Eric Sorenson
2031cfc080
Merge pull request #1064 from actions/ahpook/release-4.9.0
...
Updates for release 4.9.0
v4.9.0
2026-03-03 14:08:16 -08:00
Eric Sorenson
d02fa39f79
Updates for release 4.9.0
...
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files
Closes #1062 #1063 #1028 #972 #971 #970
2026-03-02 16:15:13 -08:00
Eric Sorenson
4038a34c4b
Merge pull request #1021 from actions/dependabot/github_actions/actions/checkout-6
...
Bump actions/checkout from 4 to 6
2026-03-02 16:00:21 -08:00
Eric Sorenson
a632b8386b
Merge pull request #1058 from actions/dependabot/github_actions/actions/stale-10.2.0
...
Bump actions/stale from 10.1.0 to 10.2.0
2026-03-02 15:59:31 -08:00
Eric Sorenson
57a3d46a7b
Merge pull request #1060 from jantiebot/main
...
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
2026-02-27 15:05:18 -08:00
Eric Sorenson
5ecdc4b578
Merge pull request #1045 from forks-felickz/main
...
Feat: Add `Patched Version` to `Vulnerabilities` summary
2026-02-27 15:03:52 -08:00
Chad Bentz
e8c2f9a12c
fix: remove inferrable type annotation to pass eslint
2026-02-27 22:58:04 +00:00
Chad Bentz
0e129e113c
Prettier - Refactor summary table rendering for improved readability
2026-02-27 22:30:03 +00:00
Chad Bentz
aa60746a92
Add 'show-patched-versions' option to configuration and update summary handling
...
- Introduced 'show-patched-versions' input in action.yml to control visibility of patched versions in vulnerability summaries.
- Updated default configuration and related functions to handle the new option.
- Enhanced tests to verify behavior with and without the patched version column.
2026-02-27 14:58:54 -05:00
Chad Bentz
e404798400
Merge upstream actions/dependency-review-action main
...
Syncs fork with upstream, resolving conflicts in package.json
(keeping semver + upgrading spdx-expression-parse to ^4.0.0),
regenerating package-lock.json and dist/ folder.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com >
2026-02-27 14:04:27 -05:00
jantiebot
24398f008e
chore: revert dist changes
2026-02-27 12:41:22 +01:00
jantiebot
7863651912
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
2026-02-26 18:16:44 +01:00
dependabot[bot]
17d14c08d9
Bump actions/stale from 10.1.0 to 10.2.0
...
Bumps [actions/stale](https://github.com/actions/stale ) from 10.1.0 to 10.2.0.
- [Release notes](https://github.com/actions/stale/releases )
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/stale/compare/v10.1.0...v10.2.0 )
---
updated-dependencies:
- dependency-name: actions/stale
dependency-version: 10.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-02-23 01:42:33 +00:00
Justin Holguín
dea54b4342
Merge pull request #1057 from actions/juxtin/case-sensitivity
...
Make purl comparisons case insensitive
2026-02-20 14:09:58 -08:00
Justin Holguín
8cf743c0ea
Make purl comparisons case insensitive
2026-02-20 22:01:04 +00:00
Justin Holguín
b49f407d39
Merge pull request #1056 from actions/juxtin/fix-exclusion-match
...
Compare normalized purls to account for encoding quirks
2026-02-20 10:27:39 -08:00
Justin Holguín
f68b94a696
Merge remote-tracking branch 'origin/main' into juxtin/fix-exclusion-match
2026-02-20 16:33:25 +00:00
Eric Sorenson
05fe457637
Merge pull request #1054 from actions/ahpook/release-4.8.3
...
Changes for Release 4.8.3
v4.8.3
2026-02-19 17:25:10 -08:00
Justin Holguín
2ced98cbe8
Compare normalized purls to account for encoding quirks
2026-02-20 00:02:42 +00:00
Eric Sorenson
3a8496cb71
Update generated package files for v4.8.3
2026-02-18 21:56:46 -08:00
Eric Sorenson
0f22a01592
Update CONTRIBUTING for new release process
...
Fixes some newline damage, grammatical errors, and includes new instructions for pushing a major version branch instead of force-pushing a tag.
2026-02-18 21:54:45 -08:00
Eric Sorenson
58be34364d
Updating package versions for 4.8.3
2026-02-18 21:45:59 -08:00
Eric Sorenson
9284e0c621
Merge pull request #931 from actions/dependabot/npm_and_yarn/spdx-licenses-208b55449f
...
Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory
2026-02-18 21:31:42 -08:00
dependabot[bot]
8b766562f0
Bump spdx-expression-parse in the spdx-licenses group across 1 directory
...
Bumps the spdx-licenses group with 1 update in the / directory: [spdx-expression-parse](https://github.com/jslicense/spdx-expression-parse.js ).
Updates `spdx-expression-parse` from 3.0.1 to 4.0.0
- [Commits](https://github.com/jslicense/spdx-expression-parse.js/compare/v3.0.1...v4.0.0 )
---
updated-dependencies:
- dependency-name: spdx-expression-parse
dependency-version: 4.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: spdx-licenses
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-02-19 05:22:14 +00:00
Eric Sorenson
43f5f029f5
Merge pull request #1052 from actions/juxtin/fix-long-summaries
...
Properly truncate long summaries and catch errors
2026-02-18 21:18:45 -08:00
Eric Sorenson
f0033fc4d6
Merge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.6
...
Bump fast-xml-parser from 5.3.5 to 5.3.6
2026-02-18 08:49:06 -08:00
Copilot
a6c34d8785
Address review feedback: deterministic tests, cached normalization, simplified promisePool ( #9 )
...
* Initial plan
* Apply PR review comments: deterministic delays, cached normalization, simplified promisePool
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Improve comment clarity for ecoLower field
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
2026-02-18 06:33:39 -05:00
dependabot[bot]
b379e2e05f
Bump fast-xml-parser from 5.3.5 to 5.3.6
...
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser ) from 5.3.5 to 5.3.6.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases )
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md )
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.5...v5.3.6 )
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.6
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-02-18 05:07:50 +00:00
Justin Holguín
2e1cf54a50
Properly truncate long summaries and catch errors
2026-02-17 22:46:59 +00:00
Lewis Jones
68e9887ce6
Merge pull request #1050 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.5
...
Bump fast-xml-parser from 5.3.3 to 5.3.5
2026-02-17 15:10:48 +00:00
dependabot[bot]
a7c7f3b9b1
Bump fast-xml-parser from 5.3.3 to 5.3.5
...
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser ) from 5.3.3 to 5.3.5.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases )
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md )
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.3...v5.3.5 )
---
updated-dependencies:
- dependency-name: fast-xml-parser
dependency-version: 5.3.5
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-02-11 19:21:05 +00:00
Copilot
539c79be65
Implement review feedback: concurrency limiting, semver coercion, logging improvements, and test coverage ( #8 )
...
* Initial plan
* Implement PR review comments: concurrency limiting, semver coerce, improved logging, test fixes
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix promise pool race condition and remove .then() usage
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Add tests for semver coercion and promise pool concurrency, simplify Map to Set
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
2026-02-09 14:28:09 -05:00
Copilot
ee66ea100d
Implement review fixes: semver library, scoping, case-insensitive matching, error logging, and configurable fail behavior ( #7 )
...
* Initial plan
* Implement PR review comment fixes: semver library, error handling, case-insensitive matching, and rows scoping
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix formatting and rebuild dist folder
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix fail-closed logic and remove redundant @types/semver
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Apply review feedback: fix empty range handling, add trimming, implement range check caching
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Apply review feedback: align fail-closed behavior for empty version, fix TypeScript typing, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix linter errors, optimize cache keys, and improve trimming logic
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Add fail-open option for patch selection and optimize with preTrimmed flag
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Enforce fail-closed with explicit validation, fix debug messages, normalize cache keys
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix unreachable ternary in debug message and eliminate duplicate trim operation
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Normalize eco comparison and add preNormalized option to avoid duplicate range conversion
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Remove unnecessary cache, fix function signature, and correct semver comment
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Make includePrerelease conditional based on version type to preserve range semantics
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Improve debug message to report both invalid version and range when applicable
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Convert to JSDoc, add explicit type annotation, and remove redundant initializer
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
2026-02-08 16:05:04 -05:00
Copilot
2af9bac14d
Add patched version column to vulnerability summary with multi-range support ( #5 )
...
* Initial plan
* Initial plan for adding patched versions to vulnerability summary
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Add patched version column to vulnerability summary table
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Optimize API calls to use Set and Promise.all for better performance
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Remove type assertions and optimize ecosystem lookups with normalization
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Extract patch version type checking into helper function for clarity
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Support multiple version ranges per package in advisory lookup
Handle scenarios where the same package has multiple vulnerable version ranges
with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages).
- Store all vulnerability entries with version ranges, not just one per ecosystem
- Implement version range matching to select correct patch version
- Match package by ecosystem, name, AND version range
- Add comprehensive test for multi-range scenario
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Fix first_patched_version extraction to handle string format
The GitHub Advisory API returns first_patched_version as a simple string
(e.g., "112.0.0"), not an object with an identifier field. Updated
extractPatchVersionId to handle string format primarily while maintaining
backward compatibility with object format.
- Fixed extractPatchVersionId to check for string first
- Updated test mocks to match actual API response format
- Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case
- Verified with actual API responses from multiple advisories
Fixes issue where patched versions were showing as "N/A" instead of
the actual version number.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Rebuild dist with patched version fix
The previous fix to extractPatchVersionId wasn't deployed because the dist/
folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages
the action with npm run build && npm run package to include the fix.
Changes in dist/:
- Updated extractPatchVersionId to handle string format first
- Includes all async vulnerability summary logic with API calls
- Properly extracts patched versions from GitHub Advisory API
This should resolve the issue where patched versions showed as "N/A" in
actual GitHub Actions runs.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
* Add comprehensive debug logging for patch version lookup
Added detailed debug logging to help troubleshoot patch version issues:
- Log when fetching advisory data from API
- Log number of vulnerability entries found
- Log each patch info entry added with details
- Log when no patch version is found
- Log during lookup phase with package details
- Log when patch version is found vs not found
- Log available entries when no match is found
This will make it much easier to diagnose issues in GitHub Actions debug mode.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com >
2026-02-06 18:12:20 -05:00
Ahmed ElMallah
98884d411b
Merge pull request #1036 from actions/ae/vuln-fixes
...
Addressing vulnerabilities
2026-01-06 08:12:33 -08:00
ahmed3lmallah
76bfce5cd7
optimize import
2026-01-05 15:50:21 -08:00
ahmed3lmallah
d45151f498
Addressing vulnerabilities
2026-01-05 15:39:34 -08:00
Barry Gordon
774d14bf50
Merge pull request #1020 from actions/dependabot/npm_and_yarn/multi-75e6bc5210
...
Bump js-yaml
2025-11-28 12:56:19 +00:00
Barry Gordon
20b998d4e2
Merge pull request #1024 from actions/brrygrdn/update-glob
...
Upgrade glob to address a vulnerability
2025-11-28 11:46:08 +00:00
Barry Gordon
ad048f729f
Upgrade glob to a fixed version
2025-11-27 18:26:19 +00:00
dependabot[bot]
1d60e0d095
Bump actions/checkout from 4 to 6
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-27 18:20:43 +00:00
Barry Gordon
35ccfd2548
Merge pull request #1005 from actions/dependabot/github_actions/actions/setup-node-6
...
Bump actions/setup-node from 4 to 6
2025-11-27 18:19:46 +00:00
Barry Gordon
a2014a181b
Merge pull request #1003 from actions/dependabot/github_actions/github/codeql-action-4
...
Bump github/codeql-action from 3 to 4
2025-11-27 18:19:21 +00:00
Barry Gordon
1a0268586f
Merge pull request #995 from actions/dependabot/github_actions/actions/stale-10.1.0
...
Bump actions/stale from 9.1.0 to 10.1.0
2025-11-27 18:18:38 +00:00
dependabot[bot]
14edcb1b2a
Bump js-yaml
...
Bumps [js-yaml](https://github.com/nodeca/js-yaml ) to 3.14.2 and updates ancestor dependency . These dependencies need to be updated together.
Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2 )
Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2 )
---
updated-dependencies:
- dependency-name: js-yaml
dependency-version: 3.14.2
dependency-type: indirect
- dependency-name: js-yaml
dependency-version: 4.1.1
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-17 22:03:38 +00:00
dependabot[bot]
805c0b2856
Bump actions/setup-node from 4 to 6
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-11 00:20:49 +00:00
Kevin Dangoor
125b995082
Merge pull request #1017 from actions/remove-non-working-workflow
...
GitHub Actions can't push to our protected main
2025-11-10 19:16:56 -05:00
Kevin Dangoor
289863a7c4
GitHub Actions can't push to our protected main
...
Our main branch is protected, which means that our Actions workflow
cannot push changes directly to main. This removes the non-functional
workflow.
2025-11-10 17:46:39 -05:00
Kevin Dangoor
3c4e3dcb1a
Merge pull request #1016 from actions/dra-release
...
4.8.2 release
v4.8.2
2025-11-10 17:45:29 -05:00
Kevin Dangoor
02930b2072
Update CONTRIBUTING to reflect new guidelines
...
External contributors should not build the project and commit
the build output any more.
2025-11-10 17:35:58 -05:00