From ff1dd4a443394afa6540fedd949e0d8b41e2dad7 Mon Sep 17 00:00:00 2001 From: Vincent Guyader Date: Wed, 13 May 2026 10:26:33 +0200 Subject: [PATCH] chore: bump to 1.0.0 for the first major release Renames the unreleased 0.3.0 development line to 1.0.0: - `DESCRIPTION`: `Version: 0.3.0` -> `1.0.0`. - `NEWS.md`: section header `# dockerfiler 0.3.0` -> `# dockerfiler 1.0.0`, with a short lead paragraph explaining why a major-version bump (API maturity after the stabilisation cycle: input-validation family, codegen hardening against renv.lock / DESCRIPTION injection, vendored-renv removal, multi-arch / PPM-binaries defaults). The three internal "since the 0.3.0 hardening" / "predates 0.3.0" pointers in the Security bullets are updated to "1.0.0". - `cran-comments.md`: section header retitled "Major changes in 1.0.0"; the three "0.3.0" mentions in the body retargeted to "1.0.0". - `README.md` re-knit (the live `desc::desc_get_version()` chunk picks up the new version). No R code, no test, no NAMESPACE, no Rd impact. --- DESCRIPTION | 2 +- NEWS.md | 16 ++++++++++++---- README.md | 2 +- cran-comments.md | 11 ++++++----- 4 files changed, 20 insertions(+), 11 deletions(-) diff --git a/DESCRIPTION b/DESCRIPTION index f269ea1..b80ded2 100644 --- a/DESCRIPTION +++ b/DESCRIPTION @@ -1,6 +1,6 @@ Package: dockerfiler Title: Easy Dockerfile Creation from R -Version: 0.3.0 +Version: 1.0.0 Authors@R: c( person("Colin", "Fay", , "contact@colinfay.me", role = c("cre", "aut"), comment = c(ORCID = "0000-0001-7343-1846")), diff --git a/NEWS.md b/NEWS.md index 8b77f32..065b255 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -1,4 +1,12 @@ -# dockerfiler 0.3.0 +# dockerfiler 1.0.0 + +First major release. The version is bumped to 1.0.0 to signal API +maturity after a stabilisation cycle that overhauled the +input-validation surface, hardened the codegen against `renv.lock` / +`DESCRIPTION` injection, removed the vendored copy of `{renv}`, and +flipped the high-level generators' defaults to multi-arch +`rocker/r-ver` + binary packages from Posit Public Package Manager. +See below. ## Breaking changes @@ -64,9 +72,9 @@ line without passing through `.validate_renv_version()`. A crafted `renv.lock` could break out of the inner R string and execute arbitrary code as root at `docker build` time. The user-supplied - `renv_version=` argument has been validated since the 0.3.0 + `renv_version=` argument has been validated since the 1.0.0 shell-context hardening above, but the lockfile-fallback path was - missed; the bug itself predates 0.3.0 (it existed while the + missed; the bug itself predates 1.0.0 (it existed while the vendored `{renv}` parser was in use). The validator is now applied to the resolved value whatever its source. Found by an internal security audit before release. @@ -89,7 +97,7 @@ via the `remotes::install_version("", ...)` install RUNs on the default `build_from_source = TRUE` path. Both the package name and every dependency-field name are now validated against the CRAN - package-name grammar at function entry. The bug predates 0.3.0. + package-name grammar at function entry. The bug predates 1.0.0. Found by the same internal security audit as the `dock_from_renv()` fix above. diff --git a/README.md b/README.md index 846e551..0c31b65 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ You’re reading the doc about version : ``` r desc::desc_get_version() -#> [1] '0.3.0' +#> [1] '1.0.0' ``` ## Installation diff --git a/cran-comments.md b/cran-comments.md index f4036e7..2d62323 100644 --- a/cran-comments.md +++ b/cran-comments.md 
@@ -20,10 +20,11 @@ clock skew on the build VM; the package itself is unaffected.) CRAN submission; the win-builder result will follow by email and will be forwarded to CRAN if it surfaces anything new. -## Major changes since 0.2.6 +## Major changes in 1.0.0 -A focused 0.3.0 release. Headline bullets (full details in -`NEWS.md`): +First major release. Version bumped from the 0.2.x development line +to 1.0.0 to signal API maturity after the stabilisation cycle +described below. Headline bullets (full details in `NEWS.md`): ### Breaking changes @@ -91,7 +92,7 @@ A focused 0.3.0 release. Headline bullets (full details in as root at `docker build` time. The validator is now applied to the resolved value whatever its source. (The bug predates this release; no published `{dockerfiler}` version carried the - 0.3.0 changeset, so there is nothing to coordinate with CRAN + 1.0.0 changeset, so there is nothing to coordinate with CRAN beyond noting it here.) ### Bug fixes @@ -116,7 +117,7 @@ local `{golem}` checkout was additionally grepped explicitly: the only `dockerfiler` references are to the public API (`dock_from_renv`, `dock_from_desc`, `Dockerfile`, `get_sysreqs`), whose signatures are preserved across this -release. The other 0.3.0 changes (default flip of `FROM` to +release. The other 1.0.0 changes (default flip of `FROM` to `rocker/r-ver`, of `repos` to `p3m.dev/cran/latest`, and of `user` to `"rstudio"`) are behavioural-default changes and do not break downstream call sites.
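Review bot: In the NEWS.md hunk at `@@ -1,4 +1,12 @@`, the new lead paragraph files the `renv.lock` / `DESCRIPTION` injection hardening under "API maturity" and ends with a bare "See below.". The Security bullets further down describe code execution as root at `docker build` time, so a reader skimming the lead has no cue that upgrading is security-relevant. Suggest replacing "See below." with a pointer that names the Security bullets explicitly.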
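Review bot: In the NEWS.md hunk at `@@ -64,9 +72,9 @@`, the mechanical rename leaves "has been validated since the 1.0.0 shell-context hardening above, but the lockfile-fallback path was missed", which now describes both the hardening and the gap it left as belonging to the release being announced. The sentence only made sense when 0.3.0 named an earlier development state. Suggest dropping the version there ("has been validated by the shell-context hardening above, but the lockfile-fallback path was initially missed") so the bullet does not imply that 1.0.0 ships with the path unvalidated.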
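Review bot: In the NEWS.md hunk at `@@ -89,7 +97,7 @@`, "The bug predates 1.0.0." no longer tells a user which installed versions are affected, since every earlier version predates 1.0.0. For a bullet describing injection into the generated install `RUN` lines, state the affected range explicitly, for example "affects published versions up to and including <last affected version>", using the actual last published version. The same applies to "the bug itself predates 1.0.0" in the previous hunk.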
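Review bot: In the cran-comments.md hunk at `@@ -20,10 +20,11 @@`, retitling "Major changes since 0.2.6" to "Major changes in 1.0.0" removes the only mention of the baseline version, and the new body says only "the 0.2.x development line". Suggest keeping the concrete baseline in the lead sentence (for example "Version bumped from 0.2.6 to 1.0.0") so the CRAN reviewer knows which published version the bullets are measured against.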
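Review bot: In the cran-comments.md hunk at `@@ -91,7 +92,7 @@`, "no published `{dockerfiler}` version carried the 1.0.0 changeset" is now a tautology, because 1.0.0 is the version being submitted. The original wording conveyed that the intermediate changeset, which validated `renv_version=` but missed the lockfile-fallback path, was never released. Suggest rewording to say that directly, and, since the same parenthetical says the bug predates this release, adding whether published versions are affected by the underlying lockfile issue so the "nothing to coordinate" conclusion can be checked.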
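Review bot: In the cran-comments.md hunk at `@@ -116,7 +117,7 @@`, the claim that the default flips "do not break downstream call sites" sits awkwardly next to a major-version bump and a "Breaking changes" section. The signatures are preserved, but callers relying on defaults will get a different `FROM` image, a different `repos` and a different `user` in the generated Dockerfile, and the last of these changes which account the container runs as. Suggest narrowing the sentence to what was verified: call sites keep working unchanged, while generated output differs for callers that relied on the old defaults.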