From 6e2bbef080eb6136edd21372037beaed4ebfaa77 Mon Sep 17 00:00:00 2001
From: Claire Song <108148841+claire153@users.noreply.github.com>
Date: Thu, 14 Aug 2025 14:25:52 +0000
Subject: [PATCH] Add deprecation warning, fix lint issues
---
README.md | 3 +--
__tests__/summary.test.ts | 21 ++++++++++++++++++---
src/summary.ts | 8 ++++++++
3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index b0cf179..f1254d7 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,6 @@ The action is available for:
 When the action runs, you can see the results on:
 - The **job logs** page. - 1. Go to the **Actions** tab for the repository and select the relevant workflow run.
 1. Then under "Jobs", click **dependency review**. 
@@ -106,7 +105,7 @@ All configuration options are optional.
 | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
 | `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
 | `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
-| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
+| `deny-licenses`\* | ⚠️ Deprecated and will be removed in a future version.
Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
 | `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
 | `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
 | `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
diff --git a/__tests__/summary.test.ts b/__tests__/summary.test.ts
index 83d0f88..2d89f72 100644
--- a/__tests__/summary.test.ts
+++ b/__tests__/summary.test.ts
@@ -1,5 +1,5 @@
 import {expect, jest, test} from '@jest/globals'
-import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
+import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
 import * as summary from '../src/summary'
 import * as core from '@actions/core'
 import {createTestChange} from './fixtures/create-test-change'
@@ -109,10 +109,25 @@ test('prints headline as h1', () => {
 expect(text).toContain('

Dependency Review

')
 })
+test('adds deprecation warning for deny-licenses option', () => {
+ summary.addSummaryToSummary(
+ emptyChanges,
+ emptyInvalidLicenseChanges,
+ emptyChanges,
+ scorecard,
+ defaultConfig
+ )
+ const text = core.summary.stringify()
+
+ expect(text).toContain(
+ '⚠️ The deny-licenses option is deprecated and will be removed in a future version, use allow-licenses instead.'
+ )
+})
+
 test('returns minimal summary formatted for posting as a PR comment', () => {
 const OLD_ENV = process.env
- let changes: Changes = [
+ const changes: Changes = [
 createTestChange({name: 'lodash', version: '1.2.3'}),
 createTestChange({name: 'colors', version: '2.3.4'}),
 createTestChange({name: '@foo/bar', version: '*'})
@@ -122,7 +137,7 @@ test('returns minimal summary formatted for posting as a PR comment', () => {
 process.env.GITHUB_REPOSITORY = 'owner/repo'
 process.env.GITHUB_RUN_ID = 'abc-123-xyz'
- let minSummary: string = summary.addSummaryToSummary(
+ const minSummary: string = summary.addSummaryToSummary(
 changes,
 emptyInvalidLicenseChanges,
 emptyChanges,
diff --git a/src/summary.ts b/src/summary.ts
index d5ec053..e93d1cf 100644
--- a/src/summary.ts
+++ b/src/summary.ts
@@ -30,6 +30,8 @@ export function addSummaryToSummary(
 core.summary.addHeading('Dependency Review', 1)
 out.push('# Dependency Review')
+ addDenyListsDeprecationWarningToSummary()
+
 if (
 vulnerableChanges.length === 0 &&
 licenseIssues === 0 &&
@@ -106,6 +108,12 @@ export function addSummaryToSummary(
 return out.join('\n')
 }
+function addDenyListsDeprecationWarningToSummary(): void {
+ core.summary.addRaw(
+ `${icons.warning} The deny-licenses option is deprecated and will be removed in a future version, use allow-licenses instead.
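Review bot: `addDenyListsDeprecationWarningToSummary()` is called unconditionally right after `out.push('# Dependency Review')` in the first src/summary.ts hunk, so every run now prints the deny-licenses deprecation warning, including workflows that never set that option, and the new test 'adds deprecation warning for deny-licenses option' in __tests__/summary.test.ts cements this by asserting the text with `defaultConfig` and all-empty change lists. The ConfigurationOptions argument (passed as `defaultConfig` in that test) is the natural place to decide: gate the call on the config field that carries the deny-licenses list, e.g. `if (<config>.<deny-licenses field> !== undefined) addDenyListsDeprecationWarningToSummary()`, give the test a config that actually sets deny-licenses, and add a companion test asserting the text is absent for `defaultConfig`. A notice shown on every run trains users to skip past the warning icon, which is costly if `icons.warning` is also used for real findings elsewhere in this summary. addSummaryToSummary begins and ends outside the hunk, so the exact parameter name is not visible here.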
` + ) +} + function countScorecardWarnings( scorecard: Scorecard, config: ConfigurationOptions