Skip to content

Releases: RefuseHQ/refuse

v0.1.4

Choose a tag to compare

@gok03 gok03 released this 10 Jun 13:45
ccecb2e

Cold-seed time drops from ~2h to ~3 min.

Added

  • runOsvBootstrap — on first boot, stream OSV's bulk all.zip (~200 MB compressed, every ecosystem) and seed all per-ecosystem watermarks in one pass.
  • REFUSE_OSV_CONCURRENCY env var (default 4) — caps the number of ecosystems fetched in parallel each delta tick.
  • OsvFetcher.openAllArchive() — streaming counterpart to fetchAllArchive.

Changed

  • runOsvDelta no longer round-robins one ecosystem per tick under a 60 s wall-clock cap. It now processes every ecosystem in parallel each tick with the configured concurrency. The 60 s budget was a Workers CPU-cap workaround that doesn't apply to a self-hosted Node runtime; on a populated DB, per-ecosystem deltas are tiny so each tick still completes in seconds.
  • First-boot bootstrap now calls the new osv:bulk job (not the per-tick rotation) when OSV has never recorded a successful run, so Maven (Log4Shell), crates.io, Go, RubyGems etc. are populated within the first few minutes instead of after a 2-hour rotation.

v0.1.3

Choose a tag to compare

@gok03 gok03 released this 10 Jun 13:45
5acf1be

Fixed

  • OSV rotation no longer gets stuck on the first ecosystem when its watermark is current. Previously, every 5-minute tick spent the 60s budget reading the ~200 MB npm zip rejecting every record on the watermark, and the rotation cursor never advanced — PyPI / Maven / distros effectively starved. Now: if the budget expires with zero records processed (i.e. caught up), the cursor advances anyway.
  • First-boot bootstrap is now per-source. An upgrade from an older image — where the volume has OSV data but the enrichment cron never fired — now kicks the enrichment job immediately instead of waiting up to 24 h for the next daily tick. Each ingestion source (osv, deps_dev, kev, epss, ghsa_direct, wolfi) is checked individually via ingestion_state.last_ok_at.

v0.1.2

Choose a tag to compare

@gok03 gok03 released this 10 Jun 13:45
92d59b1

UX-only release: visible progress in docker logs.

Added

  • Per-source ingestion progress lines with a 20-char ASCII bar in docker logs. Streaming sources (OSV per-ecosystem, EPSS) fill the bar against a calibrated per-ecosystem estimate; known-total sources (KEV, GHSA page, Wolfi, deps.dev batch) show real percentages. Fixed-width tag column so the bars align.

Changed

  • Per-source log lines now share a consistent refuse: ingest[name] ▶/✓/✗ … prefix instead of ad-hoc KEV: fetched=… upserted=… strings. Greppable and easier to read in docker logs -f.

v0.1.1

Choose a tag to compare

@gok03 gok03 released this 10 Jun 13:45
0c23ffe

First-boot UX + faster release builds. No API breakage.

Added

  • GET /readyz — returns 200 once every required ingestion source (osv, kev, epss, ghsa_direct, wolfi) has completed at least one successful pass; 503 with the pending list during bootstrap. Suitable for docker --health-cmd and k8s readinessProbe.
  • Per-source readiness snapshot via scheduler.getReadiness() (also exposed in the response body of /readyz).
  • KEV / EPSS / Wolfi now record ingestion_state rows so the admin /api/admin/sources panel shows their last-run status, matching the existing OSV + GHSA behavior.

Changed

  • First-boot bootstrap now kicks all three jobs (osv, deps-dev, enrichment) in parallel instead of only osv. KEV / EPSS / GHSA / Wolfi load in the first minute of uptime instead of waiting for the daily 5am UTC enrichment cron.
  • better-sqlite3 11 → 12. Ships a prebuilt binary for Node 24 (ABI v137) on both linux-x64 and linux-arm64, so the runtime image no longer needs python3/make/g++ to source-compile sqlite3 on first install. Multi-arch release builds drop from ~15 min to ~2 min.

Removed

  • docker/Dockerfile no longer installs build tools (python3, make, g++) in either stage — the prebuilt better-sqlite3 binary makes them unnecessary.

v0.1.0

Choose a tag to compare

@gok03 gok03 released this 10 Jun 13:45
5c59d06

First tagged release. The codebase has been usable for a while; this is the
first version where the container image at ghcr.io/refusehq/refuse:latest
actually exists.

Added

  • Community + governance docs: CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, CODEOWNERS, issue + PR templates, .editorconfig, ARCHITECTURE.md, ROADMAP.md.
  • Dependabot and CodeQL workflows.
  • Cosign keyless signing + SLSA build provenance on every published image.

Changed

  • README polish: hero, badges, architecture diagram, cross-link to refuse-cli.