Eric Sorenson
d02fa39f79
Updates for release 4.9.0
...
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files
Closes #1062 #1063 #1028 #972 #971 #970
2026-03-02 16:15:13 -08:00
Chad Bentz
e404798400
Merge upstream actions/dependency-review-action main
...
Syncs fork with upstream, resolving conflicts in package.json
(keeping semver + upgrading spdx-expression-parse to ^4.0.0),
regenerating package-lock.json and dist/ folder.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-27 14:04:27 -05:00
Eric Sorenson
58be34364d
Updating package versions for 4.8.3
2026-02-18 21:45:59 -08:00
dependabot[bot]
8b766562f0
Bump spdx-expression-parse in the spdx-licenses group across 1 directory
...
Bumps the spdx-licenses group with 1 update in the / directory: [spdx-expression-parse](https://github.com/jslicense/spdx-expression-parse.js).
Updates `spdx-expression-parse` from 3.0.1 to 4.0.0
- [Commits](https://github.com/jslicense/spdx-expression-parse.js/compare/v3.0.1...v4.0.0)
---
updated-dependencies:
- dependency-name: spdx-expression-parse
dependency-version: 4.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: spdx-licenses
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-19 05:22:14 +00:00
dependabot[bot]
b379e2e05f
Bump fast-xml-parser from 5.3.5 to 5.3.6
...
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.5 to 5.3.6.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.5...v5.3.6)
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.6
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-18 05:07:50 +00:00
dependabot[bot]
a7c7f3b9b1
Bump fast-xml-parser from 5.3.3 to 5.3.5
...
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.3 to 5.3.5.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.3...v5.3.5)
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.5
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-11 19:21:05 +00:00
Copilot
ee66ea100d
Implement review fixes: semver library, scoping, case-insensitive matching, error logging, and configurable fail behavior (#7)
...
* Initial plan
* Implement PR review comment fixes: semver library, error handling, case-insensitive matching, and rows scoping
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix formatting and rebuild dist folder
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix fail-closed logic and remove redundant @types/semver
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Apply review feedback: fix empty range handling, add trimming, implement range check caching
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Apply review feedback: align fail-closed behavior for empty version, fix TypeScript typing, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix linter errors, optimize cache keys, and improve trimming logic
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add fail-open option for patch selection and optimize with preTrimmed flag
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Enforce fail-closed with explicit validation, fix debug messages, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix unreachable ternary in debug message and eliminate duplicate trim operation
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Normalize eco comparison and add preNormalized option to avoid duplicate range conversion
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Remove unnecessary cache, fix function signature, and correct semver comment
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Make includePrerelease conditional based on version type to preserve range semantics
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Improve debug message to report both invalid version and range when applicable
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Convert to JSDoc, add explicit type annotation, and remove redundant initializer
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-08 16:05:04 -05:00
Copilot
2af9bac14d
Add patched version column to vulnerability summary with multi-range support (#5)
...
* Initial plan
* Initial plan for adding patched versions to vulnerability summary
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add patched version column to vulnerability summary table
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Optimize API calls to use Set and Promise.all for better performance
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Remove type assertions and optimize ecosystem lookups with normalization
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Extract patch version type checking into helper function for clarity
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Support multiple version ranges per package in advisory lookup
Handle scenarios where the same package has multiple vulnerable version ranges
with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages).
- Store all vulnerability entries with version ranges, not just one per ecosystem
- Implement version range matching to select correct patch version
- Match package by ecosystem, name, AND version range
- Add comprehensive test for multi-range scenario
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix first_patched_version extraction to handle string format
The GitHub Advisory API returns first_patched_version as a simple string
(e.g., "112.0.0"), not an object with an identifier field. Updated
extractPatchVersionId to handle string format primarily while maintaining
backward compatibility with object format.
- Fixed extractPatchVersionId to check for string first
- Updated test mocks to match actual API response format
- Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case
- Verified with actual API responses from multiple advisories
Fixes issue where patched versions were showing as "N/A" instead of
the actual version number.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Rebuild dist with patched version fix
The previous fix to extractPatchVersionId wasn't deployed because the dist/
folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages
the action with npm run build && npm run package to include the fix.
Changes in dist/:
- Updated extractPatchVersionId to handle string format first
- Includes all async vulnerability summary logic with API calls
- Properly extracts patched versions from GitHub Advisory API
This should resolve the issue where patched versions showed as "N/A" in
actual GitHub Actions runs.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add comprehensive debug logging for patch version lookup
Added detailed debug logging to help troubleshoot patch version issues:
- Log when fetching advisory data from API
- Log number of vulnerability entries found
- Log each patch info entry added with details
- Log when no patch version is found
- Log during lookup phase with package details
- Log when patch version is found vs not found
- Log available entries when no match is found
This will make it much easier to diagnose issues in GitHub Actions debug mode.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-06 18:12:20 -05:00
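The lookup that the two Copilot commits above describe (match an advisory entry on ecosystem, name and vulnerable version range rather than ecosystem and name alone; read `first_patched_version` as the string the API returns, falling back to the older `{ identifier }` object; treat an empty or unparsable version or range as "no patch version known" rather than guessing), as an added example. This is not the action's code nor the code from those commits. The range evaluator is a small stand-in for the semver library the review fixes adopted: it only understands comma-joined `op version` clauses over three-part versions and rejects prereleases outright, so it has no counterpart to the `includePrerelease` handling the commit mentions. The payload field names follow the GitHub Advisory REST response as the commit describes it, and the sample advisory is constructed.

```typescript
// Added example, not from actions/dependency-review-action. Field names follow the
// GitHub Advisory REST payload; the sample advisory at the bottom is constructed.

interface AdvisoryVulnerability {
  package: { ecosystem: string; name: string };
  vulnerable_version_range: string; // e.g. ">= 2.0.0, < 2.3.1"
  first_patched_version: string | { identifier: string } | null;
}

/** Accept the string form the API returns ("112.0.0") first, then the older object form. */
function extractPatchVersionId(
  value: AdvisoryVulnerability["first_patched_version"],
): string | null {
  if (typeof value === "string") return value.trim() || null;
  if (value && typeof value.identifier === "string") return value.identifier.trim() || null;
  return null;
}

/** Parse "1.2.3" (or "v1.2.3"); anything else, including prereleases, is rejected. */
function parseVersion(s: string): number[] | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

/**
 * Evaluate a GHSA-style range such as ">= 1.0.0, < 1.4.2"; every clause must hold.
 * Stand-in for semver.satisfies: an empty range, an unparsable clause or an
 * unparsable version counts as "not in range", so no patch version gets claimed.
 */
function inRange(version: string, range: string): boolean {
  const v = parseVersion(version);
  if (!v) return false;
  const clauses = range.split(",").map((c) => c.trim()).filter(Boolean);
  if (clauses.length === 0) return false;
  for (const clause of clauses) {
    const m = /^(>=|<=|>|<|=)\s*(.+)$/.exec(clause);
    const bound = m ? parseVersion(m[2]) : null;
    if (!m || !bound) return false;
    const c = compareVersions(v, bound);
    const holds: Record<string, boolean> = {
      ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0,
    };
    if (!holds[m[1]]) return false;
  }
  return true;
}

/** Select the patched version for (ecosystem, name, version): all three must match. */
function findPatchedVersion(
  vulns: AdvisoryVulnerability[],
  ecosystem: string,
  name: string,
  version: string,
): string | null {
  const eco = ecosystem.trim().toLowerCase();
  const pkg = name.trim().toLowerCase();
  for (const vuln of vulns) {
    if (vuln.package.ecosystem.trim().toLowerCase() !== eco) continue;
    if (vuln.package.name.trim().toLowerCase() !== pkg) continue;
    if (!inRange(version, vuln.vulnerable_version_range)) continue;
    return extractPatchVersionId(vuln.first_patched_version);
  }
  return null; // a caller would render this as "N/A"
}

// Constructed sample: one advisory covering two release lines of the same package
// with different patched versions, plus an entry with no fix available.
const SAMPLE_ADVISORY: AdvisoryVulnerability[] = [
  { package: { ecosystem: "nuget", name: "Example.Lib" },
    vulnerable_version_range: ">= 2.0.0, < 2.3.1", first_patched_version: "2.3.1" },
  { package: { ecosystem: "nuget", name: "Example.Lib" },
    vulnerable_version_range: "< 1.9.4", first_patched_version: { identifier: "1.9.4" } },
  { package: { ecosystem: "npm", name: "other-pkg" },
    vulnerable_version_range: "< 3.0.0", first_patched_version: null },
];

console.log(findPatchedVersion(SAMPLE_ADVISORY, "NuGet", "example.lib", "2.1.0")); // 2.3.1
```

Matching on the range is what keeps a 1.x consumer from being told to upgrade to 2.3.1: the two entries share ecosystem and name, and only the version decides which patched version applies. Returning `null` for anything the evaluator cannot parse is the conservative choice; a summary that says "N/A" is less harmful than one that names a version that does not fix the finding.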
ahmed3lmallah
d45151f498
Addressing vulnerabilities
2026-01-05 15:39:34 -08:00
Barry Gordon
774d14bf50
Merge pull request #1020 from actions/dependabot/npm_and_yarn/multi-75e6bc5210
...
Bump js-yaml
2025-11-28 12:56:19 +00:00
Barry Gordon
ad048f729f
Upgrade glob to a fixed version
2025-11-27 18:26:19 +00:00
dependabot[bot]
14edcb1b2a
Bump js-yaml
...
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.14.2 and updates ancestor dependency . These dependencies need to be updated together.
Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)
Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)
---
updated-dependencies:
- dependency-name: js-yaml
dependency-version: 3.14.2
dependency-type: indirect
- dependency-name: js-yaml
dependency-version: 4.1.1
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-11-17 22:03:38 +00:00
Kevin Dangoor
70cb25ec56
4.8.2 release
2025-11-10 14:44:24 -05:00
Dan Hardej
19f9360983
Update package-lock.json
2025-11-08 07:15:17 +08:00
Eric Sorenson
45529485b5
Bump version for 4.8.1 release
2025-10-10 12:55:32 -07:00
Barry Gordon
1688b745f3
Bump to a 4.8.0
2025-09-26 15:45:28 +01:00
Barry Gordon
eacde7836e
Update version
2025-09-26 14:42:22 +01:00
Matt Mencel
e0cedc52dc
feat: add large summary handling with artifact upload
...
When the dependency review summary exceeds GitHub's size limit (1024k), upload it as an artifact and provide a link in the comment. This ensures users can still access the full review details even when the summary is too large to display directly.
2025-09-26 12:55:14 +01:00
Claire Song
595b5aeba7
Update package version (#975)
2025-08-26 13:00:34 -07:00
Claire Song
fc5fd661aa
Claire153/fix spamming mentioned issue (#974)
...
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
2025-08-26 12:46:02 -07:00
Ashely Tenesaca
8d420b827c
Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b
2025-08-20 17:28:38 -04:00
dependabot[bot]
74c8179d39
Bump brace-expansion
...
Bumps and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.
Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)
Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.12
dependency-type: indirect
- dependency-name: brace-expansion
dependency-version: 2.0.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-08-18 22:33:26 +00:00
Claire Song
bc41886e18
Cut 4.7.2 version release (#964)
...
* Cut 4.7.2 version release
* Bump dependency minor versions
2025-08-18 11:17:54 -07:00
dependabot[bot]
fac3d41a58
Bump the minor-updates group across 1 directory with 5 updates (#956)
...
Bumps the minor-updates group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |
Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)
Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.0...v2.8.1)
Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.1...v5.5.4)
Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)
---
updated-dependencies:
- dependency-name: ts-jest
dependency-version: 29.4.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: yaml
dependency-version: 2.8.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: "@types/node"
dependency-version: 20.19.10
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
dependency-version: 5.5.4
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: typescript
dependency-version: 5.9.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: minor-updates
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-18 10:31:31 -07:00
dependabot[bot]
87052cdc7b
Bump the minor-updates group across 1 directory with 10 updates
...
Bumps the minor-updates group with 10 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |
Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)
Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)
Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)
Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)
Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)
Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)
Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)
Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)
Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)
---
updated-dependencies:
- dependency-name: "@actions/core"
dependency-version: 1.11.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: "@actions/github"
dependency-version: 6.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: got
dependency-version: 14.4.7
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: ts-jest
dependency-version: 29.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: yaml
dependency-version: 2.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: "@types/node"
dependency-version: 20.19.7
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
dependency-version: 5.5.1
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: nodemon
dependency-version: 3.1.10
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: minor-updates
- dependency-name: prettier
dependency-version: 3.6.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: minor-updates
- dependency-name: typescript
dependency-version: 5.8.3
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: minor-updates
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-22 13:56:08 +00:00
dependabot[bot]
733ef0ab01
Bump undici from 5.28.5 to 5.29.0
...
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)
---
updated-dependencies:
- dependency-name: undici
dependency-version: 5.29.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-05-15 16:32:05 +00:00
Kevin Dangoor
9af0caf0e5
Bump version number for 4.7.1
2025-05-13 11:20:20 -04:00
Kevin Dangoor
0e9e935cc8
Version 4.7.0 release
...
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor
2013ccccfe
Update type definition for spdx-satisfies
...
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor
3a2b68706a
Handle complex licenses (e.g. X AND Y)
...
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.
The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.
To implement this, I used the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).
Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
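The allow-list check the commit above describes, as an added example: a small evaluator with the same `satisfies(expression, allowList)` shape, written for this page rather than taken from the action or from spdx-satisfies.js. It handles `AND`, `OR` and parentheses with SPDX precedence (`AND` binds tighter than `OR`), compares identifiers case-insensitively, and fails closed on anything it cannot parse, including `WITH` exception clauses, which it does not support. The expressions at the bottom are constructed from the cases in the commit message.

```typescript
// Added example, not from actions/dependency-review-action or spdx-satisfies.js.
// Decides whether an allow list of license identifiers can satisfy an SPDX expression.

type Expr =
  | { kind: "license"; id: string }
  | { kind: "and"; left: Expr; right: Expr }
  | { kind: "or"; left: Expr; right: Expr };

/** Split into "(", ")" and identifier/keyword tokens; reject characters outside that set. */
function tokenize(input: string): string[] {
  const tokens = input.match(/\(|\)|[A-Za-z0-9.+\-]+/g) ?? [];
  if (input.replace(/\(|\)|[A-Za-z0-9.+\-]+|\s+/g, "").length > 0) {
    throw new Error(`unsupported characters in '${input}'`);
  }
  return tokens;
}

/** Recursive descent: or := and (OR and)* ; and := primary (AND primary)* ; primary := "(" or ")" | ID */
function parse(input: string): Expr {
  const tokens = tokenize(input);
  let pos = 0;
  const peek = (): string | undefined => tokens[pos];
  const next = (): string | undefined => tokens[pos++];
  const atKeyword = (kw: string): boolean => {
    const t = peek();
    return t !== undefined && t.toUpperCase() === kw;
  };

  function primary(): Expr {
    const t = next();
    if (t === undefined) throw new Error("unexpected end of expression");
    if (t === "(") {
      const inner = orExpr();
      if (next() !== ")") throw new Error("missing ')'");
      return inner;
    }
    // A keyword or closing paren where an identifier is required (e.g. "MIT AND" or "WITH").
    if (t === ")" || /^(AND|OR|WITH)$/i.test(t)) throw new Error(`unexpected token '${t}'`);
    return { kind: "license", id: t };
  }
  function andExpr(): Expr {
    let left: Expr = primary();
    while (atKeyword("AND")) { next(); left = { kind: "and", left, right: primary() }; }
    return left;
  }
  function orExpr(): Expr {
    let left: Expr = andExpr();
    while (atKeyword("OR")) { next(); left = { kind: "or", left, right: andExpr() }; }
    return left;
  }

  const expr = orExpr();
  if (pos !== tokens.length) throw new Error(`unexpected token '${tokens[pos]}'`);
  return expr;
}

/** OR is satisfied by either side, AND needs both; a bare identifier must be on the allow list. */
function evaluate(e: Expr, allowed: Set<string>): boolean {
  if (e.kind === "license") return allowed.has(e.id.toLowerCase());
  if (e.kind === "and") return evaluate(e.left, allowed) && evaluate(e.right, allowed);
  return evaluate(e.left, allowed) || evaluate(e.right, allowed);
}

/** True when the allow list can satisfy the expression; anything that fails to parse is rejected. */
function satisfies(expression: string, allowList: string[]): boolean {
  const allowed = new Set(allowList.map((id) => id.trim().toLowerCase()));
  try {
    return evaluate(parse(expression), allowed);
  } catch {
    return false;
  }
}

// Constructed inputs mirroring the cases in the commit message.
const ALLOW_LIST = ["MIT", "BSD-3-Clause"];
console.log(satisfies("MIT AND (Apache-2.0 OR BSD-3-Clause)", ALLOW_LIST)); // true
```

Failing closed on a malformed expression matters for a policy gate: a package whose metadata carries an unparsable license string should surface as a review finding, not slip through because the checker could not form an opinion.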
Barry Gordon
479b69732e
Prepare 4.6.0
2025-04-01 12:22:08 +01:00
Barry Gordon
51699b6461
Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
...
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev
d630451aa0
Pin @octokit/types version for compatibility
2025-03-13 14:34:23 +00:00
dependabot[bot]
bc858b5649
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
...
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2)
---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 16:53:26 +00:00
dependabot[bot]
7bce095f93
Bump @babel/helpers from 7.23.2 to 7.26.10
...
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)
---
updated-dependencies:
- dependency-name: "@babel/helpers"
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 11:42:46 +00:00
Roman Iakovlev
cdee0bc8c3
Bump octokit and related dependencies
2025-03-12 10:57:15 +00:00
dependabot[bot]
2c5ec1eea8
Bump esbuild from 0.19.5 to 0.25.0
...
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)
---
updated-dependencies:
- dependency-name: esbuild
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 20:54:18 +00:00
dependabot[bot]
6ec8e13b9a
Bump undici from 5.28.4 to 5.28.5
...
Bumps [undici](https://github.com/nodejs/undici) from 5.28.4 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5)
---
updated-dependencies:
- dependency-name: undici
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 17:39:09 +00:00
Ahmed ElMallah
ef281d4e24
Updating multiple dependency versions
2025-01-23 21:07:39 +00:00
Paul Scheunemann
2caab057ed
Update transitive dependency spdx-license-ids
2024-12-06 16:36:10 +01:00
Ahmed ElMallah
eee97d8b03
incrementing project version
2024-11-20 21:41:43 +00:00
Ahmed ElMallah
9192be9c72
Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538
...
Overriding the cross-spawn dependency to use a safe version
2024-11-19 14:42:32 -08:00
Ahmed ElMallah
2fc8e23b12
Using cross-spawn safe version
2024-11-19 22:26:34 +00:00
Ahmed ElMallah
b02ea3a88b
Merge pull request #849 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.3
...
Bump @vercel/ncc from 0.38.1 to 0.38.3
2024-11-18 15:14:46 -08:00
dependabot[bot]
591cbf9044
Bump @vercel/ncc from 0.38.1 to 0.38.3
...
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.1...0.38.3)
---
updated-dependencies:
- dependency-name: "@vercel/ncc"
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 01:28:26 +00:00
dependabot[bot]
c0a5e20c51
Bump nodemon from 3.1.0 to 3.1.7
...
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.0 to 3.1.7.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.0...v3.1.7)
---
updated-dependencies:
- dependency-name: nodemon
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-11-04 01:59:13 +00:00
dependabot[bot]
d8ae44e2a0
Bump got from 14.4.2 to 14.4.3
...
Bumps [got](https://github.com/sindresorhus/got) from 14.4.2 to 14.4.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.2...v14.4.3)
---
updated-dependencies:
- dependency-name: got
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 01:10:40 +00:00
ahmed3lmallah
d92f08b3ff
Bump eslint-plugin-jest and ts-jest
2024-10-21 15:16:32 -07:00
Barry Gordon
3e334b7ca7
Merge pull request #822 from actions/dependabot/npm_and_yarn/got-14.4.2
...
Bump got from 14.4.1 to 14.4.2
2024-09-30 16:17:18 +01:00
Eli Reisman
8179e6abd6
upgrade micromatch within given dependent parent pkg bounds but past security vuln
2024-09-16 09:53:44 -07:00