to the top level
  • 1c24c2f model: Move a requires check upwards the call tree

71.1.0

06 Nov 08:47

What's Changed

🐞 Bug Fixes

  • 4d3f6ce fossid: Ignore SocketTimeoutException on deletion of archive
  • c871bbf fossid-webapp: Ignore the archive prefix for marked files

🎉 New Features

  • dc27c01 vulnerable-code: Support getting summary / description information

📖 Documentation

  • b76402b vulnerable-code: Add links to upstream meta data classes
  • 21ba6f9 website: Omit "the" before "ORT"
  • 8b81513 Change Docker container home directory to /home/ort

🔧 Chores

  • ffba120 analyzer: Simplify resolvePackageManagerDependencies() a bit
  • 275226b vulnerable-code: Name all copy() parameters

🚀 Dependency Updates

  • 971e1eb docker: Upgrade to python-inspector 0.15.0
  • 10318a1 update com.autonomousapps:dependency-analysis-gradle-plugin to v3.4.1
  • 5dece62 update com.fasterxml.jackson:jackson-bom to v2.20.1
  • 7f4f6c5 update com.github.gmazzo.buildconfig to v5.7.1
  • ca19cd6 update docker/metadata-action digest to 318604b
  • f9cd7ba update github/codeql-action digest to 0499de3
  • 0fe8cbb update ksp monorepo to v2.3.1
  • c4d8b2b update okhttp monorepo to v5.3.0
  • 1f86fd5 update org.glassfish.jersey.core:jersey-common to v4