github yamadashy/repomix v1.14.1
on GitHub

11 hours ago

This release patches two security advisories and continues the performance work from v1.14.0 with a persistent token-count cache, plus expanded Dart parsing and Nix support. Updating to 1.14.1 is recommended for all users.

Security 🔒

Argument Injection via --remote-branch (GHSA-9mm9-rqhj-j5mx)

A crafted --remote-branch value could be passed to git as an option rather than a ref, enabling argument injection (CWE-88, High). Repomix now validates refs and inserts --end-of-options before the ref in git fetch and git checkout, so a branch value can never be interpreted as a git option.

Special thanks to @kakashi-kx (Abhijith S) for the responsible disclosure! 🎉

MCP attach_packed_output Secret-Scan Bypass (GHSA-hwpp-h97w-2h3j)

The MCP attach_packed_output flow could register an arbitrary local file and read it back through read_repomix_output / grep_repomix_output without the secret scan that file_system_read_file applies (CWE-200, Moderate). Those tools now run the same secret scan on attach-sourced files before returning content, closing the bypass.

Special thanks to @dodge1218 for the responsible disclosure! 🎉

Improvements ⚡

Expanded Dart Code Parsing (#1515)

The Dart Tree-sitter query now captures mixins, typedefs, getters, setters, and factory constructors. Compressed output (--compress) for Dart files now preserves more of the file's structure.

Content-Addressed Token-Count Disk Cache (#1562, #1580)

Token counts are now cached on disk, keyed by content hash. Re-packing a repository reuses counts for unchanged files instead of re-tokenizing them, and the eager metrics warm-up is skipped when the cache is already populated — speeding up repeated runs on the same repository.

Faster Binary Detection (#1542)

Repomix now attempts a UTF-8 decode before the binary-file check, avoiding a pathological slow path in the protobuf detector on certain inputs.

Node.js Support Update (#1556)

Node.js 20 is no longer supported and Node.js 26 is now supported. Repomix requires Node.js 22 or later.

Available on nixpkgs

Repomix is available in nixpkgs, so Nix users can install it directly: 

nix-shell -p repomix

Development 🛠️

Nix Flake with Development Shell (#1525)

Added a flake.nix providing a development shell (Node.js 24 + Git) for contributors using Nix: 

nix develop

How to Update

npm update -g repomix

As always, if you have any issues or suggestions, please let us know on GitHub issues or our Discord community.

Check out latest releases or
releases around yamadashy/repomix v1.14.1

Don't miss a new repomix release

NewReleases is sending notifications on new releases.

Get notifications