v1.9.21

v1.9.21

• 🛠️ Fixed NpmProvider to pass --min-release-age in npm's expected day-based format instead of converting it to seconds, so installs and updates now preserve values like 7 and 1.5 correctly.

min_release_age_days = f"{min_release_age:g}"
...
f"--min-release-age={min_release_age_days}"

• ✅ Expanded npm coverage in the test suite to verify install/update flag generation, preserve fractional day values, and exercise a live install path with min_release_age=7.

self.assertEqual(release_age_flags[0], "--min-release-age=7")
self.assertEqual(release_age_flags[0], "--min-release-age=1.5")

• 🚦 Refreshed GitHub Actions workflows to current action versions and opted the workflows into the Node 24 runtime path ahead of the runner deprecation window.

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

• 📦 Bumped the package version to 1.9.21 and refreshed uv.lock to keep the editable package metadata aligned with the release.

v1.9.20

abx-pkg v1.9.20

Changes since v1.9.18:

• 🔒 Added Binary-level supply-chain controls and threaded them through every lifecycle path. Binary now carries postinstall_scripts and min_release_age, defaults them from ABX_PKG_POSTINSTALL_SCRIPTS / ABX_PKG_MIN_RELEASE_AGE, and passes them through install(), update(), load_or_install(), and uninstall() instead of leaving each provider to guess.

from abx_pkg import Binary, pip

binary = Binary(
    name="cowsay",
    binproviders=[pip],
    postinstall_scripts=False,
    min_release_age=7,
)
binary.load_or_install()

• 🛡️ Hardened Python package installs. PipProvider now injects no-build / age-gating controls for installs, prefers uv pip when available, and falls back to plain pip with binary-only installs and --uploaded-prior-to when supported by pip 26+.

uv pip install --no-build --exclude-newer=<cutoff> cowsay
pip install --only-binary :all: --uploaded-prior-to=<cutoff> cowsay

• 📦 Tightened npm/pnpm behavior and made the backend choice more predictable. NpmProvider now prefers a real npm binary when both npm and pnpm exist, rewrites commands when pnpm is the backend, applies --ignore-scripts / --min-release-age for npm installs, and writes pnpm-workspace.yaml with minimumReleaseAge so pnpm gets the same age gate without leaking npm-only flags into pnpm commands.

npm install --ignore-scripts --min-release-age=604800 --global cowsay

# pnpm-workspace.yaml
minimumReleaseAge: 10080

• ✅ Made min_version enforcement consistent and less surprising. Binary.min_version=None now clearly means "no version floor", loaded binaries are validated in one shared path after provider resolution, and provider-level install/update commands now thread version constraints for pip, npm, cargo, and gem.

from abx_pkg import Binary, env, brew

java = Binary(
    name="java",
    min_version="11.0.0",
    binproviders=[env, brew],
).load_or_install()

• 🍺 Improved provider resolution and version detection in the places that were tripping real installs. Brew lookups now search libexec/bin paths in both opt and Cellar, brew install/update can skip post-install hooks by default, and the shared version parser now reads from stderr as well as stdout, which fixes tools like java -version.

brew install --skip-post-install openjdk
java -version

• 🧰 Fixed a few runtime sharp edges outside the installers. Lazy provider singletons and provider-name exports now read model_fields from the class rather than assuming an instance shape, debug logging now falls back to ClassName(...) when repr() is broken or expensive, and Ansible/Pyinfra provider imports are delayed through importlib so optional integrations fail later and more cleanly.

from abx_pkg import ALL_PROVIDER_NAMES, apt, pip

print(ALL_PROVIDER_NAMES)
print(apt, pip)

• 🧪 Expanded coverage and release tooling substantially. The test suite gained focused checks for min_version, stderr version parsing, pip/npm security flags, pnpm workspace config updates, and logging safety, while CI now syncs all extras/groups and normalizes PNPM_HOME handling across Linux/macOS. The release script was also hardened so reruns can publish an already-bumped unreleased version, skip duplicate PyPI uploads, and avoid recreating an existing GitHub release.

uv sync --all-extras --all-groups
python -m unittest tests.TestSecurityControls
./bin/release.sh

• 🔧 Refreshed uv.lock metadata to keep the lockfile aligned with the current exclude-newer window used for reproducible installs.

v1.9.18

Highlights

This release tightens provider and release automation around real package lifecycle behavior.

• Simplifies release publishing by removing the separate publish workflow and having the release path publish artifacts directly before creating the GitHub release.
• Improves CI coverage for provider lifecycle tests, including the environment setup needed for pnpm-backed npm provider flows.
• Makes NpmProvider set up PNPM_HOME and PATH correctly when pnpm is the resolved installer.

Included Changes

• removed .github/workflows/publish.yml
• passed PYPI_PAT_SECRET through the release workflow into bin/release.sh
• updated bin/release.sh to publish distributions before cutting the release
• tightened provider tests around update, uninstall, and bootstrap behavior

Artifacts

Attached to this release:

• source distribution (.tar.gz)
• universal wheel (.whl)

v1.9.15

Highlights

• PipProvider now prefers uv pip for install/show/uninstall operations and falls back to plain pip when uv is unavailable.
• New pip_venv environments bootstrap uv lazily alongside pip and setuptools.
• Absolute PIP_BINARY overrides are now respected, including during pip_venv setup.

npm / pnpm

• NpmProvider now prefers pnpm when available and falls back to npm otherwise.
• pnpm is bootstrapped lazily on the first install instead of requiring preinstallation.
• npm_prefix=... is preserved for pnpm operations using prefix-scoped commands.
• Absolute NPM_BINARY overrides still win over pnpm auto-selection.

Other Changes

• Added DRY_RUN=1 environment support on top of provider-level dry-run mode.
• Lowered the default package logging level to WARNING.
• Added bin/release.sh, updated bin/publish.sh, and added GitHub Actions workflows for release-state validation and PyPI publishing.
• Expanded unit and live coverage for the new pip/npm execution paths.

Validation

• uv run prek run --all-files
• Focused pip/npm unit tests via uv run python -m unittest ...
• Live npm and pip lifecycle tests via uv run python -m unittest tests.LiveUpdateAndUninstallTest...
• uv build

v1.9.14: Provider lifecycle fixes and full type-checking coverage

• Added prek-driven quality gates with ruff, ty, and pyright, and expanded static type coverage across abx_pkg, tests.py, and the Django example project
• Fixed provider lifecycle regressions, including canonical brew formula binary resolution, stale-path uninstall handling, and a shared install-cache bug that broke real uninstall -> install verification flows across multiple providers
• Hardened optional integrations and runtime checks for rich, ansible, and pyinfra, including accurate optional-dependency detection and safer installer import/dispatch behavior
• Cleaned up runtime typing edges in settings, admin, views, logging, semver, and provider overrides without papering over errors with Any, cast, or type: ignore
• Verified the release against live package-manager lifecycle tests and a fully clean prek run --all-files

Full Changelog: v1.9.5...v1.9.14

v1.9.5: Logging overhaul with opt-in Rich output and cleaner fallback traces

Highlights

• Added package-wide, idiomatic Python logging with opt-in configuration via configure_logging(...) and optional Rich support via configure_rich_logging(...) and abx-pkg[rich].
• Cleaned up debug traces so they focus on the useful flow: internal underscore helpers and provider-selection noise are omitted, lifecycle logs read more naturally, and return logs mirror the original call shape.
• Improved failure logging for multi-provider fallback paths so intermediate provider failures stay at DEBUG, while only the final all-providers-failed result emits a single call-shaped ERROR ... raised ... line.
• Updated Binary(...) and ShallowBinary(...) rendering to include abspath, version, and a shortened trailing SHA suffix for easier trace inspection.
• Expanded logging and provider regression coverage, including single-provider fallback, multi-provider fallback success, and full failure cases.

Notes

• Rich output remains opt-in and does not change default stdlib logging behavior.
• README logging docs were already in good shape and remain concise.
• Verification on the release commit: uv run pytest tests.py -q -> 62 passed, 11 skipped.

v0.7.1: Added lazy provider singletons, rich logging, and stronger CI coverage

Highlights

• Added lazy provider singleton imports such as from abx_pkg import apt, brew, pip, npm, env, instantiated on first access and cached for reuse.
• Added package-level logging helpers with opt-in Rich support via configure_logging(...), configure_rich_logging(...), and the abx-pkg[rich] extra.
• Strengthened live lifecycle coverage and CI reliability across macOS and Linux, including better Nix/Docker setup and clearer live-test diagnostics.
• Refreshed the README and examples around the simplified provider API and new logging configuration options.

Lazy Provider Singletons

Built-in providers are now available as explicit lazy imports:

from abx_pkg import apt, brew, pip, npm, env

This keeps common usage concise without eagerly instantiating every provider at import time. To preserve that laziness, provider singleton names are intentionally excluded from from abx_pkg import *; use explicit imports when you want the cached singleton instances.

Logging

This release adds a dedicated abx_pkg.logging module and re-exports the main helpers from abx_pkg:

• logger and get_logger(...) for standard package-scoped logging
• configure_logging(...) for stdlib handler setup
• configure_rich_logging(...) for colorized terminal output when rich is installed

abx-pkg still stays quiet by default unless your application configures logging explicitly.

Validation

• uv run pytest tests.py -q (57 passed, 11 skipped)

Full Changelog: v0.7.0...v0.7.1

v0.7.0: Added cargo/gem/go_get/nix/docker providers and install_args overrides

Highlights

• Added built-in CargoProvider, GemProvider, GoGetProvider, NixProvider, and DockerProvider support out of the box.
• Expanded destructive end-to-end lifecycle coverage and CI for package-manager workflows across macOS and Linux.
• Renamed binary override key overrides.packages to overrides.install_args throughout the provider API.

New BinProviders

This release adds first-class support for:

• cargo
• gem
• go get / go install via GoGetProvider
• nix
• docker

DockerProvider uses image refs as install args, writes local wrapper shims that execute via docker run, and reports the image tag as the loaded version.

Override API Change

Binary.overrides[provider_name]['packages'] has been renamed to Binary.overrides[provider_name]['install_args'].

If you were customizing install targets before, update code like this:

# before
overrides = {
    'pip': {'packages': ['yt-dlp[default,curl-cffi]']},
    'docker': {'packages': ['koalaman/shellcheck:v0.10.0']},
}

# after
overrides = {
    'pip': {'install_args': ['yt-dlp[default,curl-cffi]']},
    'docker': {'install_args': ['koalaman/shellcheck:v0.10.0']},
}

The compatibility work in this release keeps the provider internals aligned around install_args, including install/update/uninstall flows and provider override resolution.

Validation

• Standard test suite passes locally.
• Live destructive lifecycle tests were exercised locally for the new providers (cargo, gem, go_get, nix, docker).

v0.6.5: Added update/uninstall APIs with live CI coverage across providers

• ✨ Added first-class update() and uninstall() APIs to both Binary and BinProvider, with built-in implementations for brew, npm, pip, apt, pyinfra, and ansible
• ✅ Added rigorous live end-to-end lifecycle tests that run real install -> update -> uninstall flows in isolated npm / pip environments and real host package managers where available
• 🤖 Fixed AnsibleProvider so the community.general.homebrew module works correctly on Apple Silicon by resolving the real brew path and forcing ansible-runner to use the active venv toolchain
• 🧪 Expanded CI to run the destructive package-manager tests on both ubuntu-latest and macOS-latest, with Python 3.11, 3.12, 3.13, and 3.14
• 📝 Updated the README to document the new lifecycle methods and removed the completed TODO for update/remove actions

Full Changelog: v0.6.4...v0.6.5

v0.6.4: Consistent euid handling across providers with safer Docker/root installs

• 🦸 Unified euid detection in BinProvider so providers share the same UID-selection rules
• 🐳 Kept global npm and pip installs running as real root in Docker/container environments while still respecting owned prefixes / venvs for local installs
• 🙋 Added fallbacks for current UIDs that do not exist in /etc/passwd, preventing provider exec from crashing in containerized environments
• 🧪 Added regression tests for unmapped installer-owner UIDs, root/global install behavior, and prefix-owner precedence
• 📦 Bumped packaging metadata and refreshed dependencies for the 0.6.4 release line

Full Changelog: v0.6.1...v0.6.4