actions/dependency-review-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,824 Commits 1 Branch 0 Tags
2bedf4a221c94de43894e690e432b09913640d67
Commit Graph

674 Commits

Author SHA1 Message Date
dependabot[bot]
87052cdc7b Bump the minor-updates group across 1 directory with 10 updates 
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |



Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-22 13:56:08 +00:00
dependabot[bot]
733ef0ab01 Bump undici from 5.28.5 to 5.29.0 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-15 16:32:05 +00:00
Kevin Dangoor
9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor
0e9e935cc8 Version 4.7.0 release 
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
 2025-05-08 13:58:56 -04:00
Kevin Dangoor
2013ccccfe Update type definition for spdx-satisfies 
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
 2025-05-06 11:02:54 -04:00
Kevin Dangoor
3a2b68706a Handle complex licenses (e.g. X AND Y) 
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
 2025-05-05 19:06:50 -04:00
Barry Gordon
479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Barry Gordon
51699b6461 Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses 
Update transitive dependency spdx-license-ids
 2025-04-01 11:33:12 +01:00
Roman Iakovlev
d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
dependabot[bot]
bc858b5649 Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-03-12 16:53:26 +00:00
dependabot[bot]
7bce095f93 Bump @babel/helpers from 7.23.2 to 7.26.10 
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)

---
updated-dependencies:
- dependency-name: "@babel/helpers"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-03-12 11:42:46 +00:00
Roman Iakovlev
cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
dependabot[bot]
2c5ec1eea8 Bump esbuild from 0.19.5 to 0.25.0 
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-26 20:54:18 +00:00
dependabot[bot]
6ec8e13b9a Bump undici from 5.28.4 to 5.28.5 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.4 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-01-24 17:39:09 +00:00
Ahmed ElMallah
ef281d4e24 Updating multiple dependency versions 2025-01-23 21:07:39 +00:00
Paul Scheunemann
2caab057ed Update transitive dependency spdx-license-ids 2024-12-06 16:36:10 +01:00
Ahmed ElMallah
eee97d8b03 incrementing project version 2024-11-20 21:41:43 +00:00
Ahmed ElMallah
9192be9c72 Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538 
Overriding the cross-spawn dependency to use a safe version
 2024-11-19 14:42:32 -08:00
Ahmed ElMallah
2fc8e23b12 Using cross-spawn safe version 2024-11-19 22:26:34 +00:00
Ahmed ElMallah
b02ea3a88b Merge pull request #849 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.3 
Bump @vercel/ncc from 0.38.1 to 0.38.3
 2024-11-18 15:14:46 -08:00
dependabot[bot]
591cbf9044 Bump @vercel/ncc from 0.38.1 to 0.38.3 
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.1...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-11-18 01:28:26 +00:00
dependabot[bot]
c0a5e20c51 Bump nodemon from 3.1.0 to 3.1.7 
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.0 to 3.1.7.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.0...v3.1.7)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-11-04 01:59:13 +00:00
dependabot[bot]
d8ae44e2a0 Bump got from 14.4.2 to 14.4.3 
Bumps [got](https://github.com/sindresorhus/got) from 14.4.2 to 14.4.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.2...v14.4.3)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-28 01:10:40 +00:00
ahmed3lmallah
d92f08b3ff Bump eslint-plugin-jest and ts-jest 2024-10-21 15:16:32 -07:00
Barry Gordon
3e334b7ca7 Merge pull request #822 from actions/dependabot/npm_and_yarn/got-14.4.2 
Bump got from 14.4.1 to 14.4.2
 2024-09-30 16:17:18 +01:00
Eli Reisman
8179e6abd6 upgrade micromatch within given dependent parent pkg bounds but past security vuln 2024-09-16 09:53:44 -07:00
dependabot[bot]
fe833075f3 Bump got from 14.4.1 to 14.4.2 
Bumps [got](https://github.com/sindresorhus/got) from 14.4.1 to 14.4.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.1...v14.4.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-26 01:38:54 +00:00
dependabot[bot]
e5cb30f678 Bump @types/node from 20.11.28 to 20.16.0 
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.16.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-19 01:33:46 +00:00
Justin Holguín
ac6a6adece Prepare even more for v4.3.4 2024-07-11 20:39:43 +00:00
dependabot[bot]
08b5bf2921 Bump zod from 3.22.4 to 3.23.8 
Bumps [zod](https://github.com/colinhacks/zod) from 3.22.4 to 3.23.8.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.22.4...v3.23.8)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-10 17:43:18 +00:00
Justin Holguín
986fce9040 Merge pull request #784 from actions/dependabot/npm_and_yarn/got-14.4.1 
Bump got from 14.2.0 to 14.4.1
 2024-07-10 10:41:24 -07:00
Justin Holguín
28743f8570 Merge pull request #719 from actions/change-spdx-parser 
Update SPDX Expression Parsing
 2024-07-10 10:06:31 -07:00
dependabot[bot]
465867cec8 Bump braces from 3.0.2 to 3.0.3 
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-08 21:49:13 +00:00
Eli Reisman
bc5b235cf6 move jest to dev dependencies 2024-06-10 09:51:00 -07:00
Eli Reisman
154c1500f3 add @onebeyond/spdx-license-satisfies to DR Action project 2024-06-10 09:51:00 -07:00
dependabot[bot]
2115d9eeea Bump got from 14.2.0 to 14.4.1 
Bumps [got](https://github.com/sindresorhus/got) from 14.2.0 to 14.4.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.2.0...v14.4.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-06-10 01:18:26 +00:00
dependabot[bot]
c0630c2a88 Bump undici from 5.28.3 to 5.28.4 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-06-06 18:28:02 +00:00
Eli Reisman
137d8b42ce bump to version v4.3.3 2024-06-05 10:26:55 -07:00
Justin Holguín
d0d5cc3ec4 Update version number to 4.3.2 2024-04-30 16:30:51 +00:00
Justin Holguín
9b7c72ddcd Change version to 4.3.1 2024-04-29 17:45:21 +00:00
Justin Holguín
640617990f Replace packageurl-js with our own implementation 2024-04-27 21:26:06 +00:00
Justin Holguín
5ab7b74146 Update package-lock.json 2024-04-26 17:11:46 +00:00
Justin Holguín
f456418f6a Merge pull request #737 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.10.2 
Bump eslint-plugin-github from 4.10.1 to 4.10.2
 2024-04-24 14:59:31 -07:00
dependabot[bot]
5498b6c4c3 Bump typescript from 5.3.3 to 5.4.5 
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.3.3 to 5.4.5.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.3...v5.4.5)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-24 21:39:33 +00:00
dependabot[bot]
72aedfc147 Bump eslint-plugin-github from 4.10.1 to 4.10.2 
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.10.1 to 4.10.2.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.10.1...v4.10.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-04-01 01:25:22 +00:00
Federico Builes
5bbc3ba658 bumping version 2024-03-26 08:04:16 +01:00
dependabot[bot]
21941b530b Bump eslint from 8.56.0 to 8.57.0 
Bumps [eslint](https://github.com/eslint/eslint) from 8.56.0 to 8.57.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.56.0...v8.57.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-03-25 01:27:32 +00:00
Federico Builes
733dd5d4a5 bumping to 4.2.4 2024-03-24 14:59:17 +01:00
Federico Builes
0fa40c3c10 bumping to 4.2.3. 2024-03-20 17:57:26 +01:00
Federico Builes
b751d41e7e Merge pull request #702 from actions/dependabot/npm_and_yarn/nodemon-3.1.0 
Bump nodemon from 3.0.3 to 3.1.0
 2024-03-20 06:48:20 +01:00