All notable changes to the Git Identity Switcher extension will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Windows SSH key path validation (#492): Windows users entering drive letter paths (
C:/...orC:\...) now receive a clear error message guiding them to use the cross-platform~/.ssh/format instead of a generic "Invalid SSH key path" error - Config schema consistency:
configSchema.tsnow rejects Windows drive letter paths at the schema level, consistent with all other validation layers
- Localization: Added SSH key path guidance message in all 17 supported languages
- Gitleaks secret detection: Added gitleaks v8.30.1 for multi-layered secret scanning via pre-commit hook and CI job with SHA256 checksum verification
- Gitleaks badge: Added Gitleaks badge to the root README, extension README, and all 26 localized READMEs
- .gitignore security baseline: Rewrote .gitignore with comprehensive secret insurance patterns (
**/prefix, credential files, key files) and project-specific negation for extension.vscode/dev configs - Workflow hardening: Added
persist-credentials: falseto all 8 checkout steps insecurity.yml
- Legitify integration (full revert): Removed the Legitify SCM posture audit introduced in 0.19.3. Legitify (both v1.0.11 and the post-v1.0.11 main branch at
038aa49) explicitly rejects fine-grained PATs (GitHub fine-grained tokens are not supported at this moment, please use classic PAT). Switching to a classic PAT would broaden the token's blast radius beyond the minimum-privilege principle this repository follows. All Legitify references have been removed: thelegitify-analyzejob insecurity.yml, the Legitify badge across the root README, the extension README, and all 26 localized READMEs, as well as the SCM_TOKEN entries in SECURITY.md and the sekimori-ishi entry in GOVERNANCE.md
- Legitify SCM Posture Audit badge: Added static Legitify badge to the root README, extension README, and all 26 localized READMEs, reflecting the weekly SCM configuration audit now running as part of the security workflow
- Legitify workflow failure: Pinned
Legit-Labs/legitifyto post-v1.0.11 main SHA (038aa49). v1.0.11 (2024-07-09) fails on the current GitHub Actions runtime because its composite action pullscodeql-actioninternals that depend on the deprecatedactions/upload-artifact@v3. The upstream fix landed on main (PR #333, 2024-09-11) but no new tag has been published
- Snyk badge: Replace broken
snyk.io/test/github/*/badge.svgendpoint (HTTP 410 Gone) with a static shields.io "Snyk monitored" badge linking to snyk.io
- Badge display: Replace broken VS Code Marketplace version badge with Open VSX Registry badge after shields.io permanently dropped Marketplace support (badges/shields#11796)
- Webview CSP hardening: Tightened
img-srcfrom wildcard to explicitassets.nullvariant.comsubdomain (#462) - Link scheme allowlist: Externalized
linkInterceptScriptand restricted navigable href schemes tohttp:,https:, and fragment-only (#460) - SanitizedHtml branded type: Introduced a compile-time brand on pre-sanitized HTML content so
buildDocumentHtmlcannot accept a rawstring(#455) - Webview fail-safe fallback: Hardened CSP construction with
CspValidationErrorand a fail-closed error page when CSP assembly fails (#453) - Input length guard: Added input length limit and field name validation to
toFieldError(#444)
- Defense-in-depth nonce/lang validation:
buildHtmlShellnow validates nonce format and lang tag at the template boundary, throwingCspValidationErroron invalid input (#457) - npm namespace placeholder: Published
@nullvariant/git-id-switcherplaceholder package to prevent name squatting (#422) - DCO enforcement: Added Developer Certificate of Origin check workflow for all PRs (#425)
- CI auto-approval: Justice bot now auto-approves PRs that pass all CI checks (#430)
- Coverage thresholds: Enforced c8 statement/branch/function/line thresholds via
.c8rc.json(#434) - Allstar policy: Added OpenSSF Allstar security policy configuration (#413)
- Snyk integration: Added Snyk policy, vulnerability badge, and documented in SECURITY.md (#416)
- FOSSA integration: Added FOSSA license/security badges and documented in SECURITY.md (#424, #426)
- Webview a11y: Improved landmark structure, focus management, ARIA attributes, and forced-colors support in all webview templates (#446, #456)
- Markdown tooltip escaping: Escape Markdown special characters in status bar tooltip user values (#406)
- htmlTemplates directory split: Decomposed monolithic
htmlTemplates.tsintoshell.ts,document.ts,loading.ts,error.ts,baseStyles.ts,csp.ts,linkIntercept.ts, andtypes.ts(#447, #458, #459) - Design tokens round two: Added six new tokens (
--gis-width-readable,--gis-line-height-doc,--gis-border-emphasis,--gis-pad-code,--gis-spinner-size,--gis-spinner-border), renamed--gis-pad-*→--gis-size-*, and eliminated all remaining magic numbers from templates - Design tokens round one: Scoped webview body overrides by
body.gis-*class and introduced initial--gis-border-subtle/--gis-space-*/--gis-pad-*token set (#448) - Webview template extraction: Extracted pure HTML template functions from webview provider for independent testability (#405)
- identityManager split: Split
identityManager.ts(1181 → 4 modules) intoidentityAddForm.ts,identityEditFlow.ts,identityFormUtils.ts,identityFormValidation.ts(#401) - Validation types module: Split Phase 4 Unified Validation Types into dedicated
validation-types.ts(#403) - Logging consolidation: Replaced all
console.log/error/warn/debugwithOutputChannel-basedextensionLogger, added disposed guard (#431, #438, #441) - secureLogPath extraction: Separated log path validation into dedicated
secureLogPath.ts(#432) - AddFormState derivation: Derived
AddFormStatefromIdentitytype and removedGenericQuickPickwrapper (#412) - Narrowed ESLint exception: Restricted htmlTemplates
varallowance tocsp.tsonly (#461)
- Branch coverage expansion: Added tests for
securityLoggerandconfigChangeDetectorbranch paths (#411) - Cross-OS path sanitization: Added
getSafeStacktests for Windows/macOS/Linux path formats (#404) - Assertion quality: Improved assertion specificity in
errors.test.tsandidentityManager.test.ts(#408, #442)
- Identity validation caching:
getIdentitiesWithValidation()now caches validated results in a module-level variable, avoiding redundant VS Code config reads and schema validation on every call. Cache is automatically invalidated on configuration change viaonDidChangeConfiguration - Config change detection:
valuesEqual()inConfigChangeDetectornow returnsfalse(changed) for large objects exceedingMAX_STRINGIFY_SIZE, instead of the previous length-based heuristic that could miss same-length but different-content objects - Renamed
resetValidationNotificationFlag()toinvalidateIdentityCache()to reflect its expanded responsibility (cache invalidation + notification flag reset)
- Deprecated aliases removed (BREAKING for consumers importing these symbols directly):
isPathSafe— useisShellSafePathinsteadisSecurePath— usevalidatePathSecurityinsteadvalidateNoControlChars— usecontrolCharValidatorinsteadvalidateNoInvisibleUnicode— useinvisibleUnicodeValidatorinsteadisKeyLoaded— usecheckKeyLoadedInAgentinsteadgetGitAuthorFlag()— useformatGitAuthor()with template literal instead
- UI module split (via #401): Split
identityManager.ts(1181 lines) into 4 responsibility-based modules:identityAddForm.ts,identityEditFlow.ts,identityFormUtils.ts,identityFormValidation.ts
- Restore fork editor compatibility: Reverted
engines.vscodefrom^1.109.0to^1.85.0. The 1.109.0 requirement was introduced by a Dependabot@types/vscodebump in v0.16.20, but no APIs newer than 1.85.0 are actually used. This made v0.16.20+ invisible on Cursor, Windsurf, Antigravity, TRAE, and other VS Code forks whose engine version lags behind VS Code stable - Prevent future
@types/vscodeauto-bumps: Added@types/vscodeto both Dependabot ignore list and Renovate ignoreDeps to preventengines.vscodefrom being silently raised again
- Sync Check: Real-time detection of mismatches between the selected profile and actual git config (
user.name,user.email,user.signingkey). When a mismatch is detected, the status bar shows a⚠️ warning with a clickable resolution flow (re-apply, select different profile, or dismiss) - Sync Check settings:
syncCheck.enabled(default:true) andsyncCheck.onFocusReturn(default:true) to control sync check behavior - Event-driven sync check: Automatically runs on profile apply, workspace folder change, configuration change, and window focus return (debounced 500ms)
- Localization: All sync check UI strings translated to 17 languages (
package.nlsandl10n/bundle.l10n)
- Webview CSP hardening: Removed
'unsafe-inline'fromstyle-srcdirective and migrated all inline<style>tags to nonce-based CSP, matching the existing nonce-onlyscript-srcpolicy
- Semgrep OpenSSF Scorecard regression: Reverted from
pip install semgrepto SHA-pinned Docker action to restore Pinned-Dependencies score; added.semgrepignorefor SonarCloud Action SHA pin false positive
- Supply chain badges: Added Sigstore (Cosign Signed) and SBOM (CycloneDX) badges to all 26 language READMEs and repository root README
- Supply Chain Security: Added Cosign keyless VSIX signing, CycloneDX SBOM generation with attestation, and Trivy pre-publish vulnerability scan to the release pipeline
- Dependency Review: Added license allowlist and CVE check for PRs via
dependency-review-action - Static Analysis: Added Semgrep SAST (p/typescript, p/security-audit, p/secrets) and Socket.dev npm supply chain risk detection
- Anti-Impersonation: Added Extension Fingerprint section to README, package.json URL validation in CI, and typosquat reporting procedure to SECURITY.md
- STRIDE Threat Model: New
docs/THREAT_MODEL.mdmapping all existing security mitigations to STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) - Webview CSP Policy: Documented nonce-based Content Security Policy for future Webview use in
docs/ARCHITECTURE.md - Extension Capabilities: Documented granted and explicitly denied capabilities in
docs/ARCHITECTURE.md - OpenVEX Declaration: New
.vex/vex.jsondeclaring zero production dependencies (devDependency CVEs do not affect end users)
- Switch to X-Extension-Id custom header for analytics classification: The User-Agent approach in 0.16.18 was ineffective because Node.js
fetch()overrides User-Agent to"node". Now usesX-Extension-Id: git-id-switchercustom header, which the assets worker forwards to the analytics worker for correct VSCODE/is_likely_human=1 classification.
- Add User-Agent header to Webview documentation fetch requests: Node.js fetch in the extension host doesn't include VSCode's User-Agent (
Code/x.y.z), causing Cloudflare analytics worker to classify documentation access asOTHER/is_likely_human=0. Now sendsCode/${vscode.version} git-id-switcherto match existingclassifyTrafficdetection rules.
0.16.17 - 2026-02-07
- All 26 i18n READMEs restructured to match new ja/en format:
- Added Profile Management UI section (add/edit/delete/reorder/SSH key path)
- Added SSH Key Management section with IdentitiesOnly explanation
- Improved Quick Start guide with first-ux image and UI-first approach
- Expanded Troubleshooting section with new entries
- Added Delete Identity command to Commands table
- Removed obsolete sections (old Step 4, GPG-only section, "Note: Basic Setup")
- Updated all screenshot references from old PNG to new per-language WebP format
- Maintained culturally appropriate sample profile names per language
- Languages: en, ja, zh-CN, zh-TW, ko, de, fr, es, pt-BR, it, ru, pl, tr, cs, hu, bg, uk, haw, ain, ryu, tlh, tok, eo, x-pirate, x-lolcat, x-shakespeare
0.16.16 - 2026-02-07
- L10n key split and Japanese terminology unification:
- Split
'Select Identity'into separate keys for status bar (Select Identity) and QuickPick (Select an identity) to enable context-appropriate translations - Fixed 7 Japanese translations: unified "ID" to "Profile" for normal UI (notifications, dialogs, placeholders) while keeping "ID" for compact status bar area
- Added 5 missing l10n keys across all 16 languages:
Select an identity, workspace trust warnings (2), validation error notifications (2) - All 16 bundles now have 98 keys, perfectly matching source
l10n.t()calls
- Split
0.16.15 - 2026-02-05
- L10n bundle cleanup and key unification:
- Removed ~24 unused keys from all 17 language files
- Added 6 missing keys (SSH/GPG validation messages)
- Unified all files to exactly 93 keys
- Fixed duplicate key issues (e.g., "Select Identity" appeared twice)
- Keys now use "Identity" terminology; localized values use appropriate "Profile" equivalents
0.16.14 - 2026-02-04
- L10n terminology unified to "profile" for better user comprehension:
- Updated all 17 language bundle files (
bundle.l10n.*.json) - Changed "identity" → "profile" in user-facing UI text (status bar, QuickPick items, messages)
- Internal code and settings still use "identity" for backward compatibility
- Updated all 17 language bundle files (
0.16.13 - 2026-02-03
- Removed WebP test image from README: WebP format support verified successfully on VS Code Marketplace
0.16.12 - 2026-02-03
- Added WebP format test image to README: Verifies VS Code Marketplace rendering support before using WebP for actual documentation screenshots
0.16.11 - 2026-02-02
- New profile creation now returns to the management screen (profile list) instead of opening the edit screen for the newly created profile
0.16.10 - 2026-02-02
- Profile selector and delete picker now dismiss normally on focus loss:
- v0.16.9 applied
ignoreFocusOutto all QuickPick dialogs, which prevented simple pickers from being dismissed by clicking outside - Now only form-style dialogs (new profile, edit, manage) retain focus; simple pickers follow standard VS Code behavior
- v0.16.9 applied
0.16.9 - 2026-02-01
- All QuickPick dialogs now persist when the editor loses focus:
- Previously, switching to another application (e.g., to copy text) would dismiss the QuickPick and discard all entered data
- Set
ignoreFocusOut = trueon all 5 QuickPick instances: new profile form, edit form, profile selector, delete picker, and manage screen - Matches the existing InputBox behavior which already retained focus
0.16.8 - 2026-01-31
- SSH key file picker now stores paths in
~/format instead of absolute paths:- Selecting a key via the 📁 browse button now produces
~/.ssh/id_ed25519instead of/Users/name/.ssh/id_ed25519 - Improves privacy (no OS username in settings.json) and portability across machines
- Works on both Unix and Windows (backslashes normalized to forward slashes)
- Extracted shared
replaceHomeWithTilde()utility topathUtils.ts, removing duplicate frompathSanitizer.ts
- Selecting a key via the 📁 browse button now produces
- Updated Japanese README for identity management UI:
- Added "Profile Management UI" as first item in Features section
- Rewrote Quick Start Step 3 from settings.json-first to UI-first approach
- Added new "Profile Management" section (add/edit/delete/reorder/SSH key path)
- Added Delete Identity command to Commands table
- Removed "Note: Basic Setup (No SSH)" section
0.16.7 - 2026-01-30
- Remove forced default icon (👤) for identities without an icon configured:
- Status bar now shows only the identity name when no icon is set
- Previously, identities created without an icon always displayed 👤 in the status bar
- The default preset profile still shows 👤 as it has
"icon": "👤"explicitly configured
0.16.6 - 2026-01-30
- Reorder settings fields to group required fields first (id, name, email):
- Changed field order from
id, name, service, email, ...toid, name, email, service, ...across all 17 language files - Updated
config.identities.markdowndescriptions, individual field key order, andpackage.jsonschema/default order - Required fields (id, name, email) now appear as the first three items, matching the UI edit form order
- Changed field order from
0.16.5 - 2026-01-29
- Unified
config.identities.markdowndescriptions across all 17 languages:- Aligned markdown overview descriptions with individual field descriptions (the more specific variants)
- Fixed 5 fields per language:
id(added character restrictions),service(added Bitbucket),sshKeyPath(added example),sshHost(replaced explanation with examples),gpgKeyId(added example) - Ensures VS Code Settings UI overview matches InputBox placeholders exactly
0.16.4 - 2026-01-29
- Profile reorder (Move up / Move down) feature:
- Added
moveIdentityInConfig()function to reorder identity profiles - Added inline move up / move down buttons in Manage Profiles UI
- Added
handleManageMove()command handler with focus management - Boundary handling: first item cannot move up, last item cannot move down
- Security: ID format validation and audit logging for config changes
- i18n: Move up / Move down / Failed to reorder tooltips (17 languages)
- Allow ID editing when only one profile exists (
EditableFieldOrIdtype) - Fix Codicon display in Edit Identity title
- Added
- Added 9 E2E tests for
moveIdentityInConfig(): normal move, boundary, single-element, error, and persistence - Added 2 E2E tests for moveUp/moveDown button actions in
showManageIdentitiesQuickPick()
0.16.3 - 2026-01-28
- i18n: Unified InputBox placeholders with settings.json descriptions:
- Updated
FIELD_PLACEHOLDER_KEYSin identityManager.ts to match package.nls.json - Added Bitbucket to service field examples (17 languages)
- Added concrete sshHost examples:
github-work,gitlab-personal(17 languages) - Added 6 new translation keys to bundle.l10n files (17 languages):
Git user.name (required)Git user.email (required)Git hosting service (e.g., GitHub, GitLab, Bitbucket)Emoji to display in status bar (e.g., 🏠, 💼)Note for this identity (e.g., Work, Personal)SSH config host alias (e.g., github-work, gitlab-personal)
- Updated
0.16.2 - 2026-01-28
- Manage Profiles icon not visible without hover:
- Use Codicon in label
$(gear)instead of iconPath for consistent display
- Use Codicon in label
- Save button disabled state icon:
- Changed from
$(loading~spin)to$(session-in-progress)(static icon)
- Changed from
0.16.1 - 2026-01-28
- Critical Bug: Back button inserting "back" string:
- Fixed bug where pressing back button in InputBox set "back" as the field value
- Added
result !== 'back'check inhandleAddFormFieldEdit()
- SSH Key Path Browse Button UX:
- Fixed file picker not transferring selected path due to InputBox losing focus
- Added
ignoreFocusOut: trueto prevent InputBox from closing during file selection - Updated tooltip from "Browse..." to "Browse for SSH key path..." (17 languages)
- Japanese "New Profile" Label:
- Changed "新しいプロフィール" to "プロフィールを新規作成" for clarity
- Required Field Hint:
- Updated "(fill in required fields)" to "(fill in fields marked with *)" (17 languages)
- Save Button Disabled State Icon:
- Changed disabled icon from
$(circle-slash)to$(loading~spin)(less negative connotation)
- Changed disabled icon from
- InputBox Field Descriptions:
- Added concrete examples to id, sshKeyPath, gpgKeyId placeholders (17 languages)
- InputBox Prompt Wording:
- Changed "Press 'Enter' to confirm" to "Press 'Enter' to save" (17 languages)
- Added skip/clear hints for optional fields
- Dead Code Cleanup:
- Removed 7 obsolete translation keys from wizard-style UI (17 languages)
0.16.0 - 2026-01-27
- Identity Management UX Overhaul (Phase 5.5):
- Profile list with inline edit/delete buttons replaces abstract action menu
- All identity fields now editable: sshKeyPath, sshHost, gpgKeyId (in addition to existing fields)
- New profile creation shows all properties as a list with required/optional markers
- File picker button for sshKeyPath field with SSH directory default path
- Back button in title bar (standard VS Code pattern)
- Esc key now goes back one step instead of cancelling entire wizard
- Focus position preserved after edit/delete operations
- Empty state message when no profiles exist
- Input values preserved when navigating back in wizard
- SSH Key Path Validation Enhancement:
- Multi-layer validation: dangerous characters → path traversal → SSH directory restriction
- SSH key paths restricted to
~/.ssh/directory (user home directory protection) - Real-time validation feedback in InputBox
- Comprehensive Security Tests:
- Defense-in-depth validation tests for all input fields
- MAX_IDENTITIES limit enforcement tests
- Audit logging tests for add/edit/delete operations
0.15.1 - 2026-01-27
- Identity Management UX Improvements:
- Manage menu now shows profile list with inline edit/delete buttons
- Back button in title bar (standard VS Code pattern)
- Esc key now goes back one step instead of cancelling entire wizard
- Focus position preserved after edit/delete operations
- Empty state message when no profiles exist
0.15.0 - 2026-01-26
- Identity Management UI: New in-editor identity management functionality
Git ID Switcher: Select Identitynow includes "Manage identities..." option- Add new identities via wizard with ID, Name, and Email input
- Edit existing identities (name, email fields)
- Delete identities with confirmation dialog
Git ID Switcher: Delete Identitycommand for direct deletion- All UI strings localized in 17 languages
- Identity Picker Enhancement: Added management option with separator in quick pick
- Select identity or manage identities from single unified UI
- Management menu provides Add/Edit/Delete options
0.14.4 - 2026-01-25
- ARCHITECTURE.md Improvements: Enhanced documentation maintainability
- Added "Function Naming Conventions" section with naming rules table
- Added "ESLint Exclusion Patterns" section documenting intentional lint bypasses
- Removed concrete values (line counts, file counts, validator counts) to prevent documentation drift
- Replaced specific numbers with generic terms (e.g., "Multi-Layer" instead of "2 Layers")
- PR Template: Created
.github/PULL_REQUEST_TEMPLATE.md- General checklist (tests, linter, coverage)
- Naming conventions checklist for function additions/renames
- Security checklist for validation/security code changes
0.14.3 - 2026-01-25
- ReDoS Vulnerability Fix: Replaced regex-based email validation with split-based approach
EMAIL_REGEXmarked as deprecated (kept for backward compatibility)- New
isValidEmail()function uses string operations instead of regex - Added length limit (254 chars per RFC 5321)
- SonarQube: typescript:S5852
- ARCHITECTURE.md Updated: Synchronized documentation with new directory structure
- Updated 30+ file path references to reflect Phase 1-5 refactoring
- Replaced logical grouping diagram with actual directory structure
- Expanded security layer documentation with all 13 files
0.14.2 - 2026-01-23
- VSIX Packaging Fix: Added
../**to.vscodeignoreto exclude parent directory files- Fixes "invalid relative path" error during
vsce publish - Prevents monorepo root files (e.g.,
sonar-project.properties) from being included in VSIX
- Fixes "invalid relative path" error during
0.14.1 - 2026-01-23
- Dependency Vulnerability Fix: Added npm override to force
diff@^8.0.3- Fixes GHSA-73rr-hh4g-fpgx (CVE-2026-24001): DoS vulnerability in
parsePatchandapplyPatchmethods mocha@11.7.5depends on vulnerablediff@7.0.0
- Fixes GHSA-73rr-hh4g-fpgx (CVE-2026-24001): DoS vulnerability in
0.14.0 - 2026-01-22
- Command Palette Display Names: Unified command category prefix for consistency
- Changed from
Git ID:toGit ID Switcher:for all commands Git ID: Select Identity→Git ID Switcher: Select IdentityGit ID: Show Current Identity→Git ID Switcher: Show Current Identity- Prevents potential conflicts with other Git ID extensions in the ecosystem
- Changed from
- Documentation Command in README: Added
Git ID Switcher: Show Documentationto command lists- Updated all 26 language README variants with the previously missing command
- Each language includes appropriately translated descriptions
- Command Search: Users who search for commands using
Git ID:prefix will need to update their search toGit ID Switcher: - Keyboard Shortcuts: Not affected (command IDs remain unchanged)
- Settings: Not affected (configuration keys remain unchanged)
0.13.8 - 2026-01-19
- Hash Verification Workflow: Redesigned for branch protection compliance
- Added
hash-check.ymlworkflow for pre-merge hash validation on PRs - Simplified
deploy-docs.ymlto CDN-only deployment (removed auto-commit) - Hash keys now align with CDN paths for consistency
- Added monorepo root file support (README.md, CONTRIBUTING.md, LICENSE)
- Total files tracked: 38 (32 extension + 6 monorepo root)
- Added
- Hash Key Format: Fixed hash verification failing due to key format mismatch
- Added
getHashKey()function for consistent hash key generation - Updated
verifyContentHash()to support both extension and monorepo root files
- Added
0.13.7 - 2026-01-19
- Documentation Hash Mismatch: Fixed Webview documentation display failing due to outdated hashes
- Regenerated SHA-256 hashes for all 32 documentation files
- Added automatic hash update script (
scripts/update-doc-hashes.mjs) for CI/CD - Deploy workflow now auto-updates hashes before CDN deployment
0.13.6 - 2026-01-18
- Maximum Privacy Mode: New
gitIdSwitcher.logging.redactAllSensitivesetting- When enabled, all string values are masked in security logs
- Provides maximum privacy for users who want complete log sanitization
- Default:
false(existing behavior preserved) - Localized descriptions available in 17 languages
- Documentation updated in 26 language README variants
0.13.5 - 2026-01-18
- Remove HTML Sanitization: Removed
sanitizeHtml()function from documentation rendering- CDN content is now trusted based on CSP + SHA-256 hash verification
- Simplifies codebase while maintaining security through existing defense layers
- Resolves CodeQL "Incomplete multi-character sanitization" warnings
- Fix undici vulnerability: Updated
undicidependency to fix GHSA-g9mf-h72j-4rw9- HTTP request smuggling vulnerability in
@vscode/test-electrontransitive dependency
- HTTP request smuggling vulnerability in
0.13.4 - 2026-01-18
- CDN Content Hash Verification: Added SHA-256 hash verification for all documentation files
- 32 documents now have cryptographic integrity checks (SHA-256)
- Uses allowlist approach: unknown paths are rejected
- Hash mismatches are logged and content is rejected
- Protects against CDN cache poisoning and MITM attacks on documentation
0.13.3 - 2026-01-18
- Platform Badge Redesign: Unified three separate platform badges into a single badge
- Replaced individual Windows/macOS/Linux badges with unified
[🖥️ | Win | Mac | Linux]badge - Microsoft removed all Windows icons from Simple Icons due to trademark requirements
- Uses custom desktop monitor SVG icon with gray/blue two-tone design
- Applied to all 28 README files (monorepo root, extension root, 26 i18n variants)
- Replaced individual Windows/macOS/Linux badges with unified
0.13.2 - 2026-01-18
- Multi-Platform CI Support: CI now runs on Windows, macOS, and Linux
- Build job: 3-platform matrix strategy (ubuntu, windows, macos)
- E2E job: Platform-specific execution (xvfb for Linux, native for Windows/macOS)
- Added Git line ending configuration for Windows (
core.autocrlf false)
- Cross-Platform Path Tests: Added
pathSeparator.test.tswith platform-aware tests- Tests for
path.join,path.normalize,path.sep - Platform-dependent assertions for backslash handling
- Tests for
- Platform Badges: Added Windows/macOS/Linux badges to all 26 language READMEs
0.13.1 - 2026-01-18
- Submodule Detection Bug: Fixed
listSubmodules()failing to detect the first submodule- Root cause:
gitExec()appliedstdout.trim()which removed the leading status character - Added
gitExecRaw()function that preserves raw stdout without trimming git submodule statusoutput format requires leading character (,-,+) for status
- Root cause:
- Comprehensive Submodule Tests: Added tests for submodule detection scenarios
- Single submodule detection test
- Multiple submodules detection test (3 submodules)
- Nested submodules recursive test (3-level hierarchy)
gitExecRaw()error handling test
- Improved Test Coverage:
submodule.tscoverage increased from 79.78% to 93.53%
0.13.0 - 2026-01-17
- Security Hardening: Comprehensive security improvements
- Log Path Validation (Breaking Change)
- Added
isSecureLogPath()function with symlink detection vialstat - Log files now restricted to
globalStorageUridirectory only filePathworkspace setting is now ignored for security
- Added
- Binary Path Resolution
- Added
binaryResolver.tsfor secure PATH resolution - Commands now execute using absolute paths instead of relying on PATH
- Prevents PATH pollution attacks with fake git/ssh binaries
- Added
- Audit Logging
- Added
securityLogger.logCommandBlocked()for allowlist violations - Improved error handling in
gitExec(no longer silently fails)
- Added
- Dependency Cleanup
- Removed unused
lodashandminimistfrom devDependencies - Reduces attack surface and supply chain risk
- Removed unused
- Log Path Validation (Breaking Change)
gitIdSwitcher.logging.filePathworkspace setting is now ignored- Log files are always written to VS Code's
globalStorageUrifor security - This prevents malicious repositories from writing to arbitrary paths via
.vscode/settings.json
- Log files are always written to VS Code's
0.12.3 - 2026-01-14
- SonarCloud CI Integration: Switched from automatic analysis to CI-based analysis
- Added GitHub Actions workflow for SonarCloud scanning
- Enables
sonar-project.propertiesconfiguration (ignored by automatic analysis) - Includes test coverage reporting to SonarCloud
- Test files properly excluded from duplication detection via
sonar.cpd.exclusions
0.12.2 - 2026-01-14
- SonarCloud Quality Gate: Fixed duplication detection configuration
- Added
.sonarcloud.propertiesfor automatic analysis (GitHub App) sonar-project.propertiesis ignored by automatic analysis- Excluded test directory from duplication detection
- Test code intentionally has duplication for readability and isolation
- Added
0.12.1 - 2026-01-14
- Code Quality Improvements: Use
node:prefix for Node.js built-in moduleschild_process→node:child_processin secureExec.tsutil→node:utilin secureExec.tsassert→node:assertin all test files
0.12.0 - 2026-01-14
- Workspace Trust: Removed custom Workspace Trust implementation (introduced in v0.11.0)
- VS Code's default behavior (complete extension disable in untrusted workspaces) is more secure than partial functionality restrictions
- Removed
gitIdSwitcher.disableWorkspaceTrustsetting - Removed confirmation dialogs for untrusted workspaces
- Removed trust-related localized messages from all 17 languages
- Removed Workspace Trust section from all 26 README documentation files
- Improved Security Posture: Relying on VS Code's native Workspace Trust (complete disable) instead of custom partial restrictions provides stronger security guarantees
0.11.3 - 2026-01-14
- SonarCloud Quality Gate Badge
- Added SonarCloud Quality Gate Status badge to all 28 README files (monorepo root + 27 language variants)
- Badge positioned between codecov and Harden-Runner badges
0.11.2 - 2026-01-14
- i18n: Complete Translation Coverage
- Added missing
command.showDocumentationtranslations to 15 languages (zh-CN, zh-TW, ko, de, fr, es, it, pt-BR, ru, pl, hu, cs, bg, uk, tr) - All package.nls translation keys now have 100% coverage across 17 languages
- Test coverage added to verify i18n key consistency
- Added missing
0.11.1 - 2026-01-12
- Empty String Validation
- Empty strings in optional fields (
service,sshKeyPath,sshHost,gpgKeyId) are now treated as "not set" instead of triggering validation errors - This eliminates unnecessary warnings when using default settings
- Required fields (
id,name,email) still correctly reject empty strings
- Empty strings in optional fields (
- configSchema Tests
- Added comprehensive test suite for
configSchema.ts(68 test cases) - Covers empty string handling, malicious value rejection, format validation, and edge cases
- Test coverage improved to 92.99%
- Added comprehensive test suite for
- SSH Interaction Sections (en, ja)
- Added "SSH Key Management Details" section explaining ssh-agent commands
- Added "Interaction with Existing SSH Config" section for compatibility guide
- Added "Why
IdentitiesOnly yes?" section with recommended configuration
0.11.0 - 2026-01-11
- Workspace Trust: Added support for VS Code Workspace Trust
- Dangerous operations (Git config changes, SSH key operations) are blocked in untrusted workspaces
- Identity switching requires explicit user confirmation in untrusted workspaces
- New setting
gitIdSwitcher.disableWorkspaceTrustfor emergency bypass (not recommended)
- Confirmation dialog for identity switching in untrusted workspaces
- Localized trust-related messages in 17 languages
- Added Workspace Trust section to README (en, ja)
0.10.48 - 2026-01-10
- Marketplace DESIGN_PHILOSOPHY.md Links
- Fixed 404 errors for Karesansui Architecture badge links in VS Code Marketplace
- Changed from relative paths (
docs/DESIGN_PHILOSOPHY.md) to absolute GitHub URLs generate-root-readme.jsnow generates absolute URLs consistent with other link transformations
0.10.47 - 2026-01-10
- Badge Design Restoration
- Restored
🌐 Languages | 17+9 moretwo-tone badge (was incorrectly changed to🌐 26 Languages) - The
17+9format intentionally shows: 17 VSCode UI languages + 9 additional (minority/joke/special)
- Restored
0.10.46 - 2026-01-10
- Full 26 Language Links
- Replaced
17+9 morebadge with26 Languagesbadge - Now displaying all 26 language links with their emojis instead of just 17 VSCode UI languages
- Each language README shows its own emoji in bold, with other 25 languages as clickable links
- Minority (🌺🐻🐉), Special (🌍), and Joke (✨🖖🐱🏴☠️🎭) languages now visible alongside UI language flags
- Replaced
0.10.45 - 2026-01-10
- Languages Badge Redesign
- Replaced language-specific text labels with unified shields.io badge
[🌐 Languages | 17+9 more] - Updated all 26 i18n README files with consistent badge format
- Fixed language count from
17+8to17+9(actual total: 26 languages) - Added Karesansui Architecture badge to monorepo root README
- Replaced language-specific text labels with unified shields.io badge
0.10.44 - 2026-01-10
- Root README Badge Link
- Fixed broken DESIGN_PHILOSOPHY.md link in header badge section
generate-root-readme.jsnow transforms both markdown(...)and HTMLhref="..."links
0.10.43 - 2026-01-10
-
Karesansui Architecture Documentation
- Added
docs/DESIGN_PHILOSOPHY.mdwith full design philosophy poem - Documents the "Karesansui (Zen Garden) Architecture" approach
- Explains core concepts: Stone (core), Sand Patterns (quality), Accents (differentiation), and Stones We Don't Place (intentional constraints)
- Added
-
Design Philosophy Section in READMEs
- Added Design Philosophy section to all 26 language README files
- Each section includes localized summary and link to full philosophy
-
Karesansui Architecture Badge
- Added clickable badge (🪨 Karesansui | Architecture) to header section of all READMEs
- Badge links to DESIGN_PHILOSOPHY.md
- Multiple badge style samples available in DESIGN_PHILOSOPHY.md
0.10.42 - 2026-01-09
- Harden-Runner Badge
- Added Harden-Runner badge to all 28 README files (monorepo root + 27 language variants)
0.10.41 - 2026-01-09
- CI/CD: Environment Protection for Marketplace Publishing
- Added
productionenvironment to publish.yml and unpublish.yml - Marketplace secrets (VSCE_PAT, OVSX_PAT) now protected by GitHub Environment
- Requires tag push matching
git-id-switcher-v*pattern - Implements least privilege principle for CI/CD secrets
- Added
- Secrets Management Documentation
- Added comprehensive Secrets Management section to SECURITY.md
- Documents all 15 secrets used in CI/CD workflows
- Includes rotation procedures and provider links
- Added sensitivity levels for each secret
0.10.40 - 2026-01-09
- CI/CD: E2E Test Integration
- Added E2E test job to CI workflow running in parallel with build job
- Uses
xvfb-runfor headless VS Code extension testing on Linux CI - Set
continue-on-error: trueas E2E tests can be flaky due to environment
0.10.39 - 2026-01-08
- Codecov Integration
- Added code coverage reporting to CI workflow using c8
- Coverage data automatically uploaded to Codecov on every CI run
- Added Codecov badge to all 28 README files (monorepo root + 27 language variants)
0.10.38 - 2026-01-08
- Security Badges
- Added SLSA level 3 badge (supply chain security attestation)
- Added Security badge (CodeQL analysis workflow status)
- Added CI badge (build and test workflow status)
- Updated all 28 README files (monorepo root + 27 language variants)
0.10.37 - 2026-01-08
- CI/CD: Attach SLSA Provenance to releases
- Provenance bundle (
.intoto.jsonl) now included in release assets - Enables OpenSSF Scorecard Signed-Releases detection
- Provenance also stored in GitHub Attestation API for
gh attestation verify
- Provenance bundle (
0.10.36 - 2026-01-08
- OpenSSF Best Practices Badge
- Added OpenSSF Best Practices passing badge to all READMEs (28 files)
- Project registered at bestpractices.dev (project #11709)
- CI/CD: Pin GitHub Actions to SHA hashes
- All actions in bot workflows now pinned to SHA for improved Scorecard Pinned-Dependencies score
- Added explicit permissions to bot workflows for OpenSSF Scorecard compliance
- Mend Bolt Integration
- Configured Mend Bolt for automated security scanning
- Updated
minimistto v1.2.6 (security fix)
0.10.35 - 2026-01-07
-
OpenSSF Scorecard Integration
- Added OpenSSF Scorecard GitHub Action for automated security scoring
- Added OpenSSF Scorecard badge to READMEs
- Configured branch protection score improvements
-
SLSA Provenance Attestation
- Added SLSA Provenance attestation for releases
- Enhances supply chain security with verifiable build provenance
-
Root README Auto-Generation
- Added script to auto-generate root README.md from
docs/i18n/en/README.md - Transforms relative URLs to absolute URLs for external platforms
- GitHub Actions workflow for automatic regeneration on push/PR
- Added script to auto-generate root README.md from
-
CI/CD: Pin Wrangler Version
- Pinned wrangler version for improved Pinned-Dependencies score
-
Dependency Updates
- Updated
actions/checkoutfrom 4.2.2 to 6.0.1 - Updated
actions/setup-nodefrom 4.3.0 to 6.1.0 - Updated
actions/upload-artifactfrom 4.6.0 to 6.0.0 - Updated
softprops/action-gh-releasefrom 2.2.1 to 2.5.0 - Updated
github/codeql-actionto latest - Added GitHub Actions dependency grouping for Renovate
- Updated
- CI/CD: R2 Paths
- Updated R2 paths in publish.yml to monorepo structure
0.10.34 - 2026-01-06
- Documentation Webview: Unified English Path
- English README now served from
docs/i18n/en/README.md(same structure as other languages) - Enables consistent in-Webview navigation between all languages
- English fallback path also updated to i18n directory
- English README now served from
-
English i18n README (
docs/i18n/en/README.md)- Contains relative language links for Webview navigation
- Uses
-ensuffix for English-specific images (demo-en.png,quickpick-en.png)
-
Language Link Updates
- All 25 language READMEs updated to link to
../en/README.md - LANGUAGES.md updated to link to
i18n/en/README.md
- All 25 language READMEs updated to link to
0.10.33 - 2026-01-06
- ESLint Error: Wrapped lexical declaration in case block with braces (
no-case-declarations)
0.10.32 - 2026-01-06
- Documentation Webview: In-Webview Navigation
- Relative markdown links (e.g.,
../../CONTRIBUTING.md) now open within Webview instead of external browser - Panel title dynamically updates to show current document name (e.g., "README" → "CONTRIBUTING")
- Back button with navigation history stack for returning to previous documents
- Error handling: shows error page if previously visited document becomes unavailable
- Relative markdown links (e.g.,
- Panel Title: Now displays document name instead of localized "Documentation" title
- Consistent title from initial load through navigation
- Removed unused
PANEL_TITLESconstant andgetPanelTitle()function
- All navigation security measures maintained:
- CSP nonce-based script execution
- Command whitelist (
navigate,backonly) - URL classification and validation
0.10.31 - 2026-01-05
- Documentation Webview URL: Updated R2 fetch URLs to new monorepo-based structure
- Base URL:
assets.nullvariant.com/git-id-switcher→assets.nullvariant.com/nullvariant-vscode-extensions/extensions/git-id-switcher - English README:
docs/i18n/en/README.md→README.md(extension root) - Other languages: unchanged relative path (
docs/i18n/{locale}/README.md)
- Base URL:
0.10.30 - 2026-01-05
- README Image URLs: Migrated to new R2 directory structure
- Old:
assets.nullvariant.com/git-id-switcher/images/ - New:
assets.nullvariant.com/nullvariant-vscode-extensions/extensions/git-id-switcher/images/ - Monorepo-based path structure for better organization and analytics
- Affects all 28 README files (English root + 26 language translations + monorepo root)
- Old:
0.10.29 - 2026-01-04
- Documentation Webview: relative URL conversion:
- Convert relative paths (e.g.,
../zh-CN/README.md) to absolute GitHub URLs for Webview display - Preserves relative paths in source READMEs for GitHub/local viewing
- Convert relative paths (e.g.,
0.10.28 - 2026-01-04
- Documentation Webview: double-backtick inline code support:
- Added support for
`` ` ``syntax (backtick inside inline code) - Process double-backtick patterns before single-backtick patterns
- Added support for
0.10.27 - 2026-01-04
- Documentation Webview rendering stability:
- Fixed table headers: all header cells now display correctly (removed incorrect
slice(1, -1)) - Fixed placeholder format: changed from
<<>>to%%to avoid HTML tag confusion - Added
imgto block element cleanup list
- Fixed table headers: all header cells now display correctly (removed incorrect
0.10.26 - 2026-01-04
- Documentation Webview: complete HTML element support:
- Fixed tables: empty cells no longer cause column misalignment
- Added h4, h5, h6 heading support
- Added image support (
)
0.10.25 - 2026-01-04
- Documentation Webview Markdown rendering overhaul:
- Fixed blockquotes: consecutive
>lines now merge into single blockquote - Fixed code blocks: removed unwanted line breaks inside
<pre>blocks - Fixed tables: moved table parsing before other transformations
- Replaced
<br>approach with proper<p>paragraph handling - Cleaner HTML output with proper block element handling
- Fixed blockquotes: consecutive
0.10.24 - 2026-01-04
- Documentation Webview Markdown rendering improvements:
- Added Markdown table support (header/body rows converted to HTML
<table>) - Added horizontal rule support (
---,***→<hr>) - Added ordered list support (
1.,2., etc. →<li>) - Added blockquote support (
>→<blockquote>) - Added CSS styling for tables, blockquotes, and horizontal rules
- Fixed single newlines now convert to
<br>for better readability
- Added Markdown table support (header/body rows converted to HTML
0.10.23 - 2026-01-04
- Documentation Webview badges not displaying: Added
img.shields.ioto CSPimg-srcdirective - Code blocks with hyphenated language names broken: Fixed regex to match
ssh-config,c++, etc.- Changed from
\w*to[^\n\r]*to capture any language identifier - Also handle Windows line endings (
\r\n)
- Changed from
0.10.22 - 2026-01-04
- Documentation Webview HTML Rendering: Fixed HTML tags displaying as raw text
- README contains mixed Markdown and HTML (tables, images, badges)
- Changed from full HTML escaping to sanitization approach
- Now preserves safe HTML tags while removing dangerous elements (
<script>, event handlers,javascript:URLs) - Defense-in-depth:
enableScripts: falsealready prevents JS execution
0.10.21 - 2026-01-04
- Show Documentation Command: New command to display README in VS Code Webview
- Command:
Git ID Switcher: Show Documentation(Command Palette) - Automatically detects user's VS Code locale and fetches matching language README
- Supports all 26 languages with fallback to English
- Secure implementation: XSS prevention via HTML escaping, CSP headers,
enableScripts: false - DoS protection: 1MB content size limit
- Footer links to GitHub repository and external browser view
- Command:
- GitHub Actions: Added automatic documentation deployment to Cloudflare R2
publish.yml: Deploy docs on releasedeploy-docs.yml: Deploy docs on README/docs changes (new workflow)
0.10.20 - 2026-01-04 [YANKED]
Note: This version was partially published with build errors. Use v0.10.21 instead.
0.10.19 - 2026-01-04
- README Screenshots: Added Quick Pick screenshots to all 26 README files
- Each language now displays localized Quick Pick UI screenshot in "Step 4: Use It" section
- Images hosted on CDN:
assets.nullvariant.com/nullvariant-vscode-extensions/extensions/git-id-switcher/images/quickpick-{lang}.png - Retina-ready: 1200px source displayed at 600px width for 2x resolution
0.10.18 - 2026-01-03
- i18n Validation Bug: Fixed
serviceanddescriptionfields rejecting Unicode characters (e.g., Japanese, Chinese)- Changed validation pattern from ASCII-only to Unicode-safe while still blocking dangerous shell metacharacters
- Added missing
servicefield validation in secondary validation layer - This bug prevented identities with non-ASCII service names (e.g., "GitHub 会社用") from being loaded
- Validation Consistency: Added missing
servicefield length check (64 characters) in validation.ts for defense-in-depth
0.10.17 - 2026-01-03
- README Demo Format: Changed demo image from WebP to static PNG for better clarity and compatibility
0.10.16 - 2026-01-03
- README Demo Format: Changed demo image from GIF to WebP for ~50% smaller file size
0.10.15 - 2026-01-03
- README Demo Image: Replaced static demo.png with animated demo.gif for better feature showcase
0.10.14 - 2026-01-01
- README Structure Improvements (JA, EN): Improved first-view appeal on marketplace/Open VSX
- Moved "Why Git ID Switcher?" section before "Features" for immediate differentiation
- Reordered Features list: Submodule Support → SSH Key Management → GPG Signing → general features
- Header renamed from "🚀 Why this extension?" to "🎯 Why Git ID Switcher?"
- README Documentation (JA, EN): Added 6 missing configuration items to Global Settings table
logging.fileEnabled: Enable audit logging to filelogging.filePath: Log file path with examplelogging.maxFileSize: Max file size before rotation (bytes, 1MB-100MB)logging.maxFiles: Max rotated log files to keep (1-20)logging.level: Log verbosity with threshold-based recordingcommandTimeouts: Custom timeout per command with example
- Identity Properties Table (EN): Added icon example
"🏠"for parity with Japanese version
0.10.13 - 2026-01-01
- Multilingual Description Improvements: Improved setting descriptions for 11 languages
- Languages updated: French (fr), Spanish (es), Italian (it), Portuguese-BR (pt-BR), Russian (ru), Polish (pl), Czech (cs), Hungarian (hu), Bulgarian (bg), Ukrainian (uk), Turkish (tr)
config.logging.fileEnabled: Clarified what is recorded (identity switches, SSH key operations, etc.)config.logging.level: Clarified threshold-based logging (records selected level and above)- All translations now match the improved English/Japanese descriptions from v0.10.10
0.10.12 - 2026-01-01
- Revert Title Properties: Removed non-functional
titleproperties from all 13 settings- VSCode does NOT support
titleat individual configuration property level - VSCode always auto-generates titles from property names (camelCase → Title Case)
- This was discovered after v0.10.10/v0.10.11 were released
- Title properties in package.json and nls files were silently ignored by VSCode
- Valid changes from v0.10.10 remain: terminology unification (SSH鍵/GPG鍵), description improvements
- VSCode does NOT support
0.10.11 - 2026-01-01
- Build Fix: Added missing English title keys to package.nls.json
- v0.10.10 failed to build because title keys were only added to Japanese file
0.10.10 - 2026-01-01
- Japanese Setting Titles Localization: Added explicit
titleproperties to all 13 settings- VSCode auto-generates titles from property names (e.g.,
autoSwitchSshKey→ "Auto Switch Ssh Key") - Now uses proper Japanese titles (e.g., "SSH鍵の自動切り替え")
- Affected settings: identities, defaultIdentity, autoSwitchSshKey, applyToSubmodules, submoduleDepth, showNotifications, includeIconInGitConfig, logging.* (5 settings), commandTimeouts
- VSCode auto-generates titles from property names (e.g.,
- Japanese Description Improvements: Improved 3 setting descriptions
autoSwitchSshKey: "ID変更時にSSH鍵も自動的に切り替える"logging.fileEnabled: "監査ログをファイルに保存する(ID切り替え、SSH鍵操作などを記録)"logging.level: "ログの詳細度を設定(DEBUG=全て記録、ERROR=エラーのみ。選択したレベル以上を記録)"
- Terminology Unification: Unified "SSHキー" to "SSH鍵" across all Japanese/Ryukyuan files
- Updated: package.nls.ja.json, bundle.l10n.ja.json, docs/i18n/ja/README.md, docs/i18n/ryu/README.md
0.10.9 - 2025-01-01
- Multilingual Localization Improvements: Revised translations for 12 languages to match Japanese/English improvements
- Languages updated: German (de), French (fr), Spanish (es), Italian (it), Portuguese-BR (pt-BR), Russian (ru), Polish (pl), Czech (cs), Hungarian (hu), Bulgarian (bg), Ukrainian (uk), Turkish (tr)
- Added "(profile)" concept to extension description and status bar messages
- Added "(required)" markers to required fields (id, name, email)
- Added examples: icon (🏠, 💼), description (Work, Personal equivalents)
- Added submodule depth range "(1-5)" to settings
- Removed redundant "(optional)" from optional fields
- Renamed notifications category to include "& Display"
0.10.8 - 2025-01-01
- English Localization Improvements: Revised English translations to match Japanese version improvements
extension.description: Simplified, uses "Git profiles" instead of "GitHub accounts" (platform-agnostic)config.category.display: Renamed from "Notifications" to "Notifications & Display"- Identity settings: Added "(required)" markers to required fields (id, name, email)
- Added examples: icon (🏠, 💼), description (Work, Personal)
- Removed redundant "(optional)" from optional fields
- Unified terminology: "profile" used in status bar for better UX
- Simplified notification messages: unified "Switching..." text
0.10.7 - 2025-01-01
- Japanese Localization: Add icon examples to markdown description in settings
config.identities.markdown: Added "(例: 🏠, 💼)" to icon field description
0.10.6 - 2025-01-01
- Japanese Localization Improvements: Revised Japanese translations for clarity and consistency
extension.description: Simplified and made more conciseconfig.category.display: Renamed from "通知" to "通知と表示" to better reflect contents- Identity settings: Added "(必須)" markers to required fields (id, name, email)
- Improved descriptions with examples (icon: 🏠, 💼; description: 会社用, 個人用)
- Removed redundant "(オプション)" from optional fields
- Unified terminology: "プロフィール" added to status bar for better UX
- Simplified notification messages: "〜しています" → "〜中"
0.10.5 - 2025-12-31
- i18n File Key Ordering: Reorganized translation file key order to match settings UI
package.nls.*.json(17 languages): Keys now follow settings panel appearance orderl10n/bundle.l10n.*.json(17 languages): Keys now follow UI context grouping- Improves maintainability and makes diff reviews easier
- No functional changes to translations
0.10.4 - 2025-12-31
- Notification Localization: Add missing
l10nfield to package.json- Notification messages (e.g., "Switched to {identity}") were always displayed in English
- Now properly loads translation bundles from
l10n/directory - All 17 supported languages now work for runtime messages
0.10.3 - 2025-12-31
- Settings Categorization: Reorganized settings into 5 logical categories for better UX
- Identity: Core settings (identities, defaultIdentity, autoSwitchSshKey)
- Submodule: Submodule-related settings (applyToSubmodules, submoduleDepth)
- Notifications: Display/notification settings (showNotifications, includeIconInGitConfig)
- Debugging: Log settings (logging.*)
- Other: Advanced settings (commandTimeouts)
- Settings now use
orderproperty for consistent display order - Category names localized for all 17 supported languages
0.10.2 - 2025-12-31
- Command Allowlist Hardening: Fix critical vulnerabilities in argument validation
- [CRITICAL] Subcommand Bypass Fix: Subcommand arguments are now validated instead of immediately returning
allowed: true - [HIGH] Path Argument Bypass Fix: Path-like arguments no longer unconditionally bypass allowlist
- [HIGH] Submodule Command Restriction: Block dangerous commands like
git submodule update/init/add/foreach
- [CRITICAL] Subcommand Bypass Fix: Subcommand arguments are now validated instead of immediately returning
allowPathPositionalsOption: New restrictive option for path-only positional arguments- More secure than
allowAnyPositionalfor commands likegit submodule status <path> - Prevents non-path strings (e.g., 'update', 'init') from bypassing allowlist
- More secure than
allowedOptionsWithValuesOption: Explicit control over which options accept arbitrary values- Used for
git config user.name,git config user.email, etc. - Values following these options are allowed but flag injection is blocked
- Used for
- Command Allowlist Tests: New test suite for comprehensive allowlist validation
- Strict Flag Validation: Flags must be explicitly in
allowedArgsor valid combined flags - Enhanced Path Detection: Arguments containing
/are now checked byisSecurePath() - Improved Error Messages: More descriptive rejection reasons including path validation details
0.10.1 - 2025-12-31
- TypeScript Build Error: Fix unused variable
keyinformatLogLine()replacer function- Renamed to
_keyto indicate intentionally unused parameter - Fixes TS6133 error in CI build
- Renamed to
0.10.0 - 2025-12-31
- Structured Logging System: New logging infrastructure for audit trails
LogLevelenum: DEBUG, INFO, WARN, ERROR, SECURITYStructuredLoginterface for consistent log formatILogWriterinterface for dependency injectionFileLogWriterclass for file-based log persistence with rotation
- File Logging Settings: New configuration options
gitIdSwitcher.logging.fileEnabled: Enable file logging (default: false)gitIdSwitcher.logging.filePath: Log file path (e.g.,~/.git-id-switcher/security.log)gitIdSwitcher.logging.maxFileSize: Max file size before rotation (default: 10MB)gitIdSwitcher.logging.maxFiles: Max rotated files to keep (default: 5)gitIdSwitcher.logging.level: Minimum log level (DEBUG, INFO, WARN, ERROR, SECURITY)
- Log Rotation: Automatic log file rotation when size limit reached
- Configurable max file size and retention count
- Timestamp-based rotated file naming
- Retry limit (3) to prevent infinite rotation loops
- Path Validation: File log paths validated with
isSecurePath()for security - Circular Reference Handling:
WeakSet-based detection in JSON serialization - SECURITY Level Always Logged: Security events bypass minimum level filter
- SecurityLogger Refactored: Split into focused methods (SRP)
writeToFile(): Structured log file outputwriteToOutputChannel(): VS Code Output ChannelshowErrorNotification(): Error notifications
- Type-Safe Log Level Parsing: Added
parseLogLevel()function
0.9.10 - 2025-12-30
- Name Validation Regression: Allow semicolon (;) in identity names
- Fixes "Null;Variant" and similar names being incorrectly rejected
- Schema validation was stricter than intended (contradicted validation.ts comment)
0.9.9 - 2025-12-30
- ESLint Rule Compatibility: Add
@typescript-eslint/no-var-requiresto eslint-disable comments- Fixes lint errors in CI/CD pipeline
- Corrects incomplete eslint-disable annotations for dynamic require()
0.9.8 - 2025-12-30
This release includes comprehensive security hardening across multiple areas.
- Path Traversal Prevention: Added
isSecurePath()with comprehensive attack detection- Unicode normalization timing attacks
- Control/invisible character obfuscation
- Windows UNC paths, device paths, reserved names
- Trailing dot attacks, whitespace obfuscation
- Secure Path Normalization: Added
pathUtils.tswith symlink resolution- ELOOP detection for symlink loops
- PATH_MAX enforcement (4096 bytes)
- Home directory escape prevention
- SSH Key File Validation: Added multi-layer validation before
ssh-add- File existence, type, and size limits (10B - 1MB)
- Unix permission check (reject group/others access)
- SSH key format validation (OpenSSH, PEM, PKCS#8, PuTTY)
- Identity Validation on Load:
getIdentitiesWithValidation()validates at startup- Invalid identities filtered and logged
- Duplicate ID detection
- DoS protection with array/field count limits
- Submodule Path Validation: Strengthened path security
- Symlink escape detection after resolution
- Control character rejection
- Depth clamping with MAX_SUBMODULE_DEPTH=5
- Combined Flag Validation: Enhanced command allowlist security
- Unicode normalization (NFC) for combining characters
- Invisible Unicode character detection
- Flag-value concatenation detection (e.g.,
-f/path)
- SecurityError Class: Prevent information leakage through errors
- Separate user-visible messages from internal details
- Stack trace sanitization (macOS, Linux, Windows, WSL paths)
- Safe error message internationalization with
vscode.l10n.t()
- Log Sanitization: Comprehensive sensitive data protection
- Platform-specific sensitive directory patterns
- Secret-like string detection (API keys, tokens, base64)
- Windows UNC path server name masking
- Control character detection and masking
- Config Change Audit Logging: Track configuration changes
- CONFIG_KEYS tracking with before/after values
- Identity array change summarization
- DoS protection (max 1000 identities, max 100 changes)
- Command-Specific Timeouts: Prevent resource exhaustion
- git: 10s, ssh-add: 5s, ssh-keygen: 5s, default: 30s
- User-configurable via
gitIdSwitcher.commandTimeoutssetting - TimeoutError class with ETIMEDOUT code
- Enhanced Timeout Validation: Additional security checks
- Command name validation (DoS protection, character restrictions)
- NaN/Infinity checks for timeout values
- Integer validation to prevent precision attacks
- New Setting:
gitIdSwitcher.commandTimeoutsfor custom command timeouts- Supports per-command timeout configuration
- Validation: 1s minimum, 5m maximum
- Architecture Improvements (SOLID principles):
- SRP: Extracted
ConfigChangeDetectorclass fromSecurityLogger - DIP: Added
ISecurityLoggerinterface for dependency injection - OCP: Timeout configuration externalized to VS Code settings
- SRP: Extracted
- VS Code Module Lazy Loading: Use dynamic
require()for vscode module- Allows security tests to run outside VS Code extension host
- Fixes
Cannot find module 'vscode'error in CI/CD environments
0.9.7 - 2025-12-27
- Images moved to CDN: README images now served from
assets.nullvariant.com- Reduces VSIX package size
- Enables README view analytics
- Demo images removed from repository (now hosted on CDN)
0.9.6 - 2025-12-22
- i18n README Links: Fixed broken links in all 25 translated READMEs
- LICENSE link path corrected (was pointing to wrong directory)
- UNESCO Atlas link updated to working PDF version
- Ainu Foundation URL updated to new domain (ff-ainu.or.jp)
- Ainu Culture Research Center URL updated
- Okinawa shimakutuba links updated to current URLs
- Ryukyu University link updated to Faculty of Humanities
- Removed Duolingo Hawaiian link (redirects incorrectly by region)
0.9.5 - 2025-12-22
- Icon Update: Replaced icon with richer design
0.9.4 - 2025-12-22
- Language Selector Update: Expanded language flags in README header
- Now shows all 17 VSCode-supported languages as clickable flags
- Changed from 8 flags to 17 flags (🇺🇸 🇯🇵 🇨🇳 🇹🇼 🇰🇷 🇩🇪 🇫🇷 🇪🇸 🇧🇷 🇮🇹 🇷🇺 🇵🇱 🇹🇷 🇨🇿 🇭🇺 🇧🇬 🇺🇦)
- Updated "+20 more" to "+8 more" (remaining minority/joke languages)
- Applied to all 26 README files
- LANGUAGES.md: Fixed broken links
- CONTRIBUTING.md link now points to correct location
- UNESCO Atlas link updated to working PDF document
0.9.3 - 2025-12-22
- i18n README Update (Phase 3): All 24 translated READMEs updated to match English v0.9.2
- Added EMU (Enterprise Managed User) mention in Quick Start
- Added
servicefield to all configuration examples - Changed OSS example from GitHub to Bitbucket (GitHub ToS compliance)
- Added "Display Limitations" section
- Added
includeIconInGitConfigsetting documentation - Added "Git Config Layer Structure" section
- Added "When Switching Identities" section
- Added "How Submodule Propagation Works" section
- Added troubleshooting: name field shell metacharacters error
- Added troubleshooting: settings cache issue (machine restart)
- Added troubleshooting: Settings Sync overwriting defaults
- Icon Update: Replaced icon.png with high-resolution version (270KB)
0.9.2 - 2025-12-21
- English README: Comprehensive documentation update
- Added EMU (Enterprise Managed User) mention in Quick Start
- Added
servicefield to all configuration examples - Changed OSS example from GitHub to Bitbucket (GitHub ToS compliance)
- Added "Display Limitations" section (status bar ~25 chars, single emoji)
- Added
includeIconInGitConfigsetting documentation with behavior table - Added "Git Config Layer Structure" section explaining --local writes
- Added "When Switching Identities" section with step-by-step flow
- Added "How Submodule Propagation Works" section
- Added troubleshooting: name field shell metacharacters error
- Added troubleshooting: settings cache issue (machine restart)
- Added troubleshooting: Settings Sync overwriting defaults
- Fixed bitbucket icon to bucket emoji (matches Bitbucket logo)
- Fixed freelance service from GitHub to GitLab
0.9.1 - 2025-12-21
- Naming Consistency: Unified old name "Git Identity Switcher" to "Git ID Switcher" across all source files
- Updated console logs, comments, and error message prefixes in source code
- Updated all 17 localization files (l10n/bundle.l10n*.json)
- CHANGELOG entries remain as historical record
0.8.1 - 2025-12-21
- Default Config: Added
servicefield to example identity template- New users can now discover the
serviceproperty in settings
- New users can now discover the
0.8.0 - 2025-12-21
- New
serviceField: Separate hosting service from identity name (ISSUE-00021)namenow contains pure identity name (e.g., "Alex")servicespecifies hosting provider (e.g., "GitHub", "GitLab", "Bitbucket")- QuickPick displays combined label: "Alex - GitHub"
- Git author uses only
name: "Alex alex@example.com" - Backward compatible:
serviceis optional
- Display Context Limits: Smart truncation for different UI contexts (ISSUE-00022)
- Status bar: 25 characters max with "..." suffix
- QuickPick: Uses VS Code's native truncation
- Tooltip: No limit (full Markdown support)
- Grapheme-Based Icon Validation: Single visible character enforcement
- Uses
Intl.SegmenterAPI for accurate emoji counting - Composed emoji (e.g., family emoji) counts as 1 character
- Prevents multiple emoji in icon field
- Uses
- Icon validation uses grapheme clusters instead of byte length
- Status bar text automatically truncates long names
0.7.1 - 2025-12-19
- Marketplace Keywords: Added i18n/l10n related keywords for better discoverability
i18n,l10n,localization,multilingual,internationalization
0.7.0 - 2025-12-19
- Tier 3 Documentation i18n: Added 9 additional README translations
- Minority Languages: Hawaiian (haw), Ainu (ain), Ryukyuan (ryu)
- Each with language-specific disclaimer and cultural resource links
- Selection based on personal connections, not comprehensiveness
- Joke Languages: Pirate (x-pirate), LOLcat (x-lolcat), Shakespearean (x-shakespeare)
- Fun themed identity examples (captains, famous cats, Shakespeare characters)
- Constructed Languages: Klingon (tlh), Toki Pona (tok), Esperanto (eo)
- Vocabulary reference tables for language learners
- Minority Languages: Hawaiian (haw), Ainu (ain), Ryukyuan (ryu)
- LANGUAGES.md: Updated with "Why only three minority languages?" section
- Explains selection rationale based on personal experiences
- Links to language revitalization resources
0.6.1 - 2025-12-18
- Allow semicolon in identity names: Names like "Null;Variant" are now valid
- Semicolon was incorrectly flagged as a "shell metacharacter"
- Since we use
execFile()(no shell), semicolon poses no security risk - Other shell metacharacters (
$, backticks,|, etc.) remain blocked
0.6.0 - 2025-12-18
- Tier 2 Documentation i18n: Full README translations for all 17 VSCode languages
- Asian languages: 简体中文 (zh-CN), 繁體中文 (zh-TW), 한국어 (ko)
- European languages: Deutsch (de), Français (fr), Español (es), Português Brasil (pt-BR), Italiano (it), Русский (ru)
- Additional languages: Polski (pl), Türkçe (tr), Čeština (cs), Magyar (hu), Български (bg), Українська (uk)
- LANGUAGES.md: Added comprehensive language support overview document
- Documents Tier 1 (VSCode UI) and Tier 2 (README) language support
- Includes planned minority languages (Hawaiian, Māori, Welsh, etc.)
- Contribution guidelines for translators
- Localized Example Names: All README translations use culturally appropriate gender-neutral names
- Chinese: 陳雨 (zh-TW), 张雨 (zh-CN)
- Korean: 김민
- European languages: Alex + locale-specific surname
0.5.6 - 2025-12-18
- Marketplace Description Update: Aligned extension descriptions with README
- Japanese: Changed "Git ID" terminology to "プロフィール" to match README
- English/Japanese: Added "with one click" / "ワンクリックで" to descriptions
0.5.5 - 2025-12-18
- README Improvements: Use gender-neutral example names
- English: Alex Smith (Alex = Alexander/Alexandra)
- Japanese: Kaoru Takahashi (Kaoru is unisex)
- Shows consideration for gender diversity
0.5.4 - 2025-12-18
- Homepage Link Improvement: Added
#readmeanchor to homepage URL- Marketplace link now jumps directly to README section
- Avoids scrolling past l10n files in monorepo directory listing
0.5.3 - 2025-12-18
- Marketplace Homepage Link: Added
homepagefield in package.json- VSCode Marketplace now links to the extension's subdirectory in the monorepo
- Provides direct access to extension-specific README and documentation
0.5.2 - 2025-12-18
- Welcome Notification: Show localized welcome message on first run
- Detects example-only identity configuration
- Offers "Open Settings" button to guide users
- Supports all 17 languages
0.5.1 - 2025-12-18
- Better First-Run Experience: Added default example identity configuration
- New installations now show a complete template identity instead of "?"
- All available properties (id, icon, name, email, description, sshKeyPath, sshHost, gpgKeyId) are shown
- Uses RFC 2606 reserved domain (
example.com) for safe placeholder email
0.5.0 - 2025-12-18
- Full Internationalization: Added 15 new language translations for VSCode UI
- Asian languages: 简体中文 (zh-CN), 繁體中文 (zh-TW), 한국어 (ko)
- European languages: Deutsch (de), Français (fr), Español (es), Português Brasil (pt-BR), Italiano (it), Русский (ru)
- Additional languages: Polski (pl), Türkçe (tr), Čeština (cs), Magyar (hu), Български (bg), Українська (uk)
- All extension metadata, commands, settings, and runtime UI strings are now localized
- Total supported languages: 17 (including existing English and Japanese)
0.4.5 - 2025-12-18
- CRITICAL: Fixed Command Injection Vulnerability (CVE pending)
- Migrated all
exec()calls toexecFile()to prevent shell interpretation - User-provided values (name, email, SSH paths, GPG keys) are now safely passed as array arguments
- Added input validation layer with dangerous character pattern detection
- Added command allowlist for defense-in-depth security
- Migrated all
- Security Audit Logging: New Output Channel "Git ID Switcher Security"
- Logs identity switches, SSH key operations, validation failures, and blocked commands
- Accessible via VS Code Output panel
- Input Validation: Comprehensive validation for all identity fields
- Rejects shell metacharacters, newlines, and escape sequences
- Validates email format, SSH paths, GPG key IDs
- Command Allowlist: Only permitted git/ssh commands can be executed
- CI/CD Security Checks: Added GitHub Actions workflow for security scanning
- npm audit on every push
- CodeQL static analysis
- Dangerous pattern detection
- All command execution now uses
secureExec()wrapper with timeout and buffer limits - Identity validation is enforced before any git config changes
- Remote URL auto-switching based on identity
0.4.4 - 2025-12-17
- Localization Support: Extension is now fully localized
- Added Japanese (日本語) translation
- Supports localized commands, settings, notifications, and status bar messages
- Documentation: Added "Why this extension?" section to clarify unique value proposition
- Documentation: Added "Advanced: Submodule Support" section to explain how identity propagation works
0.4.3 - 2025-12-11
- Submodule Fixes: Improved reliability of recursive submodule identity application
- Improved Discoverability: Expanded keywords for better Marketplace search
- Added action verbs: switch, change, toggle, manage
- Added common terms: profile, account, workspace, github, gitlab
- Added technical terms: keygen, ssh-agent, ssh-key, gpg-key, credential
- Updated Description: More descriptive text mentioning GitHub/GitLab accounts
0.4.0 - 2025-12-11
- Demo Screenshot: Added identity picker screenshot to README and repository
- Repository README now showcases Git ID Switcher with visual preview
0.3.1 - 2025-12-11
- README Improvements: Complete rewrite for first-time users
- Added "Quick Start (Minimal Setup)" section (id/name/email only)
- SSH and GPG are now clearly documented as optional features
- Progressive disclosure: minimal setup to advanced configuration
- Added "Full Example: 7 Accounts" with mixed SSH/GPG configurations
- Expanded "Configuration Reference" with complete property table
- Improved "Troubleshooting" section
0.3.0 - 2025-12-11
- Submodule Support: Identity config automatically propagates to Git submodules
- New setting:
gitIdSwitcher.applyToSubmodules(default: true) - New setting:
gitIdSwitcher.submoduleDepth(default: 1, max: 5)
- New setting:
- Identity Description: New
descriptionproperty for identities- Displayed in quick pick and status bar tooltip
- SSH Host Alias: New
sshHostproperty for multi-account SSH setups- Displayed in status bar tooltip
- Enhanced Tooltips: Rich Markdown tooltips with all identity details
- Quick pick now shows description alongside email
- Status bar tooltip shows description, SSH host, and all configured details
0.2.0 - 2025-12-11
- Settings keys renamed:
gitIdentitySwitcher.*→gitIdSwitcher.*- Users must update their
settings.jsonto use the new keys
- Users must update their
- Command IDs renamed:
git-id-switcher.*→git-id-switcher.*- Keyboard shortcuts need to be updated
- Emoji icon display in status bar (uses
iconproperty from identity config) - Default emoji icons for status states:
👤- Default user icon❓- No identity selected⏳- Switching in progress❌- Error state
- Command titles shortened:
Git Identity:→Git ID:
- In
settings.json, rename:gitIdentitySwitcher.identities→gitIdSwitcher.identitiesgitIdentitySwitcher.defaultIdentity→gitIdSwitcher.defaultIdentitygitIdentitySwitcher.autoSwitchSshKey→gitIdSwitcher.autoSwitchSshKeygitIdentitySwitcher.showNotifications→gitIdSwitcher.showNotifications
- Update any keyboard shortcuts referencing
git-id-switcher.*
0.1.1 - 2025-12-11
- Display name changed from "Git Identity Switcher" to "Git ID Switcher" for consistency
0.1.0 - 2025-12-11
- Initial release
- Identity switching via status bar quick pick
- Git config (user.name, user.email) auto-configuration
- SSH key switching via ssh-agent
- GPG signing key configuration
- Cross-platform support (macOS, Linux, Windows)
- Settings-based identity configuration
- Status bar showing current identity
- Workspace-level identity persistence
- Automatic identity detection from Git config
- Automatic identity detection from ssh-agent
gitIdentitySwitcher.identities: List of identitiesgitIdentitySwitcher.defaultIdentity: Default identity IDgitIdentitySwitcher.autoSwitchSshKey: Auto SSH key switchinggitIdentitySwitcher.showNotifications: Show switch notifications