Merge remote-tracking branch 'origin/main' into perf/auto-perf-tuning

Claude
2026-05-27 18:11:29 +00:00
+61
@@ -0,0 +1,61 @@
This release patches two security advisories and continues the performance work from v1.14.0 with a persistent token-count cache, plus expanded Dart parsing and Nix support. Updating to 1.14.1 is recommended for all users.
## Security 🔒
### Argument Injection via `--remote-branch` (GHSA-9mm9-rqhj-j5mx)
A crafted `--remote-branch` value could be passed to `git` as an option rather than a ref, enabling argument injection (CWE-88, High). Repomix now validates refs and inserts `--end-of-options` before the ref in `git fetch` and `git checkout`, so a branch value can never be interpreted as a git option.
Special thanks to @kakashi-kx (Abhijith S) for the responsible disclosure! 🎉
### MCP `attach_packed_output` Secret-Scan Bypass (GHSA-hwpp-h97w-2h3j)
The MCP `attach_packed_output` flow could register an arbitrary local file and read it back through `read_repomix_output` / `grep_repomix_output` without the secret scan that `file_system_read_file` applies (CWE-200, Moderate). Those tools now run the same secret scan on attach-sourced files before returning content, closing the bypass.
Special thanks to @dodge1218 for the responsible disclosure! 🎉
## Improvements ⚡
### Expanded Dart Code Parsing (#1515)
The Dart Tree-sitter query now captures mixins, typedefs, getters, setters, and factory constructors. Compressed output (`--compress`) for Dart files now preserves more of the file's structure.
### Content-Addressed Token-Count Disk Cache (#1562, #1580)
Token counts are now cached on disk, keyed by content hash. Re-packing a repository reuses counts for unchanged files instead of re-tokenizing them, and the eager metrics warm-up is skipped when the cache is already populated — speeding up repeated runs on the same repository.
### Faster Binary Detection (#1542)
Repomix now attempts a UTF-8 decode before the binary-file check, avoiding a pathological slow path in the protobuf detector on certain inputs.
### Node.js Support Update (#1556)
Node.js 20 is no longer supported and Node.js 26 is now supported. Repomix requires Node.js 22 or later.
### Available on nixpkgs
Repomix is available in [nixpkgs](https://search.nixos.org/packages?query=repomix), so Nix users can install it directly:
```bash
nix-shell -p repomix
```
## Development 🛠️
### Nix Flake with Development Shell (#1525)
Added a `flake.nix` providing a development shell (Node.js 24 + Git) for contributors using Nix:
```bash
nix develop
```
## How to Update
```bash
npm update -g repomix
```
---
As always, if you have any issues or suggestions, please let us know on GitHub issues or our [Discord community](https://discord.gg/wNYzTwZFku).
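Review bot: The "Node.js Support Update (#1556)" section drops Node.js 20 under Improvements, while the opening paragraph recommends 1.14.1 for all users because it carries the two security fixes. A user still on Node.js 20 cannot follow the `npm update -g repomix` step under "How to Update" without upgrading Node first, and nothing near the security recommendation says so. Suggest stating the Node.js 22 minimum in the opening paragraph or in "How to Update", and marking the support change as breaking rather than listing it only among the improvements.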