1808 Commits

Author SHA1 Message Date
Kevin Dangoor 38ecb5b593 Merge pull request #929 from actions/dangoor/4.7-release
Version 4.7.0 release
v4.7.0
2025-05-08 14:14:35 -04:00
Kevin Dangoor 0e9e935cc8 Version 4.7.0 release
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor 69d2faa365 Merge pull request #926 from dangoor/dangoor/replace-other
Replace OTHER with a LicenseRef
2025-05-07 13:25:04 -04:00
Kevin Dangoor 7e14978e0e Merge branch 'actions:main' into dangoor/replace-other 2025-05-07 13:08:00 -04:00
Kevin Dangoor 8477905b0e Merge pull request #927 from dangoor/dangoor/multilicense
Handle complex licenses (e.g. X AND Y)
2025-05-07 13:06:06 -04:00
Kevin Dangoor f3ff3564fa Update dist 2025-05-06 12:26:28 -04:00
Kevin Dangoor c7565d44ec Fix tests and respond to review feedback 2025-05-06 12:25:30 -04:00
Kevin Dangoor 82299c3bbe Replace OTHER with a LicenseRef
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
2025-05-06 11:22:50 -04:00
Kevin Dangoor 2013ccccfe Update type definition for spdx-satisfies
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor 3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Kevin Dangoor a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support"
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
2025-05-05 18:43:46 -04:00
Ashely Tenesaca 5a5d4df8ad Merge pull request #916 from jebeaudet/spdx-support
Support SPDX expressions with operators in allow/deny license lists
2025-04-15 11:33:49 -04:00
Jacques-Etienne Beaudet 4eb8182aba Support SPDX expressions in allow/deny lists
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.

Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.

The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.

This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Barry Gordon 67d4f4bd7a Merge pull request #911 from actions/brrygrdn/handle-spdx-updates-as-priority
Handle any SPDX dependencies as a priority Dependabot PR
2025-04-04 13:00:44 +01:00
Barry Gordon d2e453a37e Handle any SPDX dependencies as a priority PR 2025-04-01 13:52:16 +01:00
Barry Gordon ce3cf9537a Merge pull request #910 from actions/brrygrdn/4.6.0-release-candidate
Prepare 4.6.0 Release candidate
v4.6.0
2025-04-01 12:33:27 +01:00
Barry Gordon 479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Barry Gordon aee95908ea Merge pull request #902 from Pantelis-Santorinios/patch-1
Clarify comment-summary-in-pr behaviour
2025-04-01 11:40:30 +01:00
Barry Gordon 080ada6281 Merge pull request #883 from fabasoad/fix/ci
Improve usage of this action in dependency-review.yml
2025-04-01 11:36:38 +01:00
Barry Gordon 430e5f0bbf Merge pull request #884 from fabasoad/fix/863
To not print OpenSSF Scorecard section if no dependencies scanned
2025-04-01 11:35:58 +01:00
Barry Gordon 51699b6461 Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev ac9b193beb Merge pull request #899 from actions/dependabot/npm_and_yarn/octokit/plugin-paginate-rest-9.2.2
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
2025-03-13 15:37:55 +01:00
Roman Iakovlev d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
Roman Iakovlev c8dafca32b Add dist for @octokit/plugin-paginate-rest version bump 2025-03-12 16:55:30 +00:00
dependabot[bot] bc858b5649 Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 16:53:26 +00:00
Roman Iakovlev cd1541ea8d Merge pull request #905 from actions/dependabot/npm_and_yarn/babel/helpers-7.26.10
Bump @babel/helpers from 7.23.2 to 7.26.10
2025-03-12 15:43:04 +01:00
dependabot[bot] 7bce095f93 Bump @babel/helpers from 7.23.2 to 7.26.10
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)

---
updated-dependencies:
- dependency-name: "@babel/helpers"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 11:42:46 +00:00
Roman Iakovlev 195b0c2e88 Merge pull request #904 from actions/roman/upd
Bump octokit and related dependencies
2025-03-12 12:41:41 +01:00
Roman Iakovlev cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Lewis Jones 0e562a634b Merge pull request #900 from actions/dependabot/npm_and_yarn/esbuild-0.25.0
Bump esbuild from 0.19.5 to 0.25.0
2025-03-07 11:49:50 +00:00
Pantelis 3d00aed36d Update README.md 2025-03-06 14:43:51 +01:00
dependabot[bot] 2c5ec1eea8 Bump esbuild from 0.19.5 to 0.25.0
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 20:54:18 +00:00
Eric Sorenson bf0431a342 Merge pull request #893 from omahs/patch-1
Fix typos
2025-02-07 14:27:22 -08:00
omahs c26b132baa fix typos 2025-02-07 13:22:20 +01:00
omahs 3ffdd4d73e fix typos 2025-02-07 13:20:46 +01:00
Ashely Tenesaca ea2cae5127 Merge pull request #888 from ellenfieldn/allow-deny-package-removal
Allow deny package removal
2025-02-06 17:18:15 -05:00
Nathan Ellenfield dfe560420d fix formatting and dist 2025-02-05 15:50:50 -05:00
Nathan Ellenfield e4033dcc29 Merge remote-tracking branch 'origin/main' into allow-deny-package-removal 2025-02-04 13:33:03 -05:00
Ashely Tenesaca 92129e58e4 Merge pull request #891 from actions/ashelytc/server-url-fix
DR Action should link to the proxima stamp when appropriate in error messages
2025-02-03 14:46:11 -05:00
Ashely Tenesaca bf9bc3f2a6 generate dist code 2025-02-03 17:25:46 +00:00
Ashely Tenesaca d703cf58c3 replace server url with variable 2025-02-03 15:57:21 +00:00
Nathan Ellenfield c80eb9894b fixit 2025-01-27 16:01:10 -05:00
Nathan Ellenfield 5e7a6ffc7d fix: Allow removal denied packages 2025-01-27 16:00:09 -05:00
fabasoad c665328b35 Make 'None' to be a text instead of list 2025-01-26 22:36:42 +09:00
fabasoad 5370d75f36 To not print OpenSSF Scorecard section if no dependencies scanned 2025-01-25 23:28:54 +09:00
fabasoad 7f3cd87ec0 Fix usage of this action in dependency-review.yml 2025-01-25 23:11:35 +09:00
Ahmed ElMallah 67ca5cc413 Merge pull request #877 from actions/dependabot/npm_and_yarn/undici-5.28.5
Bump undici from 5.28.4 to 5.28.5
2025-01-24 12:04:24 -08:00
Ahmed ElMallah 8992b0e1c7 updating dist code 2025-01-24 20:01:21 +00:00
Ahmed ElMallah 5e9a56c6de Merge pull request #878 from actions/dependabot/github_actions/actions/stale-9.1.0
Bump actions/stale from 9.0.0 to 9.1.0
2025-01-24 11:58:00 -08:00
dependabot[bot] 9cd1f01f7f Bump actions/stale from 9.0.0 to 9.1.0
Bumps [actions/stale](https://github.com/actions/stale) from 9.0.0 to 9.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v9.0.0...v9.1.0)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 19:52:48 +00:00