chore(main): release 1.6.0

[ben-ranford]

🤖 I have created a release beep boop

1.6.0 (2026-06-11)

Features

• mcp: add stdio server tools (01d38ae)
• report: add baseline, provenance, and runtime context (#977) (0faf079)
• report: use non-relative impact signal (2acb8b0)
• vscode: add multi-root analysis workflows (#978) (f72c0b5)

Bug Fixes

• cli: support output files outside dashboard (d277fa3)
• codemod: preserve mixed newlines when applying suggestions (b65b276)
• core: harden config, path, and output trust boundaries (#976) (169988a)
• dart: harden Dart import parser comments (f9b743d)
• dart: honor raw string and block comment imports (#968) (af1c2bc)
• dashboard: preserve repo identity for duplicates (62a4fe3)
• deps: update module golang.org/x/mod to v0.37.0 (#981) (54beddf)
• dotnet: ignore commented imports and package refs (9d76b72)
• dotnet: ignore commented imports and package refs (#970) (02a4123)
• jvm: harden JVM and Kotlin scan paths (a8f2a6f)
• jvm: harden JVM and Kotlin scan paths (#973) (a87435b)
• lang: harden python and elixir manifest parsing (72adaaa)
• lang: harden python and elixir manifest parsing (#969) (ced1ad6)
• lang: parse manifests with structured parsers (7578657)
• lang: scan hoisted js and go monorepo sources (11024bd)
• mcp: align tool schemas with accepted inputs (9f7e598)
• policy: clear Sonar parameter-count issues (#975) (87506b9)
• policy: preserve explicit clears and upstream deny state (620634f)
• policy: preserve explicit clears and upstream deny state (#972) (3ca5e1c)
• powershell: tighten requires directive matching (a939edb)
• powershell: tighten requires parsing (#967) (617f5d0)
• release: harden workflow release config (6098a6b)
• rust: harden import and workspace parsing (31fd3ca)
• rust: harden import and workspace parsing (#971) (a27d9ef)
• tui: reuse loaded summary for detail open (58cf28d)
• vscode: avoid sync filesystem reads on save (8454dc4)
• vscode: harden lopper execution and managed installs (338ddba)
• vscode: parallelize codemod refresh analysis (012a865)

Code Refactoring

• analysis: derive report metrics before formatting (74eec6d)
• app: split lockfile drift seams (cc5b617)
• js: split adapter dependency seams (ac907e1)
• lang: centralize dependency report weights (2948bc3)
• lang: delegate resolver defaults and enable dupl (1dc5d46)
• lang: route root signals through shared helper (cbb55eb)
• lang: standardize adapter file names (dfeee59)
• language: return report result from adapters (f167837)
• language: use analysis options for adapters (240f29d)
• policy: collapse optional pair helpers (87506b9)
• report: use non-relative impact signal (2acb8b0)
• report: use text templates for table sections (5ec24b4)
• safeio: introduce filesystem interface (556adaa)
• tests: rename coverage sweep files by behavior (03472f3)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Release feature flags

This release PR is preparing v1.6.0.

Feature flags

• Channel: release
• Release: v1.6.0

Stable by default

• LOP-FEAT-0001 dart-source-attribution-preview - Enable richer Dart and Flutter dependency source attribution and federated plugin relationship reporting.
• LOP-FEAT-0002 lockfile-drift-ecosystem-expansion-preview - Preview expansion of shared lockfile drift checks for .NET, Dart, Elixir, and SwiftPM ecosystems.
• LOP-FEAT-0003 swift-carthage-preview - Enable Carthage dependency parsing for the Swift adapter.
• LOP-FEAT-0004 powershell-adapter-preview - Enable preview support for the PowerShell language adapter.
• LOP-FEAT-0005 go-vendored-provenance-preview - Enable vendored dependency provenance for Go using vendor/modules.txt metadata.

Preview available by opt-in

• LOP-FEAT-0006 baseline-provenance-runtime-context-preview - Enable baseline comparison, policy provenance, and runtime parent/entrypoint context in reports and dashboard views.
• LOP-FEAT-0007 vscode-multi-root-workflows-preview - Enable multi-root VS Code analysis workflows, dependency explorer detail views, baseline commands, and export commands.
• LOP-FEAT-0008 mcp-server-preview - Enable the local stdio MCP server for read-only dependency analysis workflows.

Preview locked default-on for this release

None.

Newly added preview flags since previous release

• LOP-FEAT-0006 baseline-provenance-runtime-context-preview
• LOP-FEAT-0007 vscode-multi-root-workflows-preview
• LOP-FEAT-0008 mcp-server-preview

Promotion options

• Ship a preview flag default-on only in v1.6.0 by editing internal/featureflags/release_locks.json.
• Graduate a preview flag for future releases with graduate-feature.yml using the feature code or name, then merge that PR before publishing v1.6.0.

Graduation candidates

• LOP-FEAT-0006 baseline-provenance-runtime-context-preview - Enable baseline comparison, policy provenance, and runtime parent/entrypoint context in reports and dashboard views.
• LOP-FEAT-0007 vscode-multi-root-workflows-preview - Enable multi-root VS Code analysis workflows, dependency explorer detail views, baseline commands, and export commands.
• LOP-FEAT-0008 mcp-server-preview - Enable the local stdio MCP server for read-only dependency analysis workflows.

[Copilot]

Pull request overview

Release PR for v1.5.5 generated by Release Please, updating version metadata and changelogs to publish the next patch release (which includes the manifest parsing hardening from #969).

Changes:

• Bump VS Code extension version to 1.5.5 (package.json + package-lock.json).
• Add 1.5.5 entry to the VS Code extension changelog referencing the bug fix.
• Update .release-please-manifest.json to 1.5.5.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
extensions/vscode-lopper/package.json	Bumps VS Code extension version to 1.5.5.
extensions/vscode-lopper/package-lock.json	Keeps lockfile metadata in sync with the 1.5.5 extension version.
extensions/vscode-lopper/CHANGELOG.md	Adds the 1.5.5 release notes entry.
.release-please-manifest.json	Updates Release Please manifest version to 1.5.5.

Files not reviewed (1)

• extensions/vscode-lopper/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Memory Benchmarks

Thresholds: bytes/op <= +15.0%, allocs/op <= +10.0%

Benchmark	Base B/op	Head B/op	Delta B/op	Base allocs/op	Head allocs/op	Delta allocs/op	Status
github.com/ben-ranford/lopper/internal/lang/shared/BenchmarkCountUsage	25632.3	25632.0	-0.0%	375.0	375.0	+0.0%	ok
github.com/ben-ranford/lopper/internal/lang/shared/BenchmarkCountUsageRegexPerIdentifier	414127.3	415892.7	+0.4%	3067.0	3067.3	+0.0%	ok
github.com/ben-ranford/lopper/internal/report/BenchmarkFormatLargeTable	256575.3	256584.7	+0.0%	3079.0	3079.0	+0.0%	ok

Result: memory benchmark gate passed.

Approval: not required.

[github-actions]

Lopper (Delta)

Metric delta	Value
Dependency count	+0
Used percent	+0.0%
Waste percent	+0.0%
Estimated unused bytes	+0 B
Known licenses	+0
Unknown licenses	+0
Denied licenses	+0

Changed	Regressions	Progressions	Added	Removed	Unchanged
0	0	0	0	0	9

No dependency-surface deltas detected.

[github-actions]

SonarQube (PR)

Open issues: 0
Actionable issues shown (excluding mock/fixture files): 0

Duplication

• Overall duplicated lines: 768
• Overall duplication density: 0.60%
• New duplicated lines: n/a
• New duplication density: n/a

Issues

Open Sonar issues (0)

#	Severity	Rule	Location	Message
-	-	-	-	No open Sonar issues for this PR.

Source: SonarCloud PR view

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud