Kevin Dangoor
38ecb5b593
Merge pull request #929 from actions/dangoor/4.7-release
...
Version 4.7.0 release
v4.7.0
2025-05-08 14:14:35 -04:00
Kevin Dangoor
0e9e935cc8
Version 4.7.0 release
...
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor
69d2faa365
Merge pull request #926 from dangoor/dangoor/replace-other
...
Replace OTHER with a LicenseRef
2025-05-07 13:25:04 -04:00
Kevin Dangoor
7e14978e0e
Merge branch 'actions:main' into dangoor/replace-other
2025-05-07 13:08:00 -04:00
Kevin Dangoor
8477905b0e
Merge pull request #927 from dangoor/dangoor/multilicense
...
Handle complex licenses (e.g. X AND Y)
2025-05-07 13:06:06 -04:00
Kevin Dangoor
f3ff3564fa
Update dist
2025-05-06 12:26:28 -04:00
Kevin Dangoor
c7565d44ec
Fix tests and respond to review feedback
2025-05-06 12:25:30 -04:00
Kevin Dangoor
82299c3bbe
Replace OTHER with a LicenseRef
...
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
2025-05-06 11:22:50 -04:00
Kevin Dangoor
2013ccccfe
Update type definition for spdx-satisfies
...
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor
3a2b68706a
Handle complex licenses (e.g. X AND Y)
...
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.
The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.
To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17 ).
Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Kevin Dangoor
a87294d992
Revert "Merge pull request #916 from jebeaudet/spdx-support"
...
This reverts commit 5a5d4df8ad , reversing
changes made to 67d4f4bd7a .
2025-05-05 18:43:46 -04:00
Ashely Tenesaca
5a5d4df8ad
Merge pull request #916 from jebeaudet/spdx-support
...
Support SPDX expressions with operators in allow/deny license lists
2025-04-15 11:33:49 -04:00
Jacques-Etienne Beaudet
4eb8182aba
Support SPDX expressions in allow/deny lists
...
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.
Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.
The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.
This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Barry Gordon
67d4f4bd7a
Merge pull request #911 from actions/brrygrdn/handle-spdx-updates-as-priority
...
Handle any SPDX dependencies as a priority Dependabot PR
2025-04-04 13:00:44 +01:00
Barry Gordon
d2e453a37e
Handle any SPDX dependencies as a priority PR
2025-04-01 13:52:16 +01:00
Barry Gordon
ce3cf9537a
Merge pull request #910 from actions/brrygrdn/4.6.0-release-candidate
...
Prepare 4.6.0 Release candidate
v4.6.0
2025-04-01 12:33:27 +01:00
Barry Gordon
479b69732e
Prepare 4.6.0
2025-04-01 12:22:08 +01:00
Barry Gordon
aee95908ea
Merge pull request #902 from Pantelis-Santorinios/patch-1
...
Clarify comment-summary-in-pr behaviour
2025-04-01 11:40:30 +01:00
Barry Gordon
080ada6281
Merge pull request #883 from fabasoad/fix/ci
...
Improve usage of this action in dependency-review.yml
2025-04-01 11:36:38 +01:00
Barry Gordon
430e5f0bbf
Merge pull request #884 from fabasoad/fix/863
...
To not print OpenSSF Scorecard section if no dependencies scanned
2025-04-01 11:35:58 +01:00
Barry Gordon
51699b6461
Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
...
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev
ac9b193beb
Merge pull request #899 from actions/dependabot/npm_and_yarn/octokit/plugin-paginate-rest-9.2.2
...
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
2025-03-13 15:37:55 +01:00
Roman Iakovlev
d630451aa0
Pin @octokit/types version for compatibility
2025-03-13 14:34:23 +00:00
Roman Iakovlev
c8dafca32b
Add dist for @octokit/plugin-paginate-rest version bump
2025-03-12 16:55:30 +00:00
dependabot[bot]
bc858b5649
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
...
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js ) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases )
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2 )
---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-03-12 16:53:26 +00:00
Roman Iakovlev
cd1541ea8d
Merge pull request #905 from actions/dependabot/npm_and_yarn/babel/helpers-7.26.10
...
Bump @babel/helpers from 7.23.2 to 7.26.10
2025-03-12 15:43:04 +01:00
dependabot[bot]
7bce095f93
Bump @babel/helpers from 7.23.2 to 7.26.10
...
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers ) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers )
---
updated-dependencies:
- dependency-name: "@babel/helpers"
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-03-12 11:42:46 +00:00
Roman Iakovlev
195b0c2e88
Merge pull request #904 from actions/roman/upd
...
Bump octokit and related dependencies
2025-03-12 12:41:41 +01:00
Roman Iakovlev
cdee0bc8c3
Bump octokit and related dependencies
2025-03-12 10:57:15 +00:00
Lewis Jones
0e562a634b
Merge pull request #900 from actions/dependabot/npm_and_yarn/esbuild-0.25.0
...
Bump esbuild from 0.19.5 to 0.25.0
2025-03-07 11:49:50 +00:00
Pantelis
3d00aed36d
Update README.md
2025-03-06 14:43:51 +01:00
dependabot[bot]
2c5ec1eea8
Bump esbuild from 0.19.5 to 0.25.0
...
Bumps [esbuild](https://github.com/evanw/esbuild ) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases )
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md )
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0 )
---
updated-dependencies:
- dependency-name: esbuild
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-02-26 20:54:18 +00:00
Eric Sorenson
bf0431a342
Merge pull request #893 from omahs/patch-1
...
Fix typos
2025-02-07 14:27:22 -08:00
omahs
c26b132baa
fix typos
2025-02-07 13:22:20 +01:00
omahs
3ffdd4d73e
fix typos
2025-02-07 13:20:46 +01:00
Ashely Tenesaca
ea2cae5127
Merge pull request #888 from ellenfieldn/allow-deny-package-removal
...
Allow deny package removal
2025-02-06 17:18:15 -05:00
Nathan Ellenfield
dfe560420d
fix formatting and dist
2025-02-05 15:50:50 -05:00
Nathan Ellenfield
e4033dcc29
Merge remote-tracking branch 'origin/main' into allow-deny-package-removal
2025-02-04 13:33:03 -05:00
Ashely Tenesaca
92129e58e4
Merge pull request #891 from actions/ashelytc/server-url-fix
...
DR Action should link to the proxima stamp when appropriate in error messages
2025-02-03 14:46:11 -05:00
Ashely Tenesaca
bf9bc3f2a6
generate dist code
2025-02-03 17:25:46 +00:00
Ashely Tenesaca
d703cf58c3
replace server url with variable
2025-02-03 15:57:21 +00:00
Nathan Ellenfield
c80eb9894b
fixit
2025-01-27 16:01:10 -05:00
Nathan Ellenfield
5e7a6ffc7d
fix: Allow removal denied packages
2025-01-27 16:00:09 -05:00
fabasoad
c665328b35
Make 'None' to be a text instead of list
2025-01-26 22:36:42 +09:00
fabasoad
5370d75f36
To not print OpenSSF Scorecard section if no dependencies scanned
2025-01-25 23:28:54 +09:00
fabasoad
7f3cd87ec0
Fix usage of this action in dependency-review.yml
2025-01-25 23:11:35 +09:00
Ahmed ElMallah
67ca5cc413
Merge pull request #877 from actions/dependabot/npm_and_yarn/undici-5.28.5
...
Bump undici from 5.28.4 to 5.28.5
2025-01-24 12:04:24 -08:00
Ahmed ElMallah
8992b0e1c7
updating dist code
2025-01-24 20:01:21 +00:00
Ahmed ElMallah
5e9a56c6de
Merge pull request #878 from actions/dependabot/github_actions/actions/stale-9.1.0
...
Bump actions/stale from 9.0.0 to 9.1.0
2025-01-24 11:58:00 -08:00
dependabot[bot]
9cd1f01f7f
Bump actions/stale from 9.0.0 to 9.1.0
...
Bumps [actions/stale](https://github.com/actions/stale ) from 9.0.0 to 9.1.0.
- [Release notes](https://github.com/actions/stale/releases )
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/stale/compare/v9.0.0...v9.1.0 )
---
updated-dependencies:
- dependency-name: actions/stale
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-01-24 19:52:48 +00:00