github yamadashy/repomix v1.13.0

5 hours ago

This release strengthens security with remote config sandboxing and a cleaner dependency footprint, while delivering significant performance improvements across the core pipeline!

What's New 🚀

Prevent Remote Config File Execution (#1292)

Previously, when packing a remote repository, Repomix would automatically load and execute any repomix.config.ts or repomix.config.js found in the repository. Since TypeScript/JavaScript configs are executed via jiti, a malicious repository could embed arbitrary code in its config file, leading to remote code execution (RCE) on the user's machine.

Remote config files are now skipped by default. If you trust a remote repository and want to use its config, you can opt in with the new --remote-trust-config flag:

# Remote config is now safely ignored by default
repomix --remote https://github.com/user/repo

# Explicitly trust the remote config
repomix --remote https://github.com/user/repo --remote-trust-config
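
Before opting in with --remote-trust-config, it helps to know whether the repository ships a config that would run as code. The following is an added example, not Repomix source code: it models the skip-by-default policy over a file listing. The names classifyConfig, planRemoteConfig and SAMPLE_LISTING are hypothetical; it assumes configs are only picked up at the repository root, that repomix.config.json is parsed as data, and that local runs load config as before.

```javascript
// Added example, not Repomix source code. Classifies config files in a
// remote checkout's file listing and applies the skip-by-default policy.

// Config names from the release notes; loading these executes their code.
const EXECUTABLE_CONFIGS = ['repomix.config.ts', 'repomix.config.js'];
// Assumption: the JSON config is parsed as data and never executed.
const DATA_CONFIGS = ['repomix.config.json'];

function classifyConfig(path) {
  // Normalize Windows separators and a leading "./".
  const normalized = path.replace(/\\/g, '/').replace(/^\.\//, '');
  // Assumption: only root-level config files are picked up.
  if (normalized.includes('/')) return null;
  // Compare case-insensitively so the audit over-reports rather than
  // misses a name that a case-insensitive filesystem would resolve.
  const name = normalized.toLowerCase();
  if (EXECUTABLE_CONFIGS.includes(name)) return 'executable';
  if (DATA_CONFIGS.includes(name)) return 'data';
  return null;
}

function planRemoteConfig(fileListing, { remote, trustRemoteConfig = false }) {
  const found = [];
  for (const path of fileListing) {
    const kind = classifyConfig(path);
    if (kind) found.push({ path, kind });
  }
  const executable = found.filter((f) => f.kind === 'executable');
  // Policy from the release notes: remote configs are skipped unless trusted.
  const load = !remote || trustRemoteConfig;
  return {
    found,
    load,
    // Repository code runs only if loading is on and an executable config exists.
    wouldExecuteRepoCode: load && executable.length > 0,
    // Files to read by hand before passing --remote-trust-config.
    reviewFirst: remote ? executable.map((f) => f.path) : [],
  };
}

// Constructed sample listing, e.g. the output of `git ls-tree -r --name-only HEAD`.
const SAMPLE_LISTING = [
  'README.md', 'src/index.ts', 'repomix.config.ts', 'docs/repomix.config.js',
];
```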

Improvements ⚡

Replace fast-xml-parser with fast-xml-builder (#1253, #1219)

Repomix only uses XMLBuilder for output generation, not the XML parser. Switched to fast-xml-builder directly to eliminate recurring CVEs from the parser side, bringing npm audit to 0 vulnerabilities and reducing dependency size from 831KB to 176KB.

Performance Optimizations (#1234, #1235, #1255)

Several performance improvements across the core pipeline:

  • File tree generation: Map-based O(1) child lookups and single-pass sorting — generateFileTree ~82% faster, treeToString ~70% faster on 10,000 files
  • Path sorting: Decorate-sort-undecorate pattern with pre-computed path.split() — 6-7x faster. Set.has() for filterOutUntrustedFiles — up to 30x faster at 10K files
  • Compile cache propagation: V8 compile cache (introduced in v1.12.0) now extends to Tinypool worker processes via environment variables, not just the main process

Fix Closure Memory Leaks (#1233)

Replaced arrow functions with .bind() in setTimeout/setInterval callbacks to prevent closures from capturing scope and retaining references to large objects. Added proper dispose() methods and .unref() calls for cleanup.

Website Enhancements 🌐

Turkish Language Support (#1194)

Added Turkish (Türkçe) translation to repomix.com, based on Google Analytics data showing strong engagement from Turkish-speaking users.

LLMO Optimization with JSON-LD and llms.txt (#1236)

Added JSON-LD structured data (schema.org WebSite and SoftwareApplication markup) and generated llms.txt/llms-full.txt for LLM-friendly documentation discovery.

How to Update

npm update -g repomix

As always, if you have any issues or suggestions, please let us know on GitHub issues or our Discord community.
