commerce-docs · dshevtsov · Apr 13, 2026 · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026
diff --git a/.env.example b/.env.example
@@ -0,0 +1,12 @@
+# GitHub personal access token (public GitHub / github.com)
+# Required. Generate at https://github.com/settings/tokens
+WHATSUP_GITHUB_ACCESS_TOKEN=
+
+# GitHub Enterprise Server hostname (e.g. git.example.com).
+# Optional — defaults to github.com (for GHEC).
+# Required only when using 'enterprise:' repo prefixes in .whatsup.yml.
+WHATSUP_GITHUB_ENTERPRISE_HOSTNAME=
+
+# GitHub Enterprise personal access token
+# Required only when using 'enterprise:' repo prefixes in .whatsup.yml.
+WHATSUP_ENTERPRISE_ACCESS_TOKEN=
diff --git a/.gitignore b/.gitignore
@@ -11,7 +11,8 @@
 .rspec_status
 
 
-/credentials.yml
+/.env
 /.whatsup.yml
 /output/
-*.gem
+*.gem
+.cursor/
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -0,0 +1,8 @@
+{
+  "MD013": {
+    "line_length": 120,
+    "code_blocks": false,
+    "tables": false,
+    "headings": false
+  }
+}
diff --git a/.netrc.example b/.netrc.example
@@ -0,0 +1,13 @@
+# ~/.netrc — fallback authentication when environment variables are not set.
+# File must have permissions 600: chmod 600 ~/.netrc
+#
+# Public GitHub
+machine api.github.com
+  login <github-username>
+  password <personal-access-token>
+
+# GitHub Enterprise Server (self-hosted only)
+# Not needed for GitHub Enterprise Cloud (GHEC) — use WHATSUP_ENTERPRISE_ACCESS_TOKEN in .env instead.
+machine <hostname>
+  login <enterprise-username>
+  password <enterprise-personal-access-token>
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-ruby-3.3.0
+ruby-3.4.8
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,36 @@
 # Changelog
 
+## 2.0.0
+
+### Breaking changes
+
+- Removed `membership` field from YAML output and configuration — the org-membership check has been removed entirely
+- Enterprise hostname must now be set via the `WHATSUP_GITHUB_ENTERPRISE_HOSTNAME` environment variable instead of the `enterprise` key in `.whatsup.yml`, so the config file is safe to commit to git
+- Enterprise PR links in generated output now use the format `enterprise:org/repo/pull/N` instead of the internal hostname URL, hiding the private hostname from committed files
+
+### New features
+
+- GitHub Enterprise Cloud (GHEC) support — `WHATSUP_GITHUB_ENTERPRISE_HOSTNAME` defaults to `github.com` (GHEC) when unset
+- PR data fetching replaced N+1 REST calls with a single GraphQL `nodes(ids: [...])` batch query for a significant performance improvement
+- Query logging is now opt-in: set `DEBUG=1` to print GitHub search queries to stderr
+- Unauthenticated mode now warns at startup and reminds how to set credentials
+- `.netrc` file permission check warns when the file is world-readable
+
+### Security fixes
+
+- YAML configuration is now loaded with `safe_load` to prevent arbitrary object deserialization
+- Config file path validated against path traversal (`..` and absolute paths rejected)
+- Enterprise hostname validated against an allowlist regex; private/internal IP ranges are blocked
+- `.netrc` path resolved with `File.expand_path('~/.netrc')` for correctness in containerized environments
+
+### Bug fixes
+
+- `faraday-retry` promoted from development to runtime dependency — fixes missing-gem warning for consumers
+
+### Maintenance
+
+- Updated all dependencies to their latest compatible versions
+
 ## 1.2.0
 
 Maintenance:

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,97 +1,100 @@
 PATH
   remote: .
   specs:
-    whatsup_github (1.2.0)
+    whatsup_github (2.0.0)
+      dotenv (~> 3.0)
+      faraday-retry (~> 2.2)
       netrc (~> 0.11)
       octokit (~> 10.0)
       thor (~> 1.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
-    aruba (2.3.1)
-      bundler (>= 1.17, < 3.0)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
+    aruba (2.3.3)
+      bundler (>= 1.17)
       contracts (>= 0.16.0, < 0.18.0)
       cucumber (>= 8.0, < 11.0)
-      rspec-expectations (~> 3.4)
+      rspec-expectations (>= 3.4, < 5.0)
       thor (~> 1.0)
     base64 (0.3.0)
-    bigdecimal (3.2.2)
+    bigdecimal (4.1.1)
     builder (3.3.0)
-    contracts (0.17.2)
-    cucumber (10.1.0)
+    contracts (0.17.3)
+    cucumber (10.2.0)
       base64 (~> 0.2)
       builder (~> 3.2)
-      cucumber-ci-environment (> 9, < 11)
+      cucumber-ci-environment (> 9, < 12)
       cucumber-core (> 15, < 17)
-      cucumber-cucumber-expressions (> 17, < 19)
-      cucumber-html-formatter (> 20.3, < 22)
+      cucumber-cucumber-expressions (> 17, < 20)
+      cucumber-html-formatter (> 21, < 23)
       diff-lcs (~> 1.5)
       logger (~> 1.6)
       mini_mime (~> 1.1)
       multi_test (~> 1.1)
       sys-uname (~> 1.3)
-    cucumber-ci-environment (10.0.1)
-    cucumber-core (15.2.1)
-      cucumber-gherkin (> 27, < 33)
-      cucumber-messages (> 26, < 30)
-      cucumber-tag-expressions (> 5, < 7)
-    cucumber-cucumber-expressions (18.0.1)
+    cucumber-ci-environment (11.0.0)
+    cucumber-core (16.2.0)
+      cucumber-gherkin (> 36, < 40)
+      cucumber-messages (> 31, < 33)
+      cucumber-tag-expressions (> 6, < 9)
+    cucumber-cucumber-expressions (19.0.0)
       bigdecimal
-    cucumber-gherkin (32.2.0)
-      cucumber-messages (> 25, < 28)
-    cucumber-html-formatter (21.14.0)
-      cucumber-messages (> 19, < 28)
-    cucumber-messages (27.2.0)
-    cucumber-tag-expressions (6.1.2)
+    cucumber-gherkin (39.0.0)
+      cucumber-messages (>= 31, < 33)
+    cucumber-html-formatter (22.3.0)
+      cucumber-messages (> 23, < 33)
+    cucumber-messages (32.2.0)
+    cucumber-tag-expressions (8.1.0)
     diff-lcs (1.6.2)
-    faraday (2.13.4)
+    dotenv (3.2.0)
+    faraday (2.14.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
-    faraday-net_http (3.4.1)
-      net-http (>= 0.5.0)
-    faraday-retry (2.3.2)
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
+    faraday-retry (2.4.0)
       faraday (~> 2.0)
-    ffi (1.17.2)
-    ffi (1.17.2-arm64-darwin)
-    fileutils (1.7.3)
-    json (2.13.2)
+    ffi (1.17.4)
+    ffi (1.17.4-arm64-darwin)
+    fileutils (1.8.0)
+    json (2.19.3)
     logger (1.7.0)
     memoist3 (1.0.0)
     mini_mime (1.1.5)
     multi_test (1.1.0)
-    net-http (0.6.0)
-      uri
+    net-http (0.9.1)
+      uri (>= 0.11.1)
     netrc (0.11.0)
     octokit (10.0.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
-    public_suffix (6.0.2)
-    rake (13.3.0)
-    rspec (3.13.1)
+    public_suffix (7.0.5)
+    rake (13.3.1)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.5)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.5)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.5)
-    sawyer (0.9.2)
+    rspec-support (3.13.7)
+    sawyer (0.9.3)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    sys-uname (1.4.1)
+    sys-uname (1.5.1)
       ffi (~> 1.1)
       memoist3 (~> 1.0.0)
-    thor (1.4.0)
-    uri (1.0.3)
+    thor (1.5.0)
+    uri (1.1.1)
 
 PLATFORMS
   arm64-darwin-22
@@ -101,7 +104,6 @@ DEPENDENCIES
   aruba (~> 2.2)
   bundler (~> 2.5)
   cucumber (~> 10.1)
-  faraday-retry (~> 2.2)
   fileutils (~> 1.7)
   rake (~> 13.1)
   rspec (~> 3.12)