actions/dependency-review-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,846 Commits 1 Branch 0 Tags
ef00a0afbb540db022eb79fc3aea57b5603d7a47
Commit Graph

1846 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ashely Tenesaca
ef00a0afbb add permissions to workflows 2025-08-19 20:55:24 +00:00
Claire Song
bc41886e18 Cut 4.7.2 version release (#964) 
* Cut 4.7.2 version release

* Bump dependency minor versions
 2025-08-18 11:17:54 -07:00
Kevin Dangoor
1c73553e36 Merge pull request #960 from ahpook/ahpook/address-docs-dashes 
Address discrepancy between docs and reality
 2025-08-18 14:02:19 -04:00
dependabot[bot]
fac3d41a58 Bump the minor-updates group across 1 directory with 5 updates (#956) 
Bumps the minor-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)

Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.0...v2.8.1)

Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.1...v5.5.4)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-08-18 10:31:31 -07:00
Claire Song
d8073c4b76 Merge pull request #958 from actions/claire153/deprecate-deny-lists 
Deprecate deny lists
 2025-08-18 12:33:17 -04:00
Claire Song
77184c6339 Fix tests 2025-08-18 15:10:48 +00:00
Eric Sorenson
5558c35bb3 Address discrepancy between docs and reality 
The documentation used to say that you needed to transform keys
in external config files from using `-` to `_`, but in reality
the code transforms `-` to `_` regardless of where they occur.

See 4b4ec08f7b

Closes #909
 2025-08-15 17:16:55 -07:00
Claire Song
e85d57a50e Remove test code 2025-08-15 16:15:02 +00:00
Claire Song
3eb62794c5 Re-add test package. Only show warning in summary if option is used. Update copy. 2025-08-15 15:49:35 +00:00
Claire Song
7cf33ac2f2 Remove test deny list 2025-08-14 17:58:31 +00:00
Claire Song
493bee0560 Remove test package 2025-08-14 17:46:53 +00:00
Claire Song
659a1e1bd0 Update copy and styling 2025-08-14 17:44:34 +00:00
Claire Song
6e80be31cd Add one more line break 2025-08-14 16:39:53 +00:00
Claire Song
3fb5c613f0 Add one more line break 2025-08-14 16:32:20 +00:00
Claire Song
7d16ba5d7e Add one more line break 2025-08-14 15:43:03 +00:00
Claire Song
a92a9da9c8 Add one more line break 2025-08-14 15:39:37 +00:00
Claire Song
c1fa9df06b Build 2025-08-14 14:43:45 +00:00
Claire Song
6e2bbef080 Add deprecation warning, fix lint issues 2025-08-14 14:25:52 +00:00
Claire Song
9ca24b6906 Add new package 2025-08-13 21:22:20 +00:00
Claire Song
70e1d26338 Test deny list 2025-08-13 21:07:58 +00:00
Roman Iakovlev
89c7383074 Merge pull request #946 from actions/dependabot/npm_and_yarn/minor-updates-9b599382cb 
Bump the minor-updates group across 1 directory with 10 updates
 2025-07-22 16:15:34 +02:00
Roman Iakovlev
40f2ab01b7 Update dist 2025-07-22 14:06:49 +00:00
Roman Iakovlev
2bedf4a221 Update dist 2025-07-22 14:01:55 +00:00
dependabot[bot]
87052cdc7b Bump the minor-updates group across 1 directory with 10 updates 
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |



Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-22 13:56:08 +00:00
Roman Iakovlev
47d790678f Merge pull request #934 from actions/dependabot/npm_and_yarn/undici-5.29.0 
Bump undici from 5.28.5 to 5.29.0
 2025-07-21 19:12:52 +02:00
Roman Iakovlev
1e946feb37 Update dist 2025-07-21 13:53:37 +00:00
Kevin Dangoor
8a1ad91c0a Merge pull request #945 from KyFaSt/patch-1 
Add Missing Languages to CodeQL Advanced Configuration
 2025-07-11 13:47:35 -04:00
Kylie Stradley
8296deda21 Add Missing Languages to CodeQL Advanced Configuration 2025-07-10 09:22:28 -04:00
dependabot[bot]
733ef0ab01 Bump undici from 5.28.5 to 5.29.0 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-15 16:32:05 +00:00
Kevin Dangoor
da24556b54 Merge pull request #933 from actions/dangoor/471-release 
Bump version number for 4.7.1
 2025-05-13 12:46:37 -04:00
Kevin Dangoor
9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor
d8f2df20d5 Merge pull request #932 from actions/907-disallow-expression 
Discard allow list entries that are not SPDX IDs
 2025-05-13 10:28:49 -04:00
Kevin Dangoor
6e9307a3d4 Discard allow list entries that are not SPDX IDs 
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
 2025-05-12 18:58:58 -04:00
Kevin Dangoor
8805179dc9 Merge pull request #930 from actions/889-allow-no-license 
Allowing dependencies works with no licenses
 2025-05-08 17:38:03 -04:00
Kevin Dangoor
014300b08c Update build 2025-05-08 17:19:56 -04:00
Kevin Dangoor
34486f306e Check namespaces when excluding license checks 
The `allow-dependencies-licenses` option was not checking the namespace
part of the PURL to make sure it matched.
 2025-05-08 17:17:08 -04:00
Kevin Dangoor
9b155d6432 Update build 2025-05-08 16:37:11 -04:00
Kevin Dangoor
f199659a6a Allowing dependencies works with no licenses 
When using the `allow-dependencies-licenses` option, the packages listed
there should be allowed even if they have no license. This wasn't
working because the filtering for allowed dependencies was done
specifically on the list of packages that had licenses, leaving a
separate list (unfiltered) for packages with no licenses. With this
change, we filter out any changes for packages that have been allowed
_before_ we retrieve licenses.

Fixes #889
 2025-05-08 16:31:46 -04:00
Kevin Dangoor
38ecb5b593 Merge pull request #929 from actions/dangoor/4.7-release 
Version 4.7.0 release
 2025-05-08 14:14:35 -04:00
Kevin Dangoor
0e9e935cc8 Version 4.7.0 release 
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
 2025-05-08 13:58:56 -04:00
Kevin Dangoor
69d2faa365 Merge pull request #926 from dangoor/dangoor/replace-other 
Replace OTHER with a LicenseRef
 2025-05-07 13:25:04 -04:00
Kevin Dangoor
7e14978e0e Merge branch 'actions:main' into dangoor/replace-other 2025-05-07 13:08:00 -04:00
Kevin Dangoor
8477905b0e Merge pull request #927 from dangoor/dangoor/multilicense 
Handle complex licenses (e.g. X AND Y)
 2025-05-07 13:06:06 -04:00
Kevin Dangoor
f3ff3564fa Update dist 2025-05-06 12:26:28 -04:00
Kevin Dangoor
c7565d44ec Fix tests and respond to review feedback 2025-05-06 12:25:30 -04:00
Kevin Dangoor
82299c3bbe Replace OTHER with a LicenseRef 
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
 2025-05-06 11:22:50 -04:00
Kevin Dangoor
2013ccccfe Update type definition for spdx-satisfies 
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
 2025-05-06 11:02:54 -04:00
Kevin Dangoor
3a2b68706a Handle complex licenses (e.g. X AND Y) 
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
 2025-05-05 19:06:50 -04:00
Kevin Dangoor
a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support" 
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
 2025-05-05 18:43:46 -04:00
Ashely Tenesaca
5a5d4df8ad Merge pull request #916 from jebeaudet/spdx-support 
Support SPDX expressions with operators in allow/deny license lists
 2025-04-15 11:33:49 -04:00