Commit Graph

1824 Commits

Author SHA1 Message Date
Roman Iakovlev
2bedf4a221 Update dist 2025-07-22 14:01:55 +00:00
dependabot[bot]
87052cdc7b Bump the minor-updates group across 1 directory with 10 updates
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |

Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-22 13:56:08 +00:00
Roman Iakovlev
47d790678f Merge pull request #934 from actions/dependabot/npm_and_yarn/undici-5.29.0
Bump undici from 5.28.5 to 5.29.0
2025-07-21 19:12:52 +02:00
Roman Iakovlev
1e946feb37 Update dist 2025-07-21 13:53:37 +00:00
Kevin Dangoor
8a1ad91c0a Merge pull request #945 from KyFaSt/patch-1
Add Missing Languages to CodeQL Advanced Configuration
2025-07-11 13:47:35 -04:00
Kylie Stradley
8296deda21 Add Missing Languages to CodeQL Advanced Configuration 2025-07-10 09:22:28 -04:00
dependabot[bot]
733ef0ab01 Bump undici from 5.28.5 to 5.29.0
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-15 16:32:05 +00:00
Kevin Dangoor
da24556b54 Merge pull request #933 from actions/dangoor/471-release
Bump version number for 4.7.1
2025-05-13 12:46:37 -04:00
Kevin Dangoor
9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor
d8f2df20d5 Merge pull request #932 from actions/907-disallow-expression
Discard allow list entries that are not SPDX IDs
2025-05-13 10:28:49 -04:00
Kevin Dangoor
6e9307a3d4 Discard allow list entries that are not SPDX IDs
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
2025-05-12 18:58:58 -04:00
Kevin Dangoor
8805179dc9 Merge pull request #930 from actions/889-allow-no-license
Allowing dependencies works with no licenses
2025-05-08 17:38:03 -04:00
Kevin Dangoor
014300b08c Update build 2025-05-08 17:19:56 -04:00
Kevin Dangoor
34486f306e Check namespaces when excluding license checks
The `allow-dependencies-licenses` option was not checking the namespace
part of the PURL to make sure it matched.
2025-05-08 17:17:08 -04:00
Kevin Dangoor
9b155d6432 Update build 2025-05-08 16:37:11 -04:00
Kevin Dangoor
f199659a6a Allowing dependencies works with no licenses
When using the `allow-dependencies-licenses` option, the packages listed
there should be allowed even if they have no license. This wasn't
working because the filtering for allowed dependencies was done
specifically on the list of packages that had licenses, leaving a
separate list (unfiltered) for packages with no licenses. With this
change, we filter out any changes for packages that have been allowed
_before_ we retrieve licenses.

Fixes #889
2025-05-08 16:31:46 -04:00
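The two commits above (34486f306e and f199659a6a) describe how `allow-dependencies-licenses` entries should be matched against dependency changes: the PURL namespace has to match, and allowed packages have to be dropped before any license lookup so that a package with no license at all is still allowed. The following is an added example written for this page, not the action's own code. The PURL parser (qualifiers and subpaths are ignored), the `Change` and `Findings` shapes, the rule that an entry without a version matches every version, and the sample changes are all assumptions made for the illustration.

```typescript
// Added example, not code from actions/dependency-review-action: matching an
// allow-dependencies-licenses style list of Package URLs against dependency changes.
//   34486f306e: the PURL namespace must match, not just the type and name
//   f199659a6a: allowed packages are removed *before* licenses are looked up, so an
//               allowed package with no license is never reported
// Assumptions: qualifiers/subpaths are ignored, an entry with no version matches any
// version, and the Change/Findings shapes are invented for this example.

interface Purl {
  type: string;
  namespace: string | null;
  name: string;
  version: string | null;
}

interface Change {
  purl: string;
  license: string | null; // null: no license could be determined for the package
}

interface Findings {
  licenseChecks: string[]; // PURLs whose license expression goes on to the allow/deny check
  unlicensed: string[];    // PURLs reported as having no license
}

// pkg:type/namespace/name@version, with namespace optional and segments percent-encoded.
function parsePurl(purl: string): Purl {
  const m = /^pkg:([^/]+)\/(.+)$/.exec(purl);
  if (!m) throw new Error(`not a Package URL: ${purl}`);
  let rest = m[2].split('?')[0].split('#')[0]; // drop qualifiers and subpath
  let version: string | null = null;
  const at = rest.lastIndexOf('@');
  if (at > 0) { // an '@' at index 0 would be an unencoded npm scope, not a version separator
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }
  const segments = rest.split('/').map(decodeURIComponent);
  const name = segments.pop() as string; // the regex guarantees at least one segment
  return {
    type: m[1].toLowerCase(),
    namespace: segments.length > 0 ? segments.join('/') : null,
    name,
    version,
  };
}

// An allow-list entry matches a change only when type, namespace and name all agree.
function purlMatches(entry: Purl, candidate: Purl): boolean {
  return (
    entry.type === candidate.type &&
    entry.namespace === candidate.namespace && // the comparison the commit says was missing
    entry.name === candidate.name &&
    (entry.version === null || entry.version === candidate.version)
  );
}

function removeAllowed(changes: Change[], allowList: string[]): Change[] {
  const allowed = allowList.map(parsePurl);
  return changes.filter((c) => {
    const candidate = parsePurl(c.purl);
    return !allowed.some((entry) => purlMatches(entry, candidate));
  });
}

// Before the fix: the changes were split first, and only the licensed list was filtered.
function findingsBeforeFix(changes: Change[], allowList: string[]): Findings {
  const licensed = changes.filter((c) => c.license !== null);
  const unlicensed = changes.filter((c) => c.license === null);
  return {
    licenseChecks: removeAllowed(licensed, allowList).map((c) => c.purl), // filtered
    unlicensed: unlicensed.map((c) => c.purl),                            // never filtered
  };
}

// After the fix: allowed packages are dropped first, then the remainder is split.
function findingsAfterFix(changes: Change[], allowList: string[]): Findings {
  const remaining = removeAllowed(changes, allowList);
  return {
    licenseChecks: remaining.filter((c) => c.license !== null).map((c) => c.purl),
    unlicensed: remaining.filter((c) => c.license === null).map((c) => c.purl),
  };
}

// Constructed changes: an allowed scoped package with no license, an unscoped package of
// the same name that must NOT be matched by the scoped entry, and two unrelated packages.
const CHANGES: Change[] = [
  { purl: 'pkg:npm/%40octokit/core@6.1.2', license: 'MIT' },
  { purl: 'pkg:npm/%40example/internal-lib@1.0.0', license: null },
  { purl: 'pkg:npm/internal-lib@1.0.0', license: null },
  { purl: 'pkg:npm/left-pad@1.3.0', license: null },
];
const ALLOW_DEPENDENCIES = ['pkg:npm/%40example/internal-lib'];

console.log('before fix:', findingsBeforeFix(CHANGES, ALLOW_DEPENDENCIES));
console.log('after fix: ', findingsAfterFix(CHANGES, ALLOW_DEPENDENCIES));
```

Run with `npx tsx` (or compile with `tsc`) and compare the two `unlicensed` lists: before the fix the allowed `@example/internal-lib` is still reported, after it only the two genuinely unallowed packages remain, and the unscoped `internal-lib` is kept in both because its namespace does not match the entry.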
Kevin Dangoor
38ecb5b593 Merge pull request #929 from actions/dangoor/4.7-release
Version 4.7.0 release
2025-05-08 14:14:35 -04:00
Kevin Dangoor
0e9e935cc8 Version 4.7.0 release
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor
69d2faa365 Merge pull request #926 from dangoor/dangoor/replace-other
Replace OTHER with a LicenseRef
2025-05-07 13:25:04 -04:00
Kevin Dangoor
7e14978e0e Merge branch 'actions:main' into dangoor/replace-other 2025-05-07 13:08:00 -04:00
Kevin Dangoor
8477905b0e Merge pull request #927 from dangoor/dangoor/multilicense
Handle complex licenses (e.g. X AND Y)
2025-05-07 13:06:06 -04:00
Kevin Dangoor
f3ff3564fa Update dist 2025-05-06 12:26:28 -04:00
Kevin Dangoor
c7565d44ec Fix tests and respond to review feedback 2025-05-06 12:25:30 -04:00
Kevin Dangoor
82299c3bbe Replace OTHER with a LicenseRef
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
2025-05-06 11:22:50 -04:00
Kevin Dangoor
2013ccccfe Update type definition for spdx-satisfies
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor
3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I used the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
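Three commits above describe the license-expression logic: 6e9307a3d4 drops allow-list entries that are expressions rather than bare SPDX IDs or LicenseRefs, 82299c3bbe rewrites ClearlyDefined's `OTHER` to `LicenseRef-clearlydefined-OTHER` so expressions still parse, and 3a2b68706a passes a package when the allow list can satisfy its `AND`/`OR` expression. The following is an added example written for this page, not the project's own code and not the spdx-satisfies library it uses: the hand-written parser is an assumed stand-in that handles `AND`, `OR` and parentheses only, compares IDs case-sensitively, and runs on a constructed allow list and set of declared licenses.

```typescript
// Added example, not code from actions/dependency-review-action: a minimal SPDX
// expression checker showing the behaviour the commit messages describe.
//   6e9307a3d4: allow-list entries that are expressions, not bare IDs, are dropped
//   82299c3bbe: ClearlyDefined's bare OTHER becomes LicenseRef-clearlydefined-OTHER
//   3a2b68706a: a package passes when the allow list can satisfy its AND/OR expression
// The parser is an assumed stand-in for spdx-satisfies: AND, OR and parentheses only,
// no WITH exceptions, case-sensitive ID comparison.

type Expr =
  | { kind: 'id'; id: string }
  | { kind: 'and'; left: Expr; right: Expr }
  | { kind: 'or'; left: Expr; right: Expr };

// One bare identifier: an SPDX ID such as MIT or GPL-3.0-only, or a LicenseRef-... token.
const SIMPLE_ID = /^[A-Za-z0-9.+-]+$/;

function isSimpleId(entry: string): boolean {
  return SIMPLE_ID.test(entry.trim());
}

// Discard entries with operators or whitespace so one bad entry cannot invalidate the list.
function cleanAllowList(entries: string[]): string[] {
  return entries.filter(isSimpleId);
}

function tokenize(expr: string): string[] {
  const tokens = expr.match(/\(|\)|[^\s()]+/g) ?? [];
  // OTHER is not a valid SPDX ID; rewrite it to the LicenseRef so the expression parses.
  return tokens.map((t) => (t === 'OTHER' ? 'LicenseRef-clearlydefined-OTHER' : t));
}

// Recursive-descent parser; AND binds tighter than OR, as in the SPDX grammar.
function parseExpression(tokens: string[]): Expr {
  let pos = 0;
  const peek = (): string | undefined => tokens[pos];
  const next = (): string | undefined => tokens[pos++];

  function primary(): Expr {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const inner = orExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return inner;
    }
    if (t === ')' || t === 'AND' || t === 'OR') throw new Error(`unexpected token ${t}`);
    return { kind: 'id', id: t };
  }
  function andExpr(): Expr {
    let left = primary();
    while (peek() === 'AND') {
      next();
      left = { kind: 'and', left, right: primary() };
    }
    return left;
  }
  function orExpr(): Expr {
    let left = andExpr();
    while (peek() === 'OR') {
      next();
      left = { kind: 'or', left, right: andExpr() };
    }
    return left;
  }

  const result = orExpr();
  if (pos !== tokens.length) throw new Error(`trailing token ${tokens[pos]}`);
  return result;
}

// True when the allowed IDs can satisfy the expression: both sides of AND, either side of OR.
function satisfies(expr: Expr, allowed: Set<string>): boolean {
  if (expr.kind === 'id') return allowed.has(expr.id);
  if (expr.kind === 'and') return satisfies(expr.left, allowed) && satisfies(expr.right, allowed);
  return satisfies(expr.left, allowed) || satisfies(expr.right, allowed);
}

function licensePasses(license: string, allowList: string[]): boolean {
  const allowed = new Set(cleanAllowList(allowList));
  return satisfies(parseExpression(tokenize(license)), allowed);
}

// Constructed inputs: the third allow-list entry is an expression and is dropped.
const ALLOW_LIST = ['MIT', 'Apache-2.0', 'GPL-3.0-only OR MIT', 'LicenseRef-clearlydefined-OTHER'];
const DECLARED_LICENSES = [
  'MIT',
  'MIT OR GPL-3.0-only',
  'MIT AND Apache-2.0',
  'MIT AND GPL-3.0-only',
  'MIT AND (Apache-2.0 OR BSD-3-Clause)',
  'OTHER',
];

function evaluateExamples(): Record<string, boolean> {
  const verdicts: Record<string, boolean> = {};
  for (const license of DECLARED_LICENSES) verdicts[license] = licensePasses(license, ALLOW_LIST);
  return verdicts;
}

console.log(evaluateExamples());
```

Of the six declared licenses only `MIT AND GPL-3.0-only` fails, because the allow list cannot cover the GPL side of the conjunction; `OTHER` passes only because the rewritten `LicenseRef-clearlydefined-OTHER` was put on the allow list explicitly, which is the opt-in the README note in 0e9e935cc8 refers to.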
Kevin Dangoor
a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support"
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
2025-05-05 18:43:46 -04:00
Ashely Tenesaca
5a5d4df8ad Merge pull request #916 from jebeaudet/spdx-support
Support SPDX expressions with operators in allow/deny license lists
2025-04-15 11:33:49 -04:00
Jacques-Etienne Beaudet
4eb8182aba Support SPDX expressions in allow/deny lists
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.

Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.

The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.

This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Barry Gordon
67d4f4bd7a Merge pull request #911 from actions/brrygrdn/handle-spdx-updates-as-priority
Handle any SPDX dependencies as a priority Dependabot PR
2025-04-04 13:00:44 +01:00
Barry Gordon
d2e453a37e Handle any SPDX dependencies as a priority PR 2025-04-01 13:52:16 +01:00
Barry Gordon
ce3cf9537a Merge pull request #910 from actions/brrygrdn/4.6.0-release-candidate
Prepare 4.6.0 Release candidate
2025-04-01 12:33:27 +01:00
Barry Gordon
479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Barry Gordon
aee95908ea Merge pull request #902 from Pantelis-Santorinios/patch-1
Clarify comment-summary-in-pr behaviour
2025-04-01 11:40:30 +01:00
Barry Gordon
080ada6281 Merge pull request #883 from fabasoad/fix/ci
Improve usage of this action in dependency-review.yml
2025-04-01 11:36:38 +01:00
Barry Gordon
430e5f0bbf Merge pull request #884 from fabasoad/fix/863
To not print OpenSSF Scorecard section if no dependencies scanned
2025-04-01 11:35:58 +01:00
Barry Gordon
51699b6461 Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev
ac9b193beb Merge pull request #899 from actions/dependabot/npm_and_yarn/octokit/plugin-paginate-rest-9.2.2
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
2025-03-13 15:37:55 +01:00
Roman Iakovlev
d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
Roman Iakovlev
c8dafca32b Add dist for @octokit/plugin-paginate-rest version bump 2025-03-12 16:55:30 +00:00
dependabot[bot]
bc858b5649 Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 16:53:26 +00:00
Roman Iakovlev
cd1541ea8d Merge pull request #905 from actions/dependabot/npm_and_yarn/babel/helpers-7.26.10
Bump @babel/helpers from 7.23.2 to 7.26.10
2025-03-12 15:43:04 +01:00
dependabot[bot]
7bce095f93 Bump @babel/helpers from 7.23.2 to 7.26.10
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)

---
updated-dependencies:
- dependency-name: "@babel/helpers"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 11:42:46 +00:00
Roman Iakovlev
195b0c2e88 Merge pull request #904 from actions/roman/upd
Bump octokit and related dependencies
2025-03-12 12:41:41 +01:00
Roman Iakovlev
cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Lewis Jones
0e562a634b Merge pull request #900 from actions/dependabot/npm_and_yarn/esbuild-0.25.0
Bump esbuild from 0.19.5 to 0.25.0
2025-03-07 11:49:50 +00:00
Pantelis
3d00aed36d Update README.md 2025-03-06 14:43:51 +01:00
dependabot[bot]
2c5ec1eea8 Bump esbuild from 0.19.5 to 0.25.0
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 20:54:18 +00:00
Eric Sorenson
bf0431a342 Merge pull request #893 from omahs/patch-1
Fix typos
2025-02-07 14:27:22 -08:00
omahs
c26b132baa fix typos 2025-02-07 13:22:20 +01:00