v2.4.1

What's Changed

• chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @dependabot[bot] in #718
• Enforce a stricter validation on the repo name for TAP 4 by @rdimitrov in #720

Full Changelog: v2.4.0...v2.4.1

v2.4.0

What's Changed

• Add BitLength validation for SuccinctRoles by @rdimitrov in #716
• Add thread safety documentation for key types by @rdimitrov in #715
• Use restrictive permissions (0700) for cache directories by @rdimitrov in #714
• Breaking change: Replace panic with error return in Key.ID() by @rdimitrov in #713

Full Changelog: v2.3.1...v2.4.0

v2.3.1

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @dependabot[bot] in #702
• Resolve govulncheck errors by bumping go to 1.24.11 by @rdimitrov in #707
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @dependabot[bot] in #704
• modern go (1.20+) improvements by @udf2457 in #705
• chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 by @dependabot[bot] in #706
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @dependabot[bot] in #708
• Perform type assertion by @kommendorkapten in #710
• Add tests for failing type assertions by @rdimitrov in #711
• Verify threshold is valid by @kommendorkapten in #712

Full Changelog: v2.3.0...v2.3.1

v2.3.0

What's Changed

• Update the config for govulncheck by @rdimitrov in #697
• Bump Go to 1.24.9 by @rdimitrov in #698

Full Changelog: v2.2.0...v2.3.0

v2.2.0

What's Changed

• fix: treat http 403 as an updater error by @MDr164 in #687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @dependabot[bot] in #646
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @dependabot[bot] in #690
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @dependabot[bot] in #691
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @dependabot[bot] in #692
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @dependabot[bot] in #693
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @dependabot[bot] in #694

Full Changelog: v2.1.1...v2.2.0

v2.1.1

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @malancas in #686

Full Changelog: v2.1.0...v2.1.1

v2.1.0

What's Changed

• Move the repository package under examples/repository by @rdimitrov in #656
• docs: Joshua retiring as a maintainer by @joshuagl in #657
• fix: multirepo potential nil pointer dereference by @MrDan4es in #658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @dependabot in #661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in #662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @dependabot in #663
• Use the correct verifier for RSA PSS scheme keys by @rdimitrov in #625
• updater.go: replace os.WriteFile with file.Write() by @udf2457 in #669
• Remove readFile() and reverseSlice() in favour of stdlib by @udf2457 in #671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @udf2457 in #675
• Bump Go to 1.22 by @rdimitrov in #677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @dependabot in #679
• chore: make function comment match function name by @suchsoon in #680
• Update README.md by @trishankatdatadog in #681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @dependabot in #683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @malancas in #682
• Allow users to configure retry behavior in DefaultFetcher by @malancas in #684
• Added back timeout to the fetcher DownloadFile method to avoid a breaking change. by @kommendorkapten in #685

New Contributors

• @MrDan4es made their first contribution in #658
• @suchsoon made their first contribution in #680

Full Changelog: v2.0.2...v2.1.0

v2.0.2

What's Changed

• Error in case the delegated role is missing from the snapshot by @rdimitrov in #652

Full Changelog: v2.0.1...v2.0.2

v2.0.1

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @rdimitrov (Thanks to @AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @trishankatdatadog in #647
• Update the staging TUF repo in the multi-repo example by @rdimitrov in #650
• Fix branch name in multi-repo client example by @rdimitrov in #651

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @rdimitrov in #569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @dependabot in #570
• docs: add Marvin Drees to the list of go-tuf maintainers by @rdimitrov in #571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @dependabot in #572
• chore: enable grouping of minor and patch updates. by @kommendorkapten in #580
• fix: update tests.yml bumping golangci-lint by @rdimitrov in #582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #573
• chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @dependabot in #577
• chore(deps): bump the minor-patch group with 2 updates by @dependabot in #581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @rdimitrov in #583
• Update license from BSD-2-Clause to Apache-2.0 by @rdimitrov in #585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @dependabot in #584
• Replace main with master in workflows by @kipz in #587
• Do not pin to minor Go versions in go.mod by @rdimitrov in #588
• Fixes for windows & enable in CI by @kipz in #586
• Bring back SECURITY.md by @trishankatdatadog in #591
• remove dependency on golang.org/x/exp by @mikedanese in #600
• Refactor errors to use pointer receivers by @codysoyland in #602
• move testutils under an ./internal/ directory by @mikedanese in #601
• Enable macos and windows runners for examples.yml and tests.yml by @rdimitrov in #604
• Do not run CI for all Go versions and use caching by @rdimitrov in #606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @dependabot in #610
• Don't rename unless file is in same dir by @jonnystoten in #603
• Use filepath.Join when combining filesystem components by @kommendorkapten in #611
• Always use forward slash when splitting target names by @kommendorkapten in #612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @dependabot in #614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #615
• chore(deps): use stdlib ed25519 instead of x by @MDr164 in #620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in #621
• chore(ci): bump action hashes by @MDr164 in #618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @dependabot in #622
• Silence govulncheck by @MDr164 in #619
• feat: replace logrus in sim with slog by @MDr164 in #617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @udf2457 in #624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @rdimitrov in #626
• fix: use SHA384 for ECDSA P384 by @mrjoelkamp in #629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @dependabot in #627
• Remove nil error from being printed in "persist metadata" error message by @malancas in #633
• fix: deep targets file path by @mrjoelkamp in #632
• feat: add missing CODEOWNERS and MAINTAINERS file by @MDr164 in #635
• Update MAINTAINERS by @trishankatdatadog in #636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @dependabot in #637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #640
• fix: configurable temp file directory by @mrjoelkamp in #638
• export API to set RefTime of Updater by @AdamKorcz in #641
• Add the ability to customize the HTTP user agent by @steiza in #642
• Increase the default value for MaxRootRotations by @kommendorkapten in #645

New Contributors

• @kipz made their first contribution in #587
• @mikedanese made their first contribution in #600
• @codysoyland made their first contribution in #602
• @jonnystoten made their first contribution in #603
• @MDr164 made their first contribution in #620
• @mrjoelkamp made their first contribution in #629
• @malancas made their first contribution in #633
• @AdamKorcz made their first contribution in #641
• @steiza made their first contribution in #642

Full Changelog: v0.7.0...v2.0.0