Releases: tirth8205/code-review-graph

v1.8.4 — Vue, Solidity, Call Resolution, Docs Overhaul

20 Mar 13:23

What's New

New Languages

  • Vue SFC parsing: .vue Single File Components with <script> / <script setup> extraction and lang="ts" detection
  • Solidity support — full parsing for .sol files (functions, events, modifiers, inheritance)

New Features

  • find_large_functions_tool — new MCP tool to find functions/classes/files exceeding a line-count threshold
  • Call target resolution — bare call targets resolved to qualified names using same-file definitions, improving callers_of/callees_of accuracy
  • Multi-word AND search: search_nodes now requires all words to match (stricter, more precise)
  • Impact radius pagination: get_impact_radius returns truncated flag, total_impacted count, and accepts max_results parameter

Security & Robustness (v1.8.3)

  • Parser recursion guard (_MAX_AST_DEPTH = 180)
  • Module cache bound (_MODULE_CACHE_MAX = 15,000)
  • Embeddings thread safety + Gemini API retry with exponential backoff
  • Visualization XSS hardening
  • Configurable git timeout via CRG_GIT_TIMEOUT env var

Documentation

  • All docs updated: 14 languages, 9 MCP tools, accurate version references
  • VS Code extension updated to v0.2.0 with all 13 commands documented
  • Added CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md

Install / Upgrade

pip install --upgrade code-review-graph

Full Changelog: https://github.com/tirth8205/code-review-graph/blob/main/CHANGELOG.md

v1.8.2 — Fix C# parsing

17 Mar 13:08

Fixed

  • C# parsing broken: Renamed language identifier from c_sharp to csharp to match tree-sitter-language-pack's actual identifier. Previously, all C# files were silently skipped because _get_parser() swallowed the LookupError.

3 previously-skipped C# tests now pass (111 total, 0 skipped).

v1.8.1 — CI fix

17 Mar 13:05

Fixes missing max_nodes parameter in get_impact_radius method signature and updates test assertion for expanded .gitignore format. No functional changes beyond v1.8.0.

v1.8.0 — Security Hardening

17 Mar 12:52

Security Release

This release addresses 12 security findings from a comprehensive pre-launch audit.

Security Fixes

  • Prompt injection mitigation — node names sanitized before MCP tool responses
  • Path traversal protection: repo_root validated as a project directory
  • VSCode RCE fix: cliPath locked to machine-level settings only
  • XSS fix — visualization HTML escapes quotes and backticks
  • SRI for CDN — D3.js loaded with integrity hash
  • Secure nonces: crypto.randomBytes() replaces Math.random()
  • Symlink protection — symlinks skipped in build and watch mode
  • TOCTOU fix — file read once, hash and parse from same buffer
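
The symlink and TOCTOU items above describe a pattern that can be shown in a few lines. This is an added example, not the project's own code: load_source, demo and SAMPLE are hypothetical names, and Python's ast.parse stands in for the project's parser.

```python
import ast
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample input for the demo.
SAMPLE = b"def f():\n    return 1\n"


def load_source(path):
    """Return (sha256_hex, tree) for a regular file, or None if it is skipped.

    The bytes are read once and both the hash and the parse use that buffer,
    so a file replaced between two reads cannot yield a hash of one version
    stored alongside a parse of another.
    """
    if os.path.islink(path):
        return None  # symlink: skip, do not follow it outside the repo
    # O_NOFOLLOW (where the platform has it) closes the gap between the
    # islink() check above and the open below.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            return None  # FIFO, device, directory: not source code
        data = fh.read()  # the only read
    digest = hashlib.sha256(data).hexdigest()
    tree = ast.parse(data)  # stand-in parser; accepts the same bytes
    return digest, tree


def demo():
    """Build a temp repo with one real file and one symlink to it."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real.py"
        link = Path(tmp) / "link.py"
        real.write_bytes(SAMPLE)
        link.symlink_to(real)
        return {"real": load_source(real), "link": load_source(link)}


if __name__ == "__main__":
    print(demo())
```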

Reliability Fixes

  • Thread-safe NetworkX cache with threading.Lock
  • BFS capped at 500 nodes to prevent resource exhaustion
  • SQL IN clause batched to respect SQLite parameter limits
  • Dependency version upper bounds pinned

See CHANGELOG.md for full details.

v1.7.2

09 Mar 16:48

Fixes

  • Watch mode thread safety: SQLite connections now use check_same_thread=False for Python 3.10/3.11 compatibility with watchdog's background threads
  • Full rebuild stale data: full_build now purges nodes/edges from files deleted since last build
  • Removed unused dependency: gitpython was listed in dependencies but never imported — removed to shrink install footprint
  • Stale Docker reference: Removed non-existent Docker image suggestion from Python version check
  • Malformed .mcp.json handling: Now warns before overwriting instead of silently replacing
  • Documentation fixes: Corrected stale docstring, grammar, and install commands across docs

Install / Upgrade

# Claude Code plugin (recommended)
claude plugin add tirth8205/code-review-graph

# pip
pip install --upgrade code-review-graph

Full Changelog: v1.7.1...v1.7.2

v1.7.1

09 Mar 16:28

What's New

Install Command

pip install code-review-graph
code-review-graph install

New install command as the primary entry point. init remains as a backwards-compatible alias. Supports --dry-run to preview changes.

Benchmarked README

README rewrite with real benchmark data from 3 production repos (httpx, FastAPI, Next.js):

  • Code reviews: 6.8x fewer tokens on average
  • Live coding tasks: 14.1x average, up to 49x on large monorepos

Automatic PyPI Publishing

GitHub releases now automatically publish to PyPI.

Docs

All documentation updated for v1.7.1. Professional tone throughout.

Full Changelog: v1.6.4...v1.7.1

v1.6.3

06 Mar 19:15

  • SessionStart hook: Claude Code now automatically prefers graph tools over full codebase scans, saving tokens on every query
  • Fixed plugin.json schema for official marketplace submission (keywords, homepage, author URL)
  • Removed screenshot placeholders from README

v1.6.2

27 Feb 21:32

24 Audit Fixes

  • Critical: Incremental hash comparison bug — file_hash read from wrong field, causing every file to re-parse
  • Parser: C/C++ support — full node extraction (structs, classes, functions, includes, calls, inheritance)
  • Parser: name extraction fixes for Kotlin/Swift (simple_identifier), Ruby (constant), C/C++ nested function_declarator
  • Performance: NetworkX graph caching, batch edge queries, chunked embedding search, git subprocess timeouts
  • CI hardening: Coverage enforcement (50%), bandit security scanning, mypy type checking
  • Tests: +40 new tests for incremental updates, embeddings, and 7 new language fixtures
  • Docs: API response schemas, ignore pattern documentation, fixed hook config reference
  • Accessibility: ARIA labels throughout D3.js visualization

See CHANGELOG.md for full details.

v1.5.0

26 Feb 23:34

What's New

File Organization

  • All generated files now live in .code-review-graph/ directory instead of cluttering repo root
  • Auto-created .gitignore inside the directory prevents accidental commits
  • Automatic migration from legacy .code-review-graph.db at repo root

Visualization Density

  • Start collapsed: Only File nodes visible on load — click to expand children
  • Search bar: Filter nodes by name or qualified name in real-time
  • Edge type toggles: Click legend items to show/hide Calls, Imports, Inherits, Contains
  • Scale-aware layout: Force simulation adapts for large graphs (300+ nodes)

Project Cleanup

  • Removed redundant references/ directory (was duplicate of docs/)
  • Removed unused agents/ directory and settings.json
  • Updated all documentation for new paths

Path Changes

Before                       After
.code-review-graph.db        .code-review-graph/graph.db
.code-review-graph.html      .code-review-graph/graph.html

Existing databases are automatically migrated on first run.

Full Changelog: v1.4.0...v1.5.0

v1.3.0 — Universal Installation

26 Feb 19:39

What's New

Added

  • Universal installation: now works with pip install code-review-graph[embeddings] on Python 3.10+
  • CLI entry point (code-review-graph command works after normal pip install)
  • Clear Python version check with helpful Docker fallback for older Python users
  • Improved README installation section with one-command + Docker option

Changed

  • Minimum Python requirement lowered from 3.11 → 3.10 (covers ~90% of users)

Fixed

  • Installation friction for most developers

Install

pip install code-review-graph==1.3.0

PyPI: https://pypi.org/project/code-review-graph/1.3.0/