Compare commits

...

69 Commits

Author SHA1 Message Date
Federico Builes 1c59cdf2a9 Fix the unknown licenses error message 2022-06-16 06:03:16 +02:00
Federico Builes 29fc7a23bd Merge pull request #117 from actions/readme-capitalisation
Fixing branding in the readme
2022-06-15 15:40:19 +02:00
Courtney Claessens 903977c63a branding! 2022-06-15 09:32:17 -04:00
Federico Builes aabd50a60d Bumping version to 2.0.1 2022-06-15 15:27:15 +02:00
Federico Builes 981c44c2a9 Merge pull request #116 from actions/unknown-licenses
Unknown licenses
2022-06-15 15:26:38 +02:00
Federico Builes c0d32934e8 Adding dist. 2022-06-15 15:25:21 +02:00
Federico Builes 963fe8045d Always print null licenses. 2022-06-15 15:22:35 +02:00
Federico Builes bf94d94f63 Remove old TODO. 2022-06-15 15:22:14 +02:00
Federico Builes 43ce5df965 Update CONTRIBUTING.md 2022-06-15 14:03:10 +02:00
Federico Builes 24bc5e9934 Updating the CONTRIBUTING.md docs. 2022-06-15 14:01:47 +02:00
Federico Builes 97790d29c7 update version in package.json 2022-06-15 11:55:10 +02:00
Federico Builes 74dbdf9819 Merge pull request #112 from actions/move-config-file
Move configuration file location
2022-06-15 11:53:18 +02:00
Federico Builes f3f3519b2a Merge branch 'main' into move-config-file 2022-06-15 06:43:18 +02:00
Federico Builes 216910dd9a Merge pull request #113 from actions/dependabot/npm_and_yarn/prettier-2.7.0
Bump prettier from 2.6.2 to 2.7.0
2022-06-15 06:42:57 +02:00
dependabot[bot] eb561ba6bd Bump prettier from 2.6.2 to 2.7.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.6.2 to 2.7.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.6.2...2.7.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 03:36:59 +00:00
Federico Builes 3f246861d8 Merge pull request #114 from actions/dependabot/npm_and_yarn/types/node-17.0.43
Bump @types/node from 17.0.42 to 17.0.43
2022-06-15 05:36:17 +02:00
Federico Builes faa63c3cba adding dist 2022-06-15 05:21:16 +02:00
Courtney Claessens dfd519642f Update schemas.ts 2022-06-14 22:37:00 -04:00
Courtney Claessens 871f4064a1 adding doc for protected branches 2022-06-14 22:32:34 -04:00
dependabot[bot] d6f6abdda3 Bump @types/node from 17.0.42 to 17.0.43
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.42 to 17.0.43.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 01:44:34 +00:00
Courtney Claessens 54764c9203 Update README.md
adding some clarity to failing on severity; naming formatting, update example for v2
2022-06-14 12:16:03 -04:00
Federico Builes c6587b663d Updating README with instructions for unknown licenses. 2022-06-14 14:11:01 +02:00
Federico Builes 42e2bc1ed2 Handle unknown licenses. 2022-06-14 13:54:27 +02:00
Federico Builes 0b87f02bee Document how we test inputs 2022-06-14 13:00:18 +02:00
Federico Builes 00be2ce1fc Typos. 2022-06-14 12:27:56 +02:00
Federico Builes 2860b57e48 Update README.md 2022-06-14 12:24:27 +02:00
Federico Builes fd6e756c7b Updating readConfig() to be more readable, get rid of typecasts.
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-06-14 11:29:13 +02:00
Federico Builes f83a407eb9 Use the correct name for allowlists. 2022-06-14 09:46:59 +02:00
Federico Builes b0e1f384d7 Linting YAML 2022-06-14 09:05:05 +02:00
Federico Builes c973154c92 Dashes instead of underscores. 2022-06-14 07:50:25 +02:00
Federico Builes 3355ec4be5 adding dist 2022-06-14 07:44:17 +02:00
Federico Builes 76ad37608d Adding more tests for the config file. 2022-06-14 07:42:51 +02:00
Federico Builes 3eff3f5918 let => const 2022-06-14 07:42:13 +02:00
Federico Builes 7278093fa0 Clarify some of the error messages. 2022-06-14 07:41:37 +02:00
Federico Builes b5b49104d4 Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00
Federico Builes e56fe29417 Remove old config file. 2022-06-14 07:38:45 +02:00
Federico Builes cc3101831d Updating dist. 2022-06-14 07:04:33 +02:00
Federico Builes ef97470a0f Don't set the defaults in the test :/ 2022-06-14 07:04:26 +02:00
Federico Builes efecf6fd09 Remove the variables from env so they don't default to empty strings. 2022-06-14 06:49:18 +02:00
Federico Builes 24d7ef3c5d Use an empty config options type. 2022-06-14 06:48:58 +02:00
Federico Builes 01fa67b82e adding dist 2022-06-14 06:26:18 +02:00
Federico Builes 1791775ce6 temp commit 2022-06-14 05:57:43 +02:00
Federico Builes 92f1ecaaea Merge pull request #106 from actions/adding-lists
Adding allow and deny lists
2022-06-14 04:45:37 +02:00
Federico Builes 47d4ff9127 Merge pull request #111 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.28.0
Bump @typescript-eslint/parser from 5.27.1 to 5.28.0
2022-06-14 04:45:19 +02:00
dependabot[bot] 9c5310eee9 Bump @typescript-eslint/parser from 5.27.1 to 5.28.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.27.1 to 5.28.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.28.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-14 02:44:10 +00:00
Federico Builes d616ba30f2 Merge pull request #110 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.28.0
Bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.28.0
2022-06-14 04:43:24 +02:00
dependabot[bot] 7181a20a1f Bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.28.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.27.1 to 5.28.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.28.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-14 01:45:00 +00:00
Federico Builes eebebcdc2a Use real PURLs in tests 2022-06-13 20:19:01 +02:00
Federico Builes 571f236610 Improved wording on license messages. 2022-06-13 20:08:16 +02:00
Federico Builes fe78920139 Document unwanted behavior for a future refactoring. 2022-06-13 20:04:39 +02:00
Federico Builes bd115a9b66 Merge pull request #108 from actions/dependabot/npm_and_yarn/types/node-17.0.42
Bump @types/node from 17.0.40 to 17.0.42
2022-06-13 11:36:18 +02:00
dependabot[bot] 72a5a0f647 Bump @types/node from 17.0.40 to 17.0.42
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.40 to 17.0.42.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-13 01:44:57 +00:00
Federico Builes 21412fec7b fixing dist check 2022-06-09 10:46:00 +02:00
Federico Builes 0777fbe61e Updating dist. 2022-06-09 10:42:56 +02:00
Federico Builes cc22dcd654 Use undefined instead of null when dealing with lists. 2022-06-09 10:42:31 +02:00
Federico Builes 6b5518a9ed Adding more docs to licenses.ts 2022-06-09 10:33:05 +02:00
Federico Builes 20cca5c0c4 The default settings should not use []. 2022-06-08 18:28:10 +02:00
Federico Builes a51db20961 Use null for unspecified values when filtering licenses. 2022-06-08 18:21:28 +02:00
Federico Builes a7d02aef82 adding dist 2022-06-08 17:47:06 +02:00
Federico Builes 4ac3d318ab Refactoring on PR feedback. 2022-06-08 17:45:42 +02:00
Federico Builes 25271922eb Clarify variable names. 2022-06-08 15:53:14 +02:00
Federico Builes 4474253eb8 Merge branch 'main' into adding-lists 2022-06-07 06:23:53 +02:00
Federico Builes 56e63b1bc5 adding dist 2022-06-06 20:32:46 +02:00
Federico Builes 2ae9a2d51b Add logic for denied licenses. 2022-06-06 20:32:46 +02:00
Federico Builes 1261e18905 Clarify license tests. 2022-06-06 20:32:46 +02:00
Federico Builes dc7b0a2788 Show an error when disallowed dependencies show up. 2022-06-06 20:32:46 +02:00
Federico Builes 06297bf229 Fixing failing tests 2022-06-06 20:32:46 +02:00
Federico Builes bccacf9708 Skeleton for license validation. 2022-06-06 20:32:46 +02:00
Federico Builes 8c646c1c91 Get rid of redundant variables. 2022-06-06 20:32:46 +02:00
19 changed files with 605 additions and 8508 deletions
-8
View File
@@ -1,8 +0,0 @@
fail_on_severity: low
allow_licenses:
- 'GPL 3.0'
- 'BSD 3 Clause'
- 'MIT'
#deny_licenses:
# - "LGPL 2.0"
# - "BSD 2 Clause"
+13
View File
@@ -0,0 +1,13 @@
{
"version": "0.1.0",
"configurations": [
{
"name": "Debug Jest Tests",
"type": "node",
"request": "launch",
"runtimeArgs": ["--inspect-brk", "${workspaceRoot}/node_modules/.bin/jest", "--runInBand", "--coverage", "false"],
"console": "integratedTerminal",
"internalConsoleOptions": "neverOpen"
}
]
}
+33
View File
@@ -73,6 +73,39 @@ Here are a few things you can do that will increase the likelihood of your pull
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
2. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
You now have a tag and release using the semver version you used
above. The last remaining thing to do is to move the dynamic version
identifier to match the current SHA. This allows users to adopt a
major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
To do this just force-create a new annotated tag and push it:
```
git tag -fa v1 -m "Updating v1 tag"
git push origin v1 --force
```
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+93 -4
View File
@@ -2,7 +2,7 @@
This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
@@ -25,10 +25,99 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
uses: actions/dependency-review-action@v2
```
Please keep in mind that you need a GitHub Advanced Security license if you're running this Action on private repos.
Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
## Configuration
You can pass additional options to the Dependency Review
Action using your workflow file. Here's an example workflow with
all the possible configurations:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
By default the action will fail on any pull request that contains a
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
action defaults to `low`.
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
```
**Important**
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Getting help
@@ -37,7 +126,7 @@ issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
We are grateful for any contributions made to this project.
We are grateful for any contributions made to this project.
Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
+45 -10
View File
@@ -1,18 +1,53 @@
import {expect, test} from '@jest/globals'
import {readConfigFile} from '../src/config'
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
test('reads the config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
function setInput(input: string, value: string) {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
function clearInputs() {
delete process.env['INPUT_FAIL-ON-SEVERITY']
delete process.env['INPUT_ALLOW-LICENSES']
delete process.env['INPUT_DENY-LICENSES']
}
beforeEach(() => {
clearInputs()
})
test('it defaults to low severity', async () => {
const options = readConfig()
expect(options.fail_on_severity).toEqual('low')
})
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('the default config path handles .yml and .yaml', async () => {
expect(true).toEqual(true)
test('it defaults to empty allow/deny lists ', async () => {
const options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
})
test('returns a default config when the config file was not found', async () => {
let options = readConfigFile('fixtures/i-dont-exist')
expect(options.fail_on_severity).toEqual('low')
expect(options.allow_licenses).toEqual([])
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
expect(() => readConfig()).toThrow()
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
expect(() => readConfig()).toThrow()
})
+2 -2
View File
@@ -8,7 +8,7 @@ let npmChange: Change = {
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'somepurl',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
@@ -27,7 +27,7 @@ let rubyChange: Change = {
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'somerubypurl',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
@@ -0,0 +1,2 @@
allow_licenses: []
deny_licenses: []
@@ -0,0 +1 @@
fail_on_severity: critical
+70
View File
@@ -0,0 +1,70 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
let npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerouns',
advisory_url: 'github.com/future-funk'
}
]
}
let rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerouns',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
test('it fails if a license outside the allow list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges[0]).toBe(npmChange)
})
test('it fails if a license inside the deny list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges[0]).toBe(rubyChange)
})
// This is more of a "here's a behavior that might be surprising" than an actual
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = getDeniedLicenseChanges(changes, {
allow: [],
deny: ['BSD']
})
expect(invalidChanges.length).toBe(2)
})
+11 -1
View File
@@ -3,9 +3,19 @@ description: 'Prevent the introduction of dependencies with known vulnerabilitie
author: 'GitHub'
inputs:
repo-token:
description: 'Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.'
description: Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.
required: false
default: ${{ github.token }}
fail-on-severity:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+105 -8327
View File
File diff suppressed because it is too large Load Diff
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
-17
View File
@@ -684,23 +684,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yaml
ISC
Copyright Eemeli Aro <eemeli@gmail.com>
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.
zod
MIT
MIT License
+96 -96
View File
@@ -1,12 +1,12 @@
{
"name": "dependency-review-action",
"version": "0.0.1",
"version": "2.0.1",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "0.0.1",
"version": "2.0.1",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.8.2",
@@ -20,9 +20,9 @@
"zod": "^3.17.3"
},
"devDependencies": {
"@types/node": "^17.0.40",
"@typescript-eslint/eslint-plugin": "^5.27.1",
"@typescript-eslint/parser": "^5.27.1",
"@types/node": "^17.0.43",
"@typescript-eslint/eslint-plugin": "^5.28.0",
"@typescript-eslint/parser": "^5.28.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.17.0",
@@ -31,7 +31,7 @@
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.16",
"prettier": "2.6.2",
"prettier": "2.7.0",
"ts-jest": "^27.1.4",
"typescript": "^4.7.3"
}
@@ -1366,9 +1366,9 @@
}
},
"node_modules/@types/node": {
"version": "17.0.40",
"resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.40.tgz",
"integrity": "sha512-UXdBxNGqTMtm7hCwh9HtncFVLrXoqA3oJW30j6XWp5BH/wu3mVeaxo7cq5benFdBw34HB3XDT2TRPI7rXZ+mDg=="
"version": "17.0.43",
"resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.43.tgz",
"integrity": "sha512-jnUpgw8fL9kP2iszfIDyBQtw5Mf4/XSqy0Loc1J9pI14ejL83XcCEvSf50Gs/4ET0I9VCCDoOfufQysj0S66xA=="
},
"node_modules/@types/prettier": {
"version": "2.4.4",
@@ -1406,14 +1406,14 @@
"dev": true
},
"node_modules/@typescript-eslint/eslint-plugin": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.27.1.tgz",
"integrity": "sha512-6dM5NKT57ZduNnJfpY81Phe9nc9wolnMCnknb1im6brWi1RYv84nbMS3olJa27B6+irUVV1X/Wb+Am0FjJdGFw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.28.0.tgz",
"integrity": "sha512-DXVU6Cg29H2M6EybqSg2A+x8DgO9TCUBRp4QEXQHJceLS7ogVDP0g3Lkg/SZCqcvkAP/RruuQqK0gdlkgmhSUA==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/type-utils": "5.27.1",
"@typescript-eslint/utils": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/type-utils": "5.28.0",
"@typescript-eslint/utils": "5.28.0",
"debug": "^4.3.4",
"functional-red-black-tree": "^1.0.1",
"ignore": "^5.2.0",
@@ -1454,14 +1454,14 @@
}
},
"node_modules/@typescript-eslint/parser": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.27.1.tgz",
"integrity": "sha512-7Va2ZOkHi5NP+AZwb5ReLgNF6nWLGTeUJfxdkVUAPPSaAdbWNnFZzLZ4EGGmmiCTg+AwlbE1KyUYTBglosSLHQ==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.28.0.tgz",
"integrity": "sha512-ekqoNRNK1lAcKhZESN/PdpVsWbP9jtiNqzFWkp/yAUdZvJalw2heCYuqRmM5eUJSIYEkgq5sGOjq+ZqsLMjtRA==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/typescript-estree": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/typescript-estree": "5.28.0",
"debug": "^4.3.4"
},
"engines": {
@@ -1481,13 +1481,13 @@
}
},
"node_modules/@typescript-eslint/scope-manager": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.27.1.tgz",
"integrity": "sha512-fQEOSa/QroWE6fAEg+bJxtRZJTH8NTskggybogHt4H9Da8zd4cJji76gA5SBlR0MgtwF7rebxTbDKB49YUCpAg==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.28.0.tgz",
"integrity": "sha512-LeBLTqF/he1Z+boRhSqnso6YrzcKMTQ8bO/YKEe+6+O/JGof9M0g3IJlIsqfrK/6K03MlFIlycbf1uQR1IjE+w==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/visitor-keys": "5.27.1"
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/visitor-keys": "5.28.0"
},
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1498,12 +1498,12 @@
}
},
"node_modules/@typescript-eslint/type-utils": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.27.1.tgz",
"integrity": "sha512-+UC1vVUWaDHRnC2cQrCJ4QtVjpjjCgjNFpg8b03nERmkHv9JV9X5M19D7UFMd+/G7T/sgFwX2pGmWK38rqyvXw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.28.0.tgz",
"integrity": "sha512-SyKjKh4CXPglueyC6ceAFytjYWMoPHMswPQae236zqe1YbhvCVQyIawesYywGiu98L9DwrxsBN69vGIVxJ4mQQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/utils": "5.27.1",
"@typescript-eslint/utils": "5.28.0",
"debug": "^4.3.4",
"tsutils": "^3.21.0"
},
@@ -1524,9 +1524,9 @@
}
},
"node_modules/@typescript-eslint/types": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.27.1.tgz",
"integrity": "sha512-LgogNVkBhCTZU/m8XgEYIWICD6m4dmEDbKXESCbqOXfKZxRKeqpiJXQIErv66sdopRKZPo5l32ymNqibYEH/xg==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.28.0.tgz",
"integrity": "sha512-2OOm8ZTOQxqkPbf+DAo8oc16sDlVR5owgJfKheBkxBKg1vAfw2JsSofH9+16VPlN9PWtv8Wzhklkqw3k/zCVxA==",
"dev": true,
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1537,13 +1537,13 @@
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.27.1.tgz",
"integrity": "sha512-DnZvvq3TAJ5ke+hk0LklvxwYsnXpRdqUY5gaVS0D4raKtbznPz71UJGnPTHEFo0GDxqLOLdMkkmVZjSpET1hFw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.28.0.tgz",
"integrity": "sha512-9GX+GfpV+F4hdTtYc6OV9ZkyYilGXPmQpm6AThInpBmKJEyRSIjORJd1G9+bknb7OTFYL+Vd4FBJAO6T78OVqA==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/visitor-keys": "5.27.1",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/visitor-keys": "5.28.0",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -1579,15 +1579,15 @@
}
},
"node_modules/@typescript-eslint/utils": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.27.1.tgz",
"integrity": "sha512-mZ9WEn1ZLDaVrhRaYgzbkXBkTPghPFsup8zDbbsYTxC5OmqrFE7skkKS/sraVsLP3TcT3Ki5CSyEFBRkLH/H/w==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.28.0.tgz",
"integrity": "sha512-E60N5L0fjv7iPJV3UGc4EC+A3Lcj4jle9zzR0gW7vXhflO7/J29kwiTGITA2RlrmPokKiZbBy2DgaclCaEUs6g==",
"dev": true,
"dependencies": {
"@types/json-schema": "^7.0.9",
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/typescript-estree": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/typescript-estree": "5.28.0",
"eslint-scope": "^5.1.1",
"eslint-utils": "^3.0.0"
},
@@ -1603,12 +1603,12 @@
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.27.1.tgz",
"integrity": "sha512-xYs6ffo01nhdJgPieyk7HAOpjhTsx7r/oB9LWEhwAXgwn33tkr+W8DI2ChboqhZlC4q3TC6geDYPoiX8ROqyOQ==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.28.0.tgz",
"integrity": "sha512-BtfP1vCor8cWacovzzPFOoeW4kBQxzmhxGoOpt0v1SFvG+nJ0cWaVdJk7cky1ArTcFHHKNIxyo2LLr3oNkSuXA==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/types": "5.28.0",
"eslint-visitor-keys": "^3.3.0"
},
"engines": {
@@ -6153,9 +6153,9 @@
}
},
"node_modules/prettier": {
"version": "2.6.2",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.6.2.tgz",
"integrity": "sha512-PkUpF+qoXTqhOeWL9fu7As8LXsIUZ1WYaJiY/a7McAQzxjk82OF0tibkFXVCDImZtWxbvojFjerkiLb0/q8mew==",
"version": "2.7.0",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.0.tgz",
"integrity": "sha512-nwoX4GMFgxoPC6diHvSwmK/4yU8FFH3V8XWtLQrbj4IBsK2pkYhG4kf/ljF/haaZ/aii+wNJqISrCDPgxGWDVQ==",
"dev": true,
"bin": {
"prettier": "bin-prettier.js"
@@ -8555,9 +8555,9 @@
}
},
"@types/node": {
"version": "17.0.40",
"resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.40.tgz",
"integrity": "sha512-UXdBxNGqTMtm7hCwh9HtncFVLrXoqA3oJW30j6XWp5BH/wu3mVeaxo7cq5benFdBw34HB3XDT2TRPI7rXZ+mDg=="
"version": "17.0.43",
"resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.43.tgz",
"integrity": "sha512-jnUpgw8fL9kP2iszfIDyBQtw5Mf4/XSqy0Loc1J9pI14ejL83XcCEvSf50Gs/4ET0I9VCCDoOfufQysj0S66xA=="
},
"@types/prettier": {
"version": "2.4.4",
@@ -8595,14 +8595,14 @@
"dev": true
},
"@typescript-eslint/eslint-plugin": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.27.1.tgz",
"integrity": "sha512-6dM5NKT57ZduNnJfpY81Phe9nc9wolnMCnknb1im6brWi1RYv84nbMS3olJa27B6+irUVV1X/Wb+Am0FjJdGFw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.28.0.tgz",
"integrity": "sha512-DXVU6Cg29H2M6EybqSg2A+x8DgO9TCUBRp4QEXQHJceLS7ogVDP0g3Lkg/SZCqcvkAP/RruuQqK0gdlkgmhSUA==",
"dev": true,
"requires": {
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/type-utils": "5.27.1",
"@typescript-eslint/utils": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/type-utils": "5.28.0",
"@typescript-eslint/utils": "5.28.0",
"debug": "^4.3.4",
"functional-red-black-tree": "^1.0.1",
"ignore": "^5.2.0",
@@ -8623,52 +8623,52 @@
}
},
"@typescript-eslint/parser": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.27.1.tgz",
"integrity": "sha512-7Va2ZOkHi5NP+AZwb5ReLgNF6nWLGTeUJfxdkVUAPPSaAdbWNnFZzLZ4EGGmmiCTg+AwlbE1KyUYTBglosSLHQ==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.28.0.tgz",
"integrity": "sha512-ekqoNRNK1lAcKhZESN/PdpVsWbP9jtiNqzFWkp/yAUdZvJalw2heCYuqRmM5eUJSIYEkgq5sGOjq+ZqsLMjtRA==",
"dev": true,
"requires": {
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/typescript-estree": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/typescript-estree": "5.28.0",
"debug": "^4.3.4"
}
},
"@typescript-eslint/scope-manager": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.27.1.tgz",
"integrity": "sha512-fQEOSa/QroWE6fAEg+bJxtRZJTH8NTskggybogHt4H9Da8zd4cJji76gA5SBlR0MgtwF7rebxTbDKB49YUCpAg==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.28.0.tgz",
"integrity": "sha512-LeBLTqF/he1Z+boRhSqnso6YrzcKMTQ8bO/YKEe+6+O/JGof9M0g3IJlIsqfrK/6K03MlFIlycbf1uQR1IjE+w==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/visitor-keys": "5.27.1"
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/visitor-keys": "5.28.0"
}
},
"@typescript-eslint/type-utils": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.27.1.tgz",
"integrity": "sha512-+UC1vVUWaDHRnC2cQrCJ4QtVjpjjCgjNFpg8b03nERmkHv9JV9X5M19D7UFMd+/G7T/sgFwX2pGmWK38rqyvXw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.28.0.tgz",
"integrity": "sha512-SyKjKh4CXPglueyC6ceAFytjYWMoPHMswPQae236zqe1YbhvCVQyIawesYywGiu98L9DwrxsBN69vGIVxJ4mQQ==",
"dev": true,
"requires": {
"@typescript-eslint/utils": "5.27.1",
"@typescript-eslint/utils": "5.28.0",
"debug": "^4.3.4",
"tsutils": "^3.21.0"
}
},
"@typescript-eslint/types": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.27.1.tgz",
"integrity": "sha512-LgogNVkBhCTZU/m8XgEYIWICD6m4dmEDbKXESCbqOXfKZxRKeqpiJXQIErv66sdopRKZPo5l32ymNqibYEH/xg==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.28.0.tgz",
"integrity": "sha512-2OOm8ZTOQxqkPbf+DAo8oc16sDlVR5owgJfKheBkxBKg1vAfw2JsSofH9+16VPlN9PWtv8Wzhklkqw3k/zCVxA==",
"dev": true
},
"@typescript-eslint/typescript-estree": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.27.1.tgz",
"integrity": "sha512-DnZvvq3TAJ5ke+hk0LklvxwYsnXpRdqUY5gaVS0D4raKtbznPz71UJGnPTHEFo0GDxqLOLdMkkmVZjSpET1hFw==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.28.0.tgz",
"integrity": "sha512-9GX+GfpV+F4hdTtYc6OV9ZkyYilGXPmQpm6AThInpBmKJEyRSIjORJd1G9+bknb7OTFYL+Vd4FBJAO6T78OVqA==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/visitor-keys": "5.27.1",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/visitor-keys": "5.28.0",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -8688,26 +8688,26 @@
}
},
"@typescript-eslint/utils": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.27.1.tgz",
"integrity": "sha512-mZ9WEn1ZLDaVrhRaYgzbkXBkTPghPFsup8zDbbsYTxC5OmqrFE7skkKS/sraVsLP3TcT3Ki5CSyEFBRkLH/H/w==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.28.0.tgz",
"integrity": "sha512-E60N5L0fjv7iPJV3UGc4EC+A3Lcj4jle9zzR0gW7vXhflO7/J29kwiTGITA2RlrmPokKiZbBy2DgaclCaEUs6g==",
"dev": true,
"requires": {
"@types/json-schema": "^7.0.9",
"@typescript-eslint/scope-manager": "5.27.1",
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/typescript-estree": "5.27.1",
"@typescript-eslint/scope-manager": "5.28.0",
"@typescript-eslint/types": "5.28.0",
"@typescript-eslint/typescript-estree": "5.28.0",
"eslint-scope": "^5.1.1",
"eslint-utils": "^3.0.0"
}
},
"@typescript-eslint/visitor-keys": {
"version": "5.27.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.27.1.tgz",
"integrity": "sha512-xYs6ffo01nhdJgPieyk7HAOpjhTsx7r/oB9LWEhwAXgwn33tkr+W8DI2ChboqhZlC4q3TC6geDYPoiX8ROqyOQ==",
"version": "5.28.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.28.0.tgz",
"integrity": "sha512-BtfP1vCor8cWacovzzPFOoeW4kBQxzmhxGoOpt0v1SFvG+nJ0cWaVdJk7cky1ArTcFHHKNIxyo2LLr3oNkSuXA==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.27.1",
"@typescript-eslint/types": "5.28.0",
"eslint-visitor-keys": "^3.3.0"
}
},
@@ -12112,9 +12112,9 @@
"dev": true
},
"prettier": {
"version": "2.6.2",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.6.2.tgz",
"integrity": "sha512-PkUpF+qoXTqhOeWL9fu7As8LXsIUZ1WYaJiY/a7McAQzxjk82OF0tibkFXVCDImZtWxbvojFjerkiLb0/q8mew==",
"version": "2.7.0",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.0.tgz",
"integrity": "sha512-nwoX4GMFgxoPC6diHvSwmK/4yU8FFH3V8XWtLQrbj4IBsK2pkYhG4kf/ljF/haaZ/aii+wNJqISrCDPgxGWDVQ==",
"dev": true
},
"prettier-linter-helpers": {
+6 -6
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "0.0.1",
"version": "2.0.1",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -36,9 +36,9 @@
"zod": "^3.17.3"
},
"devDependencies": {
"@types/node": "^17.0.40",
"@typescript-eslint/eslint-plugin": "^5.27.1",
"@typescript-eslint/parser": "^5.27.1",
"@types/node": "^17.0.43",
"@typescript-eslint/eslint-plugin": "^5.28.0",
"@typescript-eslint/parser": "^5.28.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.17.0",
@@ -47,8 +47,8 @@
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.16",
"prettier": "2.6.2",
"prettier": "2.7.0",
"ts-jest": "^27.1.4",
"typescript": "^4.7.3"
}
}
}
+25 -31
View File
@@ -1,33 +1,27 @@
import * as fs from 'fs'
import YAML from 'yaml'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import path from 'path'
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES} from './schemas'
export const CONFIG_FILEPATH = './.github/dependency-review.yml'
export function readConfigFile(
filePath: string = CONFIG_FILEPATH
): ConfigurationOptions {
// By default we want to fail on all severities and allow all licenses.
const defaultOptions: ConfigurationOptions = {
fail_on_severity: 'low',
allow_licenses: []
}
let data
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: any) {
if (error.code && error.code === 'ENOENT') {
return defaultOptions
} else {
throw error
}
}
const values = YAML.parse(data)
const parsed = ConfigurationOptionsSchema.parse(values)
return parsed
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
return value.length > 0 ? value : undefined
}
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
return {
fail_on_severity,
allow_licenses: allow_licenses?.split(',').map(x => x.trim()),
deny_licenses: deny_licenses?.split(',').map(x => x.trim())
}
}
+45
View File
@@ -0,0 +1,45 @@
import {Change, ChangeSchema} from './schemas'
/**
* Loops through a list of changes, filtering and returning the
* ones that don't conform to the licenses allow/deny lists.
*
* Keep in mind that we don't let users specify both an allow and a deny
* list in their config files, so this code works under the assumption that
* one of the two list parameters will be empty. If both lists are provided,
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
export function getDeniedLicenseChanges(
changes: Array<Change>,
licenses: {
allow?: Array<string>
deny?: Array<string>
}
): [Array<Change>, Array<Change>] {
let {allow, deny} = licenses
let disallowed: Change[] = []
let unknown: Change[] = []
for (const change of changes) {
let license = change.license
if (license === null) {
unknown.push(change)
continue
}
if (allow !== undefined) {
if (!allow.includes(license)) {
disallowed.push(change)
}
} else if (deny !== undefined) {
if (deny.includes(license)) {
disallowed.push(change)
}
}
}
return [disallowed, unknown]
}
+56 -4
View File
@@ -4,8 +4,9 @@ import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, PullRequestSchema, Severity} from './schemas'
import {readConfigFile} from '../src/config'
import {readConfig} from '../src/config'
import {filterChangesBySeverity} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
async function run(): Promise<void> {
try {
@@ -26,10 +27,15 @@ async function run(): Promise<void> {
headRef: pull_request.head.sha
})
let config = readConfigFile()
let config = readConfig()
let minSeverity = config.fail_on_severity
let failed = false
let licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
let filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
@@ -46,11 +52,23 @@ async function run(): Promise<void> {
}
}
let [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
licenses
)
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors, licenses)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
if (failed) {
throw new Error('Dependency review detected vulnerable packages.')
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or above.`
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
} catch (error) {
@@ -99,4 +117,38 @@ function renderSeverity(
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function printLicensesError(
changes: Array<Change>,
licenses: {
allow?: Array<string>
deny?: Array<string>
}
): void {
if (changes.length == 0) {
return
}
let {allow = [], deny = []} = licenses
core.info('\nThe following dependencies have incompatible licenses:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
)
}
}
function printNullLicenses(changes: Array<Change>): void {
if (changes.length === 0) {
return
}
core.info('\nWe could not detect a license for the following dependencies:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
)
}
}
run()
+1 -1
View File
@@ -39,7 +39,7 @@ export const ConfigurationOptionsSchema = z
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
"Can't specify both allow_licenses and deny_licenses"
"Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other."
)
export const ChangesSchema = z.array(ChangeSchema)