Eric Sorenson
f5b971718e
Merge pull request #1067 from ahpook/ahpook/custom-instructions
Add .github/copilot-instructions.md for Copilot coding agent
2026-03-06 14:41:37 -08:00
Eric Sorenson
f51df6d455
Updates from code review
2026-03-05 20:39:09 -08:00
Eric Sorenson
cffae74507
Add .github/copilot-instructions.md for Copilot coding agent
Add instructions file to help Copilot coding agent work efficiently with
this repository. Includes build/validation commands, project layout,
CI checks, style rules, testing patterns, and important notes about
the codebase conventions.
2026-03-05 18:46:42 -08:00
Eric Sorenson
2031cfc080
Merge pull request #1064 from actions/ahpook/release-4.9.0
Updates for release 4.9.0
2026-03-03 14:08:16 -08:00
Eric Sorenson
d02fa39f79
Updates for release 4.9.0
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files
Closes #1062 #1063 #1028 #972 #971 #970
2026-03-02 16:15:13 -08:00
Eric Sorenson
4038a34c4b
Merge pull request #1021 from actions/dependabot/github_actions/actions/checkout-6
Bump actions/checkout from 4 to 6
2026-03-02 16:00:21 -08:00
Eric Sorenson
a632b8386b
Merge pull request #1058 from actions/dependabot/github_actions/actions/stale-10.2.0
Bump actions/stale from 10.1.0 to 10.2.0
2026-03-02 15:59:31 -08:00
Eric Sorenson
57a3d46a7b
Merge pull request #1060 from jantiebot/main
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
2026-02-27 15:05:18 -08:00
Eric Sorenson
5ecdc4b578
Merge pull request #1045 from forks-felickz/main
Feat: Add `Patched Version` to `Vulnerabilities` summary
2026-02-27 15:03:52 -08:00
Chad Bentz
e8c2f9a12c
fix: remove inferrable type annotation to pass eslint
2026-02-27 22:58:04 +00:00
Chad Bentz
0e129e113c
Prettier - Refactor summary table rendering for improved readability
2026-02-27 22:30:03 +00:00
Chad Bentz
aa60746a92
Add 'show-patched-versions' option to configuration and update summary handling
- Introduced 'show-patched-versions' input in action.yml to control visibility of patched versions in vulnerability summaries.
- Updated default configuration and related functions to handle the new option.
- Enhanced tests to verify behavior with and without the patched version column.
2026-02-27 14:58:54 -05:00
Chad Bentz
e404798400
Merge upstream actions/dependency-review-action main
Syncs fork with upstream, resolving conflicts in package.json
(keeping semver + upgrading spdx-expression-parse to ^4.0.0),
regenerating package-lock.json and dist/ folder.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-27 14:04:27 -05:00
jantiebot
24398f008e
chore: revert dist changes
2026-02-27 12:41:22 +01:00
jantiebot
7863651912
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
2026-02-26 18:16:44 +01:00
dependabot[bot]
17d14c08d9
Bump actions/stale from 10.1.0 to 10.2.0
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.0 to 10.2.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v10.1.0...v10.2.0)
---
updated-dependencies:
- dependency-name: actions/stale
dependency-version: 10.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-23 01:42:33 +00:00
Justin Holguín
dea54b4342
Merge pull request #1057 from actions/juxtin/case-sensitivity
Make purl comparisons case insensitive
2026-02-20 14:09:58 -08:00
Justin Holguín
8cf743c0ea
Make purl comparisons case insensitive
2026-02-20 22:01:04 +00:00
Justin Holguín
b49f407d39
Merge pull request #1056 from actions/juxtin/fix-exclusion-match
Compare normalized purls to account for encoding quirks
2026-02-20 10:27:39 -08:00
Justin Holguín
f68b94a696
Merge remote-tracking branch 'origin/main' into juxtin/fix-exclusion-match
2026-02-20 16:33:25 +00:00
Eric Sorenson
05fe457637
Merge pull request #1054 from actions/ahpook/release-4.8.3
Changes for Release 4.8.3
2026-02-19 17:25:10 -08:00
Justin Holguín
2ced98cbe8
Compare normalized purls to account for encoding quirks
2026-02-20 00:02:42 +00:00
Eric Sorenson
3a8496cb71
Update generated package files for v4.8.3
2026-02-18 21:56:46 -08:00
Eric Sorenson
0f22a01592
Update CONTRIBUTING for new release process
Fixes some newline damage, grammatical errors, and includes new instructions for pushing a major version branch instead of force-pushing a tag.
2026-02-18 21:54:45 -08:00
Eric Sorenson
58be34364d
Updating package versions for 4.8.3
2026-02-18 21:45:59 -08:00
Eric Sorenson
9284e0c621
Merge pull request #931 from actions/dependabot/npm_and_yarn/spdx-licenses-208b55449f
Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory
2026-02-18 21:31:42 -08:00
dependabot[bot]
8b766562f0
Bump spdx-expression-parse in the spdx-licenses group across 1 directory
Bumps the spdx-licenses group with 1 update in the / directory: [spdx-expression-parse](https://github.com/jslicense/spdx-expression-parse.js).
Updates `spdx-expression-parse` from 3.0.1 to 4.0.0
- [Commits](https://github.com/jslicense/spdx-expression-parse.js/compare/v3.0.1...v4.0.0)
---
updated-dependencies:
- dependency-name: spdx-expression-parse
dependency-version: 4.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: spdx-licenses
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-19 05:22:14 +00:00
Eric Sorenson
43f5f029f5
Merge pull request #1052 from actions/juxtin/fix-long-summaries
Properly truncate long summaries and catch errors
2026-02-18 21:18:45 -08:00
Eric Sorenson
f0033fc4d6
Merge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.6
Bump fast-xml-parser from 5.3.5 to 5.3.6
2026-02-18 08:49:06 -08:00
Copilot
a6c34d8785
Address review feedback: deterministic tests, cached normalization, simplified promisePool (#9)
* Initial plan
* Apply PR review comments: deterministic delays, cached normalization, simplified promisePool
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Improve comment clarity for ecoLower field
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-18 06:33:39 -05:00
dependabot[bot]
b379e2e05f
Bump fast-xml-parser from 5.3.5 to 5.3.6
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.5 to 5.3.6.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.5...v5.3.6)
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.6
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-18 05:07:50 +00:00
Justin Holguín
2e1cf54a50
Properly truncate long summaries and catch errors
2026-02-17 22:46:59 +00:00
Lewis Jones
68e9887ce6
Merge pull request #1050 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.5
Bump fast-xml-parser from 5.3.3 to 5.3.5
2026-02-17 15:10:48 +00:00
dependabot[bot]
a7c7f3b9b1
Bump fast-xml-parser from 5.3.3 to 5.3.5
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.3 to 5.3.5.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.3...v5.3.5)
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.5
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-11 19:21:05 +00:00
Copilot
539c79be65
Implement review feedback: concurrency limiting, semver coercion, logging improvements, and test coverage (#8)
* Initial plan
* Implement PR review comments: concurrency limiting, semver coerce, improved logging, test fixes
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix promise pool race condition and remove .then() usage
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add tests for semver coercion and promise pool concurrency, simplify Map to Set
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-09 14:28:09 -05:00
Copilot
ee66ea100d
Implement review fixes: semver library, scoping, case-insensitive matching, error logging, and configurable fail behavior (#7)
* Initial plan
* Implement PR review comment fixes: semver library, error handling, case-insensitive matching, and rows scoping
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix formatting and rebuild dist folder
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix fail-closed logic and remove redundant @types/semver
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Apply review feedback: fix empty range handling, add trimming, implement range check caching
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Apply review feedback: align fail-closed behavior for empty version, fix TypeScript typing, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix linter errors, optimize cache keys, and improve trimming logic
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add fail-open option for patch selection and optimize with preTrimmed flag
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Enforce fail-closed with explicit validation, fix debug messages, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix unreachable ternary in debug message and eliminate duplicate trim operation
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Normalize eco comparison and add preNormalized option to avoid duplicate range conversion
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Remove unnecessary cache, fix function signature, and correct semver comment
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Make includePrerelease conditional based on version type to preserve range semantics
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Improve debug message to report both invalid version and range when applicable
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Convert to JSDoc, add explicit type annotation, and remove redundant initializer
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-08 16:05:04 -05:00
Copilot
2af9bac14d
Add patched version column to vulnerability summary with multi-range support (#5)
* Initial plan
* Initial plan for adding patched versions to vulnerability summary
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add patched version column to vulnerability summary table
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Optimize API calls to use Set and Promise.all for better performance
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Remove type assertions and optimize ecosystem lookups with normalization
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Extract patch version type checking into helper function for clarity
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Support multiple version ranges per package in advisory lookup
Handle scenarios where the same package has multiple vulnerable version ranges
with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages).
- Store all vulnerability entries with version ranges, not just one per ecosystem
- Implement version range matching to select correct patch version
- Match package by ecosystem, name, AND version range
- Add comprehensive test for multi-range scenario
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix first_patched_version extraction to handle string format
The GitHub Advisory API returns first_patched_version as a simple string
(e.g., "112.0.0"), not an object with an identifier field. Updated
extractPatchVersionId to handle string format primarily while maintaining
backward compatibility with object format.
- Fixed extractPatchVersionId to check for string first
- Updated test mocks to match actual API response format
- Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case
- Verified with actual API responses from multiple advisories
Fixes issue where patched versions were showing as "N/A" instead of
the actual version number.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Rebuild dist with patched version fix
The previous fix to extractPatchVersionId wasn't deployed because the dist/
folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages
the action with npm run build && npm run package to include the fix.
Changes in dist/:
- Updated extractPatchVersionId to handle string format first
- Includes all async vulnerability summary logic with API calls
- Properly extracts patched versions from GitHub Advisory API
This should resolve the issue where patched versions showed as "N/A" in
actual GitHub Actions runs.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add comprehensive debug logging for patch version lookup
Added detailed debug logging to help troubleshoot patch version issues:
- Log when fetching advisory data from API
- Log number of vulnerability entries found
- Log each patch info entry added with details
- Log when no patch version is found
- Log during lookup phase with package details
- Log when patch version is found vs not found
- Log available entries when no match is found
This will make it much easier to diagnose issues in GitHub Actions debug mode.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-06 18:12:20 -05:00
Ahmed ElMallah
98884d411b
Merge pull request #1036 from actions/ae/vuln-fixes
Addressing vulnerabilities
2026-01-06 08:12:33 -08:00
ahmed3lmallah
76bfce5cd7
optimize import
2026-01-05 15:50:21 -08:00
ahmed3lmallah
d45151f498
Addressing vulnerabilities
2026-01-05 15:39:34 -08:00
Barry Gordon
774d14bf50
Merge pull request #1020 from actions/dependabot/npm_and_yarn/multi-75e6bc5210
Bump js-yaml
2025-11-28 12:56:19 +00:00
Barry Gordon
20b998d4e2
Merge pull request #1024 from actions/brrygrdn/update-glob
Upgrade glob to address a vulnerability
2025-11-28 11:46:08 +00:00
Barry Gordon
ad048f729f
Upgrade glob to a fixed version
2025-11-27 18:26:19 +00:00
dependabot[bot]
1d60e0d095
Bump actions/checkout from 4 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-11-27 18:20:43 +00:00
Barry Gordon
35ccfd2548
Merge pull request #1005 from actions/dependabot/github_actions/actions/setup-node-6
Bump actions/setup-node from 4 to 6
2025-11-27 18:19:46 +00:00
Barry Gordon
a2014a181b
Merge pull request #1003 from actions/dependabot/github_actions/github/codeql-action-4
Bump github/codeql-action from 3 to 4
2025-11-27 18:19:21 +00:00
Barry Gordon
1a0268586f
Merge pull request #995 from actions/dependabot/github_actions/actions/stale-10.1.0
Bump actions/stale from 9.1.0 to 10.1.0
2025-11-27 18:18:38 +00:00
dependabot[bot]
14edcb1b2a
Bump js-yaml
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.14.2 and updates ancestor dependency . These dependencies need to be updated together.
Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)
Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)
---
updated-dependencies:
- dependency-name: js-yaml
dependency-version: 3.14.2
dependency-type: indirect
- dependency-name: js-yaml
dependency-version: 4.1.1
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-11-17 22:03:38 +00:00
dependabot[bot]
805c0b2856
Bump actions/setup-node from 4 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-11-11 00:20:49 +00:00
Kevin Dangoor
125b995082
Merge pull request #1017 from actions/remove-non-working-workflow
GitHub Actions can't push to our protected main
2025-11-10 19:16:56 -05:00