668 Commits

Author SHA1 Message Date
Eric Sorenson d02fa39f79 Updates for release 4.9.0
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files

Closes #1062 #1063 #1028 #972 #971 #970
2026-03-02 16:15:13 -08:00
Chad Bentz e404798400 Merge upstream actions/dependency-review-action main
Syncs fork with upstream, resolving conflicts in package.json
(keeping semver + upgrading spdx-expression-parse to ^4.0.0),
regenerating package-lock.json and dist/ folder.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-27 14:04:27 -05:00
Eric Sorenson 58be34364d Updating package versions for 4.8.3 2026-02-18 21:45:59 -08:00
dependabot[bot] 8b766562f0 Bump spdx-expression-parse in the spdx-licenses group across 1 directory
Bumps the spdx-licenses group with 1 update in the / directory: [spdx-expression-parse](https://github.com/jslicense/spdx-expression-parse.js).


Updates `spdx-expression-parse` from 3.0.1 to 4.0.0
- [Commits](https://github.com/jslicense/spdx-expression-parse.js/compare/v3.0.1...v4.0.0)

---
updated-dependencies:
- dependency-name: spdx-expression-parse
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: spdx-licenses
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-19 05:22:14 +00:00
Copilot ee66ea100d Implement review fixes: semver library, scoping, case-insensitive matching, error logging, and configurable fail behavior (#7)
* Initial plan

* Implement PR review comment fixes: semver library, error handling, case-insensitive matching, and rows scoping

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix formatting and rebuild dist folder

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix fail-closed logic and remove redundant @types/semver

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Apply review feedback: fix empty range handling, add trimming, implement range check caching

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Apply review feedback: align fail-closed behavior for empty version, fix TypeScript typing, normalize cache keys

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix linter errors, optimize cache keys, and improve trimming logic

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Add fail-open option for patch selection and optimize with preTrimmed flag

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Enforce fail-closed with explicit validation, fix debug messages, normalize cache keys

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix unreachable ternary in debug message and eliminate duplicate trim operation

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Normalize eco comparison and add preNormalized option to avoid duplicate range conversion

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Remove unnecessary cache, fix function signature, and correct semver comment

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Make includePrerelease conditional based on version type to preserve range semantics

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Improve debug message to report both invalid version and range when applicable

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Convert to JSDoc, add explicit type annotation, and remove redundant initializer

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-08 16:05:04 -05:00
ahmed3lmallah d45151f498 Addressing vulnerabilities 2026-01-05 15:39:34 -08:00
dependabot[bot] 14edcb1b2a Bump js-yaml
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.14.2 and updates ancestor dependency . These dependencies need to be updated together.


Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-17 22:03:38 +00:00
Kevin Dangoor 70cb25ec56 4.8.2 release 2025-11-10 14:44:24 -05:00
Dan Hardej 5fd2f98b4f Bump @types/jest to version 29.5.14 2025-11-07 12:39:28 +08:00
Eric Sorenson 45529485b5 Bump version for 4.8.1 release 2025-10-10 12:55:32 -07:00
Barry Gordon 1688b745f3 Bump to a 4.8.0 2025-09-26 15:45:28 +01:00
Barry Gordon eacde7836e Update version 2025-09-26 14:42:22 +01:00
Matt Mencel e0cedc52dc feat: add large summary handling with artifact upload
When the dependency review summary exceeds GitHub's size limit (1024k), upload it as an artifact and provide a link in the comment. This ensures users can still access the full review details even when the summary is too large to display directly.
2025-09-26 12:55:14 +01:00
Claire Song 595b5aeba7 Update package version (#975) 2025-08-26 13:00:34 -07:00
Claire Song bc41886e18 Cut 4.7.2 version release (#964)
* Cut 4.7.2 version release

* Bump dependency minor versions
2025-08-18 11:17:54 -07:00
dependabot[bot] fac3d41a58 Bump the minor-updates group across 1 directory with 5 updates (#956)
Bumps the minor-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)

Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.0...v2.8.1)

Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.1...v5.5.4)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-18 10:31:31 -07:00
Claire Song e85d57a50e Remove test code 2025-08-15 16:15:02 +00:00
Claire Song 3eb62794c5 Re-add test package. Only show warning in summary if option is used. Update copy. 2025-08-15 15:49:35 +00:00
Claire Song 493bee0560 Remove test package 2025-08-14 17:46:53 +00:00
Claire Song 9ca24b6906 Add new package 2025-08-13 21:22:20 +00:00
dependabot[bot] 87052cdc7b Bump the minor-updates group across 1 directory with 10 updates
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |



Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-22 13:56:08 +00:00
Kevin Dangoor 9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor 0e9e935cc8 Version 4.7.0 release
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor 2013ccccfe Update type definition for spdx-satisfies
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor 3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Barry Gordon 479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Roman Iakovlev d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
Roman Iakovlev cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Ahmed ElMallah ef281d4e24 Updating multiple dependency versions 2025-01-23 21:07:39 +00:00
Ahmed ElMallah eee97d8b03 incrementing project version 2024-11-20 21:41:43 +00:00
Ahmed ElMallah 9192be9c72 Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538
Overriding the cross-spawn dependency to use a safe version
2024-11-19 14:42:32 -08:00
Ahmed ElMallah 2fc8e23b12 Using cross-spawn safe version 2024-11-19 22:26:34 +00:00
Ahmed ElMallah b02ea3a88b Merge pull request #849 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.3
Bump @vercel/ncc from 0.38.1 to 0.38.3
2024-11-18 15:14:46 -08:00
dependabot[bot] 591cbf9044 Bump @vercel/ncc from 0.38.1 to 0.38.3
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.1...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 01:28:26 +00:00
dependabot[bot] c0a5e20c51 Bump nodemon from 3.1.0 to 3.1.7
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.0 to 3.1.7.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.0...v3.1.7)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-04 01:59:13 +00:00
dependabot[bot] d8ae44e2a0 Bump got from 14.4.2 to 14.4.3
Bumps [got](https://github.com/sindresorhus/got) from 14.4.2 to 14.4.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.2...v14.4.3)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 01:10:40 +00:00
ahmed3lmallah d92f08b3ff Bump eslint-plugin-jest and ts-jest 2024-10-21 15:16:32 -07:00
dependabot[bot] fe833075f3 Bump got from 14.4.1 to 14.4.2
Bumps [got](https://github.com/sindresorhus/got) from 14.4.1 to 14.4.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.1...v14.4.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-26 01:38:54 +00:00
Justin Holguín d9ab9c8c45 Update version in package.json 2024-07-11 18:57:29 +00:00
dependabot[bot] 08b5bf2921 Bump zod from 3.22.4 to 3.23.8
Bumps [zod](https://github.com/colinhacks/zod) from 3.22.4 to 3.23.8.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.22.4...v3.23.8)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-07-10 17:43:18 +00:00
Justin Holguín 986fce9040 Merge pull request #784 from actions/dependabot/npm_and_yarn/got-14.4.1
Bump got from 14.2.0 to 14.4.1
2024-07-10 10:41:24 -07:00
Eli Reisman bc5b235cf6 move jest to dev dependencies 2024-06-10 09:51:00 -07:00
Eli Reisman 154c1500f3 add @onebeyond/spdx-license-satisfies to DR Action project 2024-06-10 09:51:00 -07:00
dependabot[bot] 2115d9eeea Bump got from 14.2.0 to 14.4.1
Bumps [got](https://github.com/sindresorhus/got) from 14.2.0 to 14.4.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.2.0...v14.4.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-10 01:18:26 +00:00
Eli Reisman 137d8b42ce bump to version v4.3.3 2024-06-05 10:26:55 -07:00
Justin Holguín d0d5cc3ec4 Update version number to 4.3.2 2024-04-30 16:30:51 +00:00
Justin Holguín 9b7c72ddcd Change version to 4.3.1 2024-04-29 17:45:21 +00:00
Justin Holguín 640617990f Replace packageurl-js with our own implementation 2024-04-27 21:26:06 +00:00
Justin Holguín 95b6fa4e6b Update version to 4.3.0 2024-04-25 22:41:44 +00:00
Justin Holguín f456418f6a Merge pull request #737 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.10.2
Bump eslint-plugin-github from 4.10.1 to 4.10.2
2024-04-24 14:59:31 -07:00