Release history

Changelog

Every release of Verscout, with the features, improvements, and fixes that shipped.

2.2.0

2026-04-23

New

  • **Onboarding Wizard** — 4-step first-run experience: welcome, source selection, permissions/scheduling, and "Start Scanning" completion
  • **Multi-Select & Bulk Actions** — checkbox selection on individual packages, Select All toggle, floating action bar with "Update Selected" and clear
  • **Open at Login** — LaunchAgent-based toggle in Settings to start Verscout automatically on macOS login
  • **Custom App Discovery Locations** — add folders beyond /Applications for scanning (Settings > Locations)
  • **Beta/Pre-release Toggle** — opt in to beta versions from GitHub releases and Sparkle appcast beta channels (Settings > Updates)
  • **Proxy Support** — system, manual (HTTP/HTTPS/SOCKS5), or no-proxy modes with per-field configuration (Settings > Proxy)
  • **Bundle ID Collision Registry** — detects apps sharing bundle IDs (e.g., Electron forks) and resolves aliases for apps that change identifiers across versions
  • **Team ID Verification on Downloads** — extracts and compares Apple Team IDs between installed and downloaded app versions; warns on mismatch (possible supply-chain attack)
  • **Malware/Adware Blocklist** — integrates Apple XProtect definitions and a cloud-synced blocklist; blocked apps flagged with red badges and excluded from Update All
  • **Acknowledgements Page** — credits Homebrew, Sparkle, MAS CLI, and other open-source dependencies

Improved

  • macOS compatibility filtering now walks Sparkle feeds and Cask `depends_on.macos` to find the newest version that runs on your macOS — incompatible updates are shown with amber badges instead of being offered for install
  • Sparkle pre-release items (beta channels and version-string patterns) are now filtered unless the pre-release toggle is on
  • Network pre-flight check uses 3 DNS hosts instead of 1 — transient DNS failure no longer blocks all updates
  • Menu bar "Scan Now" uses `evaluateJavaScript` instead of reloading WKWebView, preserving dashboard state
  • Update All timeout scales by package count (10–90 min) instead of fixed 5 minutes
  • Dashboard asset cache-busting uses startup timestamp — no more stale WKWebView JS after source edits
  • Gzip response middleware reads the body once instead of three times, halving memory allocation for large scan results
  • Process info endpoint caches `ps aux` output for 2 seconds, eliminating redundant syscalls when viewing multiple package details
  • Activity log endpoint now holds the shared file lock, preventing TOCTOU with concurrent log writes
  • Scan cache write/load errors now log at WARNING for disk-full or permission failures instead of silent DEBUG
  • CLI casks (e.g., claude-code) no longer falsely flagged as orphaned — caskroom directory check added
  • Badge and skip-button overlap resolved — switched from absolute to inline flex layout
  • Suppress/ignore/skip actions use CSRF-aware `postAction()` instead of raw fetch
  • Source validation hardened with `_SAFE_SOURCE_RE` regex whitelist
  • Command whitelist in update worker prevents cache-poisoning vector
  • AppleScript path sanitization guard now runs before escaping and blocks backtick characters
  • Rate limiting enforced on `/api/launch-app` and `/api/open-folder` endpoints
  • Duplicate `json` import removed from export route handler
  • 14 `console.debug` statements removed from production JS
  • Stale `.pyc` files for deleted modules cleaned up
  • 120+ additional code quality fixes: null guards, empty-catch handlers, f-string logger arguments, plistlib performance, request.json standardization, CSS variable usage, and WCAG labels

Fixed

  • "Update All" button showed stale count — fingerprint-based polling now detects enrichment completion
  • Sidify download URL double-encoding — absolute URLs in Electron feeds no longer re-encoded
  • Multi-source download fallback — all sources (Sparkle, Electron, GitHub) tried in sequence instead of stopping at first failure
  • Lasso false positive — Repology blocklist check added to web scraping path
  • Onboarding "Scan Now" called undefined `runScan()` — fixed to `startScan()`
  • Double window open on activation — debounce added to AppKit observer
  • Stats disk usage empty — `compute_disk_usage()` now includes pre-enriched `size_bytes`
  • Constrained text overflow — name column truncates with ellipsis
  • Marketing download button empty href — `release-content.ts` fallback added
  • Web SaaS `webhook_events` missing GRANT — dedup was broken

2.1.0

2026-04-01

New

  • **macOS Notifications** — scan completion, security alerts, and auto-update results now post native notifications
  • **Security Vulnerability Alerts** — immediate notification when packages have known CVEs
  • **Auto-Update Notifications** — confirmation when packages are updated automatically

Improved

  • Scheduler passes settings context to auto-update flow for notification preferences
  • Notification text includes correct singular/plural grammar

2.0.0

2026-03-31

New

  • **Trust & Safety Checks** — code signing verification, revoked certificate detection, XProtect blocklist matching
  • **Compatibility Warnings** — flags updates that drop Intel support or require newer macOS
  • **Duplicate Resolution** — finds apps installed via multiple sources and recommends which to keep
  • **Deep Find Scanner** — discovers JDKs, CLI tools, pref panes, frameworks, drivers, launch items, kernel/system extensions, and browser add-ons
  • **Tool Registry** — browse and search the full Homebrew Cask + Formulae catalog from within the app
  • **App Catalog** — discover new apps with curated categories and one-click install
  • **Version Database** — cloud-backed version intelligence for 5,500+ apps
  • **Analytics Dashboard** — update trends, staleness metrics, and disk usage analysis
  • **iCloud Sync** — sync settings, pins, and schedules across Macs
  • **Menu Bar Packaging** — new sidebar for cleaner navigation and more screen real estate

Improved

  • Scan engine rewritten: 12 sources (Brew, Cask, pip, npm, App Store, Setapp, Adobe, Microsoft, JetBrains, iOS App, System, Standalone)
  • Conflict resolution for packages available from multiple managers
  • Brew-to-pip and pip-to-brew migration suggestions
  • Enhanced error messages with actionable troubleshooting steps
  • CSRF protection on all mutation endpoints
  • CSP, X-Frame-Options, and other security headers on responses

1.5.0

2026-02-15

New

  • **Standalone Update Engine** — direct downloads for apps not managed by any package manager
  • **Sparkle Feed Support** — read update info from in-app Sparkle/Squirrel feeds
  • **GitHub Release Tracking** — version checks against GitHub releases for open-source apps
  • **Web Scraping Fallback** — homepage and changelog page scraping for version detection

Improved

  • Scan speed improved 3x with parallel source checks
  • Better handling of apps with non-standard bundle IDs
  • Reduced false positives for App Store apps with pending updates

1.0.0

2026-01-10

New

  • Initial release
  • Homebrew Brew + Cask scanning
  • pip and npm package scanning
  • App Store update detection
  • One-click update for Brew/Cask/pip/npm packages
  • Batch update with progress tracking
  • Pin versions to skip specific updates
  • Schedule automatic scans (hourly, daily, weekly)
  • Light and dark theme support
  • Local-first architecture — no data collection, no accounts required