21 Apr 12:19

8d3d825

v0.4.0 Latest

Latest

ccmd v0.4.0

Three new providers (17 → 20), a new provider-trait extension point (pre_delete), and paste-ready upgrade snippets for Maven & Gradle. Focus of this release is closing the macOS developer-cache gap (Xcode DerivedData, SwiftPM) and shipping the first new package-manager ecosystem with full OSV + version-check coverage since v0.3.1 (Go).

Added

Go provider (#8) — module cache ($GOMODCACHE, default ~/go/pkg/mod) and build cache ($GOCACHE). Full pipeline: OSV Go scanning, version-check against proxy.golang.org /@v/list (filters pseudo-versions and +incompatible), and go get <mod>@<ver> upgrade command on c. Module-path bang-escapes (!uber → Uber) are decoded at semantic_name/package_id time so OSV sees the real path. Module cache is Safe; build cache is Caution.
providers::pre_delete hook — new dispatch letting providers prepare a subtree before remove_dir_all. Default is a no-op so existing providers are unaffected. The Go provider implements it to chmod -R +w its module tree — Go chmod -w's extracted modules by design, and without the hook remove_dir_all silently fails. Reusable seam for future providers that need xattr strip, watcher pause, or file-handle release.
SwiftPM provider (#11) — detects ~/Library/Caches/org.swift.swiftpm (macOS) / ~/.cache/org.swift.swiftpm (Linux). repositories/ is Caution (re-clone cost), artifacts/ + manifests/ are Safe. Repository directories render with the trailing git-URL hash stripped. Disk-hygiene only — no OSV (SwiftURL coverage is sparse) and no upgrade command (Swift package upgrades are project-local, not cache-entry operations).
Xcode provider (#17) — detects DerivedData, iOS DeviceSupport, and CoreSimulator Caches. Often the single largest caches on macOS dev machines (DerivedData is routinely 50–200 GB). DerivedData is Caution (rebuild takes 5–30 min); the other two are Safe. DerivedData project directories surface the original workspace path from Info.plist in the detail panel.
Maven / Gradle upgrade snippets — c on a Maven or Gradle artifact now copies a paste-ready snippet (<dependency>…</dependency> for Maven, implementation 'group:artifact:version' for Gradle). Previously a silent no-op.

Fixed

Dropped duplicate MCP screenshots at repo root (~150 KiB per published crate tarball); README now points at docs/ccmd-mcp-*.png.
README screenshot reference switched to the GitHub raw URL so it renders on the crates.io page.
Rust MSRV badge corrected from 1.85 to 1.88.

Installation

brew install juliensimon/tap/ccmd        # macOS / Linux (includes MCP)
cargo install ccmd --features mcp        # from crates.io
cargo binstall ccmd                      # prebuilt, via binstall

See the release assets below for standalone macOS (x86_64 / arm64) and Linux (x86_64 / aarch64) tarballs, and .deb packages for Debian/Ubuntu.

Assets 9

17 Apr 16:22

github-actions

v0.3.1

d5d3120

v0.3.1

Highlights

Three headline features on top of the Opus 4.7 code-review pass:

JVM ecosystem support (#25) — new Maven and Gradle cache providers. ~/.m2/repository and ~/.gradle/caches auto-detected. Gradle's files-2.1 layout parsed; both share the OSV Maven ecosystem for CVE scanning. Maven Central version-check prefers <release> over <latest>. Upgrade-command copy not yet wired for mvn/gradle.
Startup version check (#26) — ccmd now checks GitHub for newer releases at launch. Bottom bar shows ↑ ccmd X.Y.Z available when you're out of date. Background thread, 24 h cache, opt-out via --no-update-check, CCMD_NO_UPDATE_CHECK=1, or [updater] enabled = false. Pre-release builds suppressed.
Persistent scan cache (#27) — OSV and registry results cached to <cache-dir>/{vuln,version}_cache.json with a 24 h TTL. Atomic save + prune-expired; cache-hit % surfaced in the status bar.

Fixed

Opus 4.7 code-review pass: 7 HIGH + 10 MEDIUM + 8 LOW findings (TOCTOU in MCP delete, pnpm multi-byte filename panic, status-message clobbering under concurrent scans, and more).
rustls-webpki → 0.103.12 for RUSTSEC-2026-0098/0099.
Stable clippy 1.95 + MSRV (1.88) CI.

Changed

send_scan_request helper with a scanner_dead flag replaces 11 silent let _ = scan_tx.send(...) sites; scanner death now surfaces in the status bar.
Config::default_for_test() skips subprocess probes (tests no longer coupled to host-tool availability).

Tests & infrastructure

~+100 tests (1495 → 1736+). Project coverage ≥ 93%.
MSRV (1.88) CI job, nightly `--features e2e` cron, E2E JVM providers job.
Mocked HTTP for OSV + registry via a self-contained `TcpListener` helper (no new dev-deps).

Install

```bash

Homebrew (macOS / Linux)

brew upgrade ccmd

crates.io

cargo install ccmd

Debian / Ubuntu

curl -LO https://github.com/juliensimon/cache-commander/releases/download/v0.3.1/ccmd-x86_64-unknown-linux-gnu.deb
sudo dpkg -i ccmd-x86_64-unknown-linux-gnu.deb
```

Full diff: v0.3.0...v0.3.1

Assets 9

10 Apr 17:41

github-actions

v0.3.0

5b5b03c

v0.3.0

v0.3.0 — JavaScript ecosystem providers

New Features

Yarn provider — Classic (.yarn-cache) and Berry (.yarn/berry/cache) with auto-detection
pnpm provider — v9 and v10 store layouts, XDG paths, auto-detection via pnpm store path
Bun provider — .bun/install/cache with env var support; npm ecosystem for vuln/version checks
Auto-detection of Yarn, pnpm, and Bun cache paths at startup

Improvements

Strip Bun dedup suffix (@@@n) for correct vulnerability and version scanning
5-second timeout on yarn/pnpm subprocess probes to prevent TUI blocking
Char-aware name truncation in tree panel
CI actions pinned to commit SHAs
Man page and docs updated with all 15 supported providers

Testing

E2E test suite with real Yarn and pnpm tooling
1222 tests (up from ~900 in v0.2.0)

Install

# Homebrew
brew update && brew upgrade ccmd

# crates.io
cargo install ccmd

# macOS (Apple Silicon)
curl -LO https://github.com/juliensimon/cache-commander/releases/download/v0.3.0/ccmd-aarch64-apple-darwin.tar.gz
tar xzf ccmd-aarch64-apple-darwin.tar.gz && sudo mv ccmd /usr/local/bin/

# Linux .deb (x86_64)
curl -LO https://github.com/juliensimon/cache-commander/releases/download/v0.3.0/ccmd-x86_64-unknown-linux-gnu.deb
sudo dpkg -i ccmd-x86_64-unknown-linux-gnu.deb

Contributors

Assets 9

10 Apr 17:18

github-actions

v0.3.0-rc1

4145360

v0.3.0-rc1 Pre-release

Pre-release

v0.3.0-rc1 — JavaScript ecosystem providers

New Features

Yarn provider — supports both Classic (~~/.yarn-cache) and Berry (~~/.yarn/berry/cache) layouts, with automatic cache path detection via yarn cache dir / yarn config get cacheFolder
pnpm provider — supports v9 and v10 store layouts, XDG paths, with automatic detection via pnpm store path
Bun provider — detects ~/.bun/install/cache with BUN_INSTALL_CACHE_DIR / BUN_INSTALL env var support; uses npm ecosystem for vulnerability scanning and version checking
Auto-detection of Yarn, pnpm, and Bun cache paths at startup

Improvements

Add 5-second timeout to yarn/pnpm subprocess probes to prevent TUI blocking
Fix char-aware name truncation in tree panel (prevents potential panic on multi-byte names)
Pin all CI actions to commit SHAs
Man page and docs updated with all 15 supported providers

Testing

E2E test suite with real Yarn and pnpm tooling
Adversarial tests for parser edge cases and provider detection collisions
1212 tests total (up from ~900 in v0.2.0)

Install

# From crates.io
cargo install ccmd@0.3.0-rc1

# macOS (Apple Silicon)
curl -LO https://github.com/juliensimon/cache-commander/releases/download/v0.3.0-rc1/ccmd-aarch64-apple-darwin.tar.gz
tar xzf ccmd-aarch64-apple-darwin.tar.gz && sudo mv ccmd /usr/local/bin/

# Linux .deb (x86_64)
curl -LO https://github.com/juliensimon/cache-commander/releases/download/v0.3.0-rc1/ccmd-x86_64-unknown-linux-gnu.deb
sudo dpkg -i ccmd-x86_64-unknown-linux-gnu.deb

Assets 9

07 Apr 12:19

github-actions

v0.2.0

fa2b4a8

v0.2.0

v0.2.0 — MCP Server, Security Hardening

Features

MCP server — ccmd mcp starts an MCP (Model Context Protocol) server for AI assistant integration. 8 tools: list_caches, get_summary, search_packages, get_package_details, scan_vulnerabilities, check_outdated, preview_delete, delete_packages. Ecosystem aliases, fuzzy matching, path traversal protection.
.deb packages — Linux releases now include .deb packages with man page and binary for x86_64 and aarch64.
Author and repo URL in --help output.
All release binaries include MCP support.

Security & Hardening

Mutex poisoning recovery — vulnerability/version scanning no longer crashes on worker thread failure.
Shell metacharacter sanitization in upgrade commands.
User-Agent uses CARGO_PKG_VERSION and correct repository URL.
Empty version strings rejected from all registry parsers.
brew outdated exit status checked before parsing.
rust-version = "1.85" enforced.
CI hardened: cargo-deny, SHA-pinned actions, build provenance attestation.

Changed

CI tests, checks, and lints with --features mcp.
Release pipeline supports pre-release tags.
Homebrew tap auto-updated on stable releases.

Install

brew tap juliensimon/tap && brew install ccmd    # Homebrew
cargo install ccmd                                # crates.io (TUI only)
cargo install ccmd --features mcp                 # crates.io (with MCP)