Compare commits

...

48 Commits

Author SHA1 Message Date
Federico Builes 654eb5ca1c Updating README.md 2023-04-06 21:42:26 +02:00
Federico Builes 9885d0c74c Remove default values in action.yml 2023-04-06 21:33:35 +02:00
Federico Builes cebb5b1214 Don't use underscore for inline configs. 2023-04-06 21:33:24 +02:00
Federico Builes 50b918791f Update README. 2023-04-06 17:59:34 +02:00
Federico Builes 3f6a17c81c Update examples to use underscores instead of dashes. 2023-04-06 17:58:58 +02:00
Federico Builes 2c065db296 Add a test-helpers file. 2023-04-06 17:32:42 +02:00
Federico Builes ff46a4b16e Fixing failing test. 2023-04-06 17:11:29 +02:00
Federico Builes 153f274eb4 Mock octokit. 2023-04-06 17:11:16 +02:00
Federico Builes 0041d7fa41 Add a failing test. 2023-04-06 16:21:52 +02:00
Federico Builes 97c9465751 separate tests for external configs 2023-04-05 15:14:57 +02:00
Federico Builes 8b0d4b3327 Merge pull request #446 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.57.0
Bump @typescript-eslint/eslint-plugin from 5.56.0 to 5.57.0
2023-04-03 11:05:13 +02:00
Federico Builes 8c24360582 Merge pull request #448 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.7.0
Bump eslint-plugin-github from 4.6.1 to 4.7.0
2023-04-03 11:04:36 +02:00
dependabot[bot] 80be5a7079 Bump @typescript-eslint/eslint-plugin from 5.56.0 to 5.57.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.56.0 to 5.57.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 05:10:30 +00:00
dependabot[bot] 35bd59fb9e Bump eslint-plugin-github from 4.6.1 to 4.7.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.6.1 to 4.7.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.6.1...v4.7.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 05:09:05 +00:00
Federico Builes b7ce9d546d Merge pull request #447 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.57.0
Bump @typescript-eslint/parser from 5.56.0 to 5.57.0
2023-04-03 07:02:10 +02:00
Federico Builes 5875c70f8f Merge pull request #449 from actions/dependabot/npm_and_yarn/types/node-16.18.23
Bump @types/node from 16.18.21 to 16.18.23
2023-04-03 07:01:49 +02:00
Federico Builes 43274f6899 Merge pull request #450 from actions/dependabot/npm_and_yarn/eslint-8.37.0
Bump eslint from 8.36.0 to 8.37.0
2023-04-03 07:01:31 +02:00
dependabot[bot] 81d482fe7f Bump eslint from 8.36.0 to 8.37.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.36.0 to 8.37.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.36.0...v8.37.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:02:13 +00:00
dependabot[bot] 420f61c64a Bump @types/node from 16.18.21 to 16.18.23
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.21 to 16.18.23.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:01:46 +00:00
dependabot[bot] 866b422c9e Bump @typescript-eslint/parser from 5.56.0 to 5.57.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.56.0 to 5.57.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:00:49 +00:00
Federico Builes 91eae64e0c Merge pull request #442 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.56.0
Bump @typescript-eslint/eslint-plugin from 5.55.0 to 5.56.0
2023-03-27 07:57:20 +02:00
Federico Builes f5f2eae995 Merge pull request #441 from actions/dependabot/npm_and_yarn/nodemon-2.0.22
Bump nodemon from 2.0.21 to 2.0.22
2023-03-27 07:37:18 +02:00
dependabot[bot] 355bcf860e Bump @typescript-eslint/eslint-plugin from 5.55.0 to 5.56.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.55.0 to 5.56.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.56.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 05:32:56 +00:00
dependabot[bot] 5726b20f6c Bump nodemon from 2.0.21 to 2.0.22
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.21 to 2.0.22.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.21...v2.0.22)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 05:32:36 +00:00
Federico Builes 4d05b525ee Merge pull request #444 from actions/dependabot/npm_and_yarn/prettier-2.8.7
Bump prettier from 2.8.4 to 2.8.7
2023-03-27 07:32:04 +02:00
Federico Builes 81ee3a8dc8 Merge pull request #443 from actions/dependabot/npm_and_yarn/types/node-16.18.21
Bump @types/node from 16.18.16 to 16.18.21
2023-03-27 07:31:53 +02:00
Federico Builes 3b871daeea Merge pull request #440 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.56.0
Bump @typescript-eslint/parser from 5.55.0 to 5.56.0
2023-03-27 07:31:31 +02:00
dependabot[bot] 3f5b40d019 Bump prettier from 2.8.4 to 2.8.7
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.4 to 2.8.7.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.4...2.8.7)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:06:07 +00:00
dependabot[bot] 89b3ba9416 Bump @types/node from 16.18.16 to 16.18.21
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.16 to 16.18.21.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:05:34 +00:00
dependabot[bot] a44d7c538d Bump @typescript-eslint/parser from 5.55.0 to 5.56.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.55.0 to 5.56.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.56.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:01:38 +00:00
Federico Builes f46c48ed6d bumping version 2023-03-20 07:22:20 +01:00
Federico Builes 1ac6f5d754 Merge pull request #437 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.55.0
Bump @typescript-eslint/eslint-plugin from 5.54.1 to 5.55.0
2023-03-20 06:47:27 +01:00
dependabot[bot] 30049aaf02 Bump @typescript-eslint/eslint-plugin from 5.54.1 to 5.55.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.54.1 to 5.55.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.55.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 05:45:47 +00:00
Federico Builes 02b3fbad1c Merge pull request #436 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.55.0
Bump @typescript-eslint/parser from 5.54.1 to 5.55.0
2023-03-20 06:44:51 +01:00
Federico Builes 5c5feeb63d Merge pull request #435 from actions/dependabot/npm_and_yarn/types/node-16.18.16
Bump @types/node from 16.18.14 to 16.18.16
2023-03-20 06:44:19 +01:00
dependabot[bot] 85bb8372bf Bump @typescript-eslint/parser from 5.54.1 to 5.55.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.54.1 to 5.55.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.55.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 02:15:06 +00:00
dependabot[bot] 463aece43a Bump @types/node from 16.18.14 to 16.18.16
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.14 to 16.18.16.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 02:14:20 +00:00
Federico Builes e3fb5152be Merge pull request #426 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.54.1
Bump @typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1
2023-03-13 09:29:06 +01:00
Federico Builes 4b088f072a Merge pull request #427 from actions/dependabot/npm_and_yarn/zod-3.21.4
Bump zod from 3.21.0 to 3.21.4
2023-03-13 09:28:51 +01:00
dependabot[bot] e46d65f438 Bump @typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.54.0 to 5.54.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.54.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 07:08:40 +00:00
Federico Builes 75222ed640 adding dist 2023-03-13 08:02:02 +01:00
Federico Builes f46bc4dbf8 Merge pull request #428 from actions/dependabot/npm_and_yarn/eslint-8.36.0
Bump eslint from 8.35.0 to 8.36.0
2023-03-13 08:00:22 +01:00
Federico Builes e0a5088fd6 Merge pull request #429 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.54.1
Bump @typescript-eslint/parser from 5.53.0 to 5.54.1
2023-03-13 08:00:01 +01:00
dependabot[bot] f1f8f2bf88 Bump @typescript-eslint/parser from 5.53.0 to 5.54.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.53.0 to 5.54.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.54.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:06:48 +00:00
dependabot[bot] 453f5e3690 Bump eslint from 8.35.0 to 8.36.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.35.0 to 8.36.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.35.0...v8.36.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:06:12 +00:00
dependabot[bot] 6a47644794 Bump zod from 3.21.0 to 3.21.4
Bumps [zod](https://github.com/colinhacks/zod) from 3.21.0 to 3.21.4.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.21.0...v3.21.4)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:05:51 +00:00
Federico Builes d11e757f70 No support for custom branches note in README. 2023-03-06 09:13:40 +01:00
Federico Builes 63e5e62dba Merge pull request #416 from davelosert/adjust_summary_format
Adjust summary format
2023-03-06 09:10:58 +01:00
11 changed files with 475 additions and 851 deletions
+5 -4
View File
@@ -1,7 +1,7 @@
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
@@ -128,11 +128,12 @@ Start by specifying that you will be using an external configuration file:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified:
And then create the file in the path you just specified. Please note
that the **option names in external files use underscores instead of dashes**:
```yaml
fail-on-severity: 'critical'
allow-licenses:
fail_on_severity: 'critical'
allow_licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
+1 -93
View File
@@ -2,35 +2,7 @@ import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
function setInput(input: string, value: string): void {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
function clearInputs(): void {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
]
// eslint-disable-next-line github/array-foreach
allowedOptions.forEach(option => {
delete process.env[`INPUT_${option.toUpperCase()}`]
})
}
import {setInput, clearInputs} from './test-helpers'
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
@@ -105,60 +77,6 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
test('it reads an external config file', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the config file was not found', async () => {
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
await expect(readConfig()).rejects.toThrow()
})
test('it defaults to runtime scope', async () => {
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
@@ -234,16 +152,6 @@ test('it is not possible to disable both checks', async () => {
)
})
test('it supports comma-separated lists', async () => {
setInput(
'config-file',
'./__tests__/fixtures/inline-license-config-sample.yml'
)
const config = await readConfig()
expect(config.allow_licenses).toEqual(['MIT', 'GPL-2.0-only'])
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
+111
View File
@@ -0,0 +1,111 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import * as Utils from '../src/utils'
import {setInput, clearInputs} from './test-helpers'
const externalConfig = `fail_on_severity: 'high'
allow_licenses: ['GPL-2.0-only']
`
const mockOctokit = {
rest: {
repos: {
getContent: jest.fn().mockReturnValue({data: externalConfig})
}
}
}
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
test('it reads an external config file', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the config file was not found', async () => {
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
await expect(readConfig()).rejects.toThrow()
})
test('it supports comma-separated lists', async () => {
setInput(
'config-file',
'./__tests__/fixtures/inline-license-config-sample.yml'
)
const config = await readConfig()
expect(config.allow_licenses).toEqual(['MIT', 'GPL-2.0-only'])
})
test('it reads a config file hosted in another repo', async () => {
setInput(
'config-file',
'future-funk/anyone-cualkiera/external-config.yml@main'
)
setInput('external-repo-token', 'gh_viptoken')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('high')
expect(config.allow_licenses).toEqual(['GPL-2.0-only'])
})
@@ -1 +1 @@
allow-licenses: MIT, GPL-2.0-only
allow-licenses: "MIT, GPL-2.0-only"
@@ -1,3 +1,3 @@
fail-on-severity: 'so many zombies'
deny-licenses:
fail_on_severity: 'so many zombies'
deny_licenses:
- MIT
+28
View File
@@ -0,0 +1,28 @@
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
export function setInput(input: string, value: string): void {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
export function clearInputs(): void {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
]
// eslint-disable-next-line github/array-foreach
allowedOptions.forEach(option => {
delete process.env[`INPUT_${option.toUpperCase()}`]
})
}
+2 -2
View File
@@ -1,3 +1,5 @@
# Avoid using default values for options here since they will
# end up overriding external configurations.
name: 'Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
@@ -9,11 +11,9 @@ inputs:
fail-on-severity:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
fail-on-scopes:
description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")
required: false
default: 'runtime'
base-ref:
description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
Generated Vendored
+101 -224
View File
@@ -40903,7 +40903,6 @@ class ZodError extends Error {
};
const actualProto = new.target.prototype;
if (Object.setPrototypeOf) {
// eslint-disable-next-line ban/ban
Object.setPrototypeOf(this, actualProto);
}
else {
@@ -40943,13 +40942,6 @@ class ZodError extends Error {
const terminal = i === issue.path.length - 1;
if (!terminal) {
curr[el] = curr[el] || { _errors: [] };
// if (typeof el === "string") {
// curr[el] = curr[el] || { _errors: [] };
// } else if (typeof el === "number") {
// const errorArray: any = [];
// errorArray._errors = [];
// curr[el] = curr[el] || errorArray;
// }
}
else {
curr[el] = curr[el] || { _errors: [] };
@@ -41111,7 +41103,7 @@ function addIssueToContext(ctx, issueData) {
ctx.common.contextualErrorMap,
ctx.schemaErrorMap,
(0, errors_1.getErrorMap)(),
en_1.default, // then global default map
en_1.default,
].filter((x) => !!x),
});
ctx.common.issues.push(issue);
@@ -41205,7 +41197,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getParsedType = exports.ZodParsedType = exports.util = void 0;
exports.getParsedType = exports.ZodParsedType = exports.objectUtil = exports.util = void 0;
var util;
(function (util) {
util.assertEqual = (val) => val;
@@ -41235,8 +41227,8 @@ var util;
return obj[e];
});
};
util.objectKeys = typeof Object.keys === "function" // eslint-disable-line ban/ban
? (obj) => Object.keys(obj) // eslint-disable-line ban/ban
util.objectKeys = typeof Object.keys === "function"
? (obj) => Object.keys(obj)
: (object) => {
const keys = [];
for (const key in object) {
@@ -41254,7 +41246,7 @@ var util;
return undefined;
};
util.isInteger = typeof Number.isInteger === "function"
? (val) => Number.isInteger(val) // eslint-disable-line ban/ban
? (val) => Number.isInteger(val)
: (val) => typeof val === "number" && isFinite(val) && Math.floor(val) === val;
function joinValues(array, separator = " | ") {
return array
@@ -41269,6 +41261,15 @@ var util;
return value;
};
})(util = exports.util || (exports.util = {}));
var objectUtil;
(function (objectUtil) {
objectUtil.mergeShapes = (first, second) => {
return {
...first,
...second,
};
};
})(objectUtil = exports.objectUtil || (exports.objectUtil = {}));
exports.ZodParsedType = util.arrayToEnum([
"string",
"nan",
@@ -41422,7 +41423,13 @@ const errorMap = (issue, _ctx) => {
break;
case ZodError_1.ZodIssueCode.invalid_string:
if (typeof issue.validation === "object") {
if ("startsWith" in issue.validation) {
if ("includes" in issue.validation) {
message = `Invalid input: must include "${issue.validation.includes}"`;
if (typeof issue.validation.position === "number") {
message = `${message} at one or more positions greater than or equal to ${issue.validation.position}`;
}
}
else if ("startsWith" in issue.validation) {
message = `Invalid input: must start with "${issue.validation.startsWith}"`;
}
else if ("endsWith" in issue.validation) {
@@ -41514,8 +41521,8 @@ exports["default"] = errorMap;
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.date = exports.boolean = exports.bigint = exports.array = exports.any = exports.coerce = exports.ZodFirstPartyTypeKind = exports.late = exports.ZodSchema = exports.Schema = exports.custom = exports.ZodPipeline = exports.ZodBranded = exports.BRAND = exports.ZodNaN = exports.ZodCatch = exports.ZodDefault = exports.ZodNullable = exports.ZodOptional = exports.ZodTransformer = exports.ZodEffects = exports.ZodPromise = exports.ZodNativeEnum = exports.ZodEnum = exports.ZodLiteral = exports.ZodLazy = exports.ZodFunction = exports.ZodSet = exports.ZodMap = exports.ZodRecord = exports.ZodTuple = exports.ZodIntersection = exports.ZodDiscriminatedUnion = exports.ZodUnion = exports.ZodObject = exports.objectUtil = exports.ZodArray = exports.ZodVoid = exports.ZodNever = exports.ZodUnknown = exports.ZodAny = exports.ZodNull = exports.ZodUndefined = exports.ZodSymbol = exports.ZodDate = exports.ZodBoolean = exports.ZodBigInt = exports.ZodNumber = exports.ZodString = exports.ZodType = void 0;
exports.NEVER = exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.symbol = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.pipeline = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = exports["function"] = exports["enum"] = exports.effect = exports.discriminatedUnion = void 0;
exports.discriminatedUnion = exports.date = exports.boolean = exports.bigint = exports.array = exports.any = exports.coerce = exports.ZodFirstPartyTypeKind = exports.late = exports.ZodSchema = exports.Schema = exports.custom = exports.ZodPipeline = exports.ZodBranded = exports.BRAND = exports.ZodNaN = exports.ZodCatch = exports.ZodDefault = exports.ZodNullable = exports.ZodOptional = exports.ZodTransformer = exports.ZodEffects = exports.ZodPromise = exports.ZodNativeEnum = exports.ZodEnum = exports.ZodLiteral = exports.ZodLazy = exports.ZodFunction = exports.ZodSet = exports.ZodMap = exports.ZodRecord = exports.ZodTuple = exports.ZodIntersection = exports.ZodDiscriminatedUnion = exports.ZodUnion = exports.ZodObject = exports.ZodArray = exports.ZodVoid = exports.ZodNever = exports.ZodUnknown = exports.ZodAny = exports.ZodNull = exports.ZodUndefined = exports.ZodSymbol = exports.ZodDate = exports.ZodBoolean = exports.ZodBigInt = exports.ZodNumber = exports.ZodString = exports.ZodType = void 0;
exports.NEVER = exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.symbol = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.pipeline = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = exports["function"] = exports["enum"] = exports.effect = void 0;
const errors_1 = __nccwpck_require__(9566);
const errorUtil_1 = __nccwpck_require__(2513);
const parseUtil_1 = __nccwpck_require__(888);
@@ -41523,13 +41530,22 @@ const util_1 = __nccwpck_require__(3985);
const ZodError_1 = __nccwpck_require__(9892);
class ParseInputLazyPath {
constructor(parent, value, path, key) {
this._cachedPath = [];
this.parent = parent;
this.data = value;
this._path = path;
this._key = key;
}
get path() {
return this._path.concat(this._key);
if (!this._cachedPath.length) {
if (this._key instanceof Array) {
this._cachedPath.push(...this._path, ...this._key);
}
else {
this._cachedPath.push(...this._path, this._key);
}
}
return this._cachedPath;
}
}
const handleResult = (ctx, result) => {
@@ -41540,8 +41556,16 @@ const handleResult = (ctx, result) => {
if (!ctx.common.issues.length) {
throw new Error("Validation failed but no issues detected.");
}
const error = new ZodError_1.ZodError(ctx.common.issues);
return { success: false, error };
return {
success: false,
get error() {
if (this._error)
return this._error;
const error = new ZodError_1.ZodError(ctx.common.issues);
this._error = error;
return this._error;
},
};
}
};
function processCreateParams(params) {
@@ -41565,7 +41589,6 @@ function processCreateParams(params) {
}
class ZodType {
constructor(def) {
/** Alias of safeParseAsync */
this.spa = this.safeParseAsync;
this._def = def;
this.parse = this.parse.bind(this);
@@ -41817,19 +41840,12 @@ exports.Schema = ZodType;
exports.ZodSchema = ZodType;
const cuidRegex = /^c[^\s-]{8,}$/i;
const cuid2Regex = /^[a-z][a-z0-9]*$/;
const ulidRegex = /[0-9A-HJKMNP-TV-Z]{26}/;
const uuidRegex = /^([a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[a-f0-9]{4}-[a-f0-9]{12}|00000000-0000-0000-0000-000000000000)$/i;
// from https://stackoverflow.com/a/46181/1550155
// old version: too slow, didn't support unicode
// const emailRegex = /^((([a-z]|\d|[!#\$%&'\*\+\-\/=\?\^_`{\|}~]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])+(\.([a-z]|\d|[!#\$%&'\*\+\-\/=\?\^_`{\|}~]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])+)*)|((\x22)((((\x20|\x09)*(\x0d\x0a))?(\x20|\x09)+)?(([\x01-\x08\x0b\x0c\x0e-\x1f\x7f]|\x21|[\x23-\x5b]|[\x5d-\x7e]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(\\([\x01-\x09\x0b\x0c\x0d-\x7f]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]))))*(((\x20|\x09)*(\x0d\x0a))?(\x20|\x09)+)?(\x22)))@((([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))\.)+(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))$/i;
//old email regex
// const emailRegex = /^(([^<>()[\].,;:\s@"]+(\.[^<>()[\].,;:\s@"]+)*)|(".+"))@((?!-)([^<>()[\].,;:\s@"]+\.)+[^<>()[\].,;:\s@"]{1,})[^-<>()[\].,;:\s@"]$/i;
// eslint-disable-next-line
const emailRegex = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\])|(\[IPv6:(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))\])|([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])*(\.[A-Za-z]{2,})+))$/;
// from https://thekevinscott.com/emojis-in-javascript/#writing-a-regular-expression
const emojiRegex = /^(\p{Extended_Pictographic}|\p{Emoji_Component})+$/u;
const ipv4Regex = /^(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))$/;
const ipv6Regex = /^(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))$/;
// Adapted from https://stackoverflow.com/a/3143231
const datetimeRegex = (args) => {
if (args.precision) {
if (args.offset) {
@@ -41873,10 +41889,6 @@ class ZodString extends ZodType {
code: ZodError_1.ZodIssueCode.invalid_string,
...errorUtil_1.errorUtil.errToObj(message),
});
/**
* @deprecated Use z.string().min(1) instead.
* @see {@link ZodString.min}
*/
this.nonempty = (message) => this.min(1, errorUtil_1.errorUtil.errToObj(message));
this.trim = () => new ZodString({
...this._def,
@@ -41902,9 +41914,7 @@ class ZodString extends ZodType {
code: ZodError_1.ZodIssueCode.invalid_type,
expected: util_1.ZodParsedType.string,
received: ctx.parsedType,
}
//
);
});
return parseUtil_1.INVALID;
}
const status = new parseUtil_1.ParseStatus();
@@ -42021,6 +42031,17 @@ class ZodString extends ZodType {
status.dirty();
}
}
else if (check.kind === "ulid") {
if (!ulidRegex.test(input.data)) {
ctx = this._getOrReturnCtx(input, ctx);
(0, parseUtil_1.addIssueToContext)(ctx, {
validation: "ulid",
code: ZodError_1.ZodIssueCode.invalid_string,
message: check.message,
});
status.dirty();
}
}
else if (check.kind === "url") {
try {
new URL(input.data);
@@ -42051,6 +42072,17 @@ class ZodString extends ZodType {
else if (check.kind === "trim") {
input.data = input.data.trim();
}
else if (check.kind === "includes") {
if (!input.data.includes(check.value, check.position)) {
ctx = this._getOrReturnCtx(input, ctx);
(0, parseUtil_1.addIssueToContext)(ctx, {
code: ZodError_1.ZodIssueCode.invalid_string,
validation: { includes: check.value, position: check.position },
message: check.message,
});
status.dirty();
}
}
else if (check.kind === "toLowerCase") {
input.data = input.data.toLowerCase();
}
@@ -42132,6 +42164,9 @@ class ZodString extends ZodType {
cuid2(message) {
return this._addCheck({ kind: "cuid2", ...errorUtil_1.errorUtil.errToObj(message) });
}
ulid(message) {
return this._addCheck({ kind: "ulid", ...errorUtil_1.errorUtil.errToObj(message) });
}
ip(options) {
return this._addCheck({ kind: "ip", ...errorUtil_1.errorUtil.errToObj(options) });
}
@@ -42159,6 +42194,14 @@ class ZodString extends ZodType {
...errorUtil_1.errorUtil.errToObj(message),
});
}
includes(value, options) {
return this._addCheck({
kind: "includes",
value: value,
position: options === null || options === void 0 ? void 0 : options.position,
...errorUtil_1.errorUtil.errToObj(options === null || options === void 0 ? void 0 : options.message),
});
}
startsWith(value, message) {
return this._addCheck({
kind: "startsWith",
@@ -42215,6 +42258,9 @@ class ZodString extends ZodType {
get isCUID2() {
return !!this._def.checks.find((ch) => ch.kind === "cuid2");
}
get isULID() {
return !!this._def.checks.find((ch) => ch.kind === "ulid");
}
get isIP() {
return !!this._def.checks.find((ch) => ch.kind === "ip");
}
@@ -42249,7 +42295,6 @@ ZodString.create = (params) => {
...processCreateParams(params),
});
};
// https://stackoverflow.com/questions/3966484/why-does-modulus-operator-return-fractional-number-in-javascript/31711034#31711034
function floatSafeRemainder(val, step) {
const valDecCount = (val.toString().split(".")[1] || "").length;
const stepDecCount = (step.toString().split(".")[1] || "").length;
@@ -42885,7 +42930,6 @@ ZodNull.create = (params) => {
class ZodAny extends ZodType {
constructor() {
super(...arguments);
// to prevent instances of other classes from extending ZodAny. this causes issues with catchall in ZodObject.
this._any = true;
}
_parse(input) {
@@ -42902,7 +42946,6 @@ ZodAny.create = (params) => {
class ZodUnknown extends ZodType {
constructor() {
super(...arguments);
// required
this._unknown = true;
}
_parse(input) {
@@ -43058,22 +43101,6 @@ ZodArray.create = (schema, params) => {
...processCreateParams(params),
});
};
/////////////////////////////////////////
/////////////////////////////////////////
////////// //////////
////////// ZodObject //////////
////////// //////////
/////////////////////////////////////////
/////////////////////////////////////////
var objectUtil;
(function (objectUtil) {
objectUtil.mergeShapes = (first, second) => {
return {
...first,
...second, // second overwrites first
};
};
})(objectUtil = exports.objectUtil || (exports.objectUtil = {}));
function deepPartialify(schema) {
if (schema instanceof ZodObject) {
const newShape = {};
@@ -43087,7 +43114,10 @@ function deepPartialify(schema) {
});
}
else if (schema instanceof ZodArray) {
return ZodArray.create(deepPartialify(schema.element));
return new ZodArray({
...schema._def,
type: deepPartialify(schema.element),
});
}
else if (schema instanceof ZodOptional) {
return ZodOptional.create(deepPartialify(schema.unwrap()));
@@ -43106,47 +43136,7 @@ class ZodObject extends ZodType {
constructor() {
super(...arguments);
this._cached = null;
/**
* @deprecated In most cases, this is no longer needed - unknown properties are now silently stripped.
* If you want to pass through unknown properties, use `.passthrough()` instead.
*/
this.nonstrict = this.passthrough;
// extend<
// Augmentation extends ZodRawShape,
// NewOutput extends util.flatten<{
// [k in keyof Augmentation | keyof Output]: k extends keyof Augmentation
// ? Augmentation[k]["_output"]
// : k extends keyof Output
// ? Output[k]
// : never;
// }>,
// NewInput extends util.flatten<{
// [k in keyof Augmentation | keyof Input]: k extends keyof Augmentation
// ? Augmentation[k]["_input"]
// : k extends keyof Input
// ? Input[k]
// : never;
// }>
// >(
// augmentation: Augmentation
// ): ZodObject<
// extendShape<T, Augmentation>,
// UnknownKeys,
// Catchall,
// NewOutput,
// NewInput
// > {
// return new ZodObject({
// ...this._def,
// shape: () => ({
// ...this._def.shape(),
// ...augmentation,
// }),
// }) as any;
// }
/**
* @deprecated Use `.extend` instead
* */
this.augment = this.extend;
}
_getCached() {
@@ -43214,14 +43204,12 @@ class ZodObject extends ZodType {
}
}
else {
// run catchall validation
const catchall = this._def.catchall;
for (const key of extraKeys) {
const value = ctx.data[key];
pairs.push({
key: { status: "valid", value: key },
value: catchall._parse(new ParseInputLazyPath(ctx, value, ctx.path, key) //, ctx.child(key), value, getParsedType(value)
),
value: catchall._parse(new ParseInputLazyPath(ctx, value, ctx.path, key)),
alwaysSet: key in ctx.data,
});
}
@@ -43285,23 +43273,6 @@ class ZodObject extends ZodType {
unknownKeys: "passthrough",
});
}
// const AugmentFactory =
// <Def extends ZodObjectDef>(def: Def) =>
// <Augmentation extends ZodRawShape>(
// augmentation: Augmentation
// ): ZodObject<
// extendShape<ReturnType<Def["shape"]>, Augmentation>,
// Def["unknownKeys"],
// Def["catchall"]
// > => {
// return new ZodObject({
// ...def,
// shape: () => ({
// ...def.shape(),
// ...augmentation,
// }),
// }) as any;
// };
extend(augmentation) {
return new ZodObject({
...this._def,
@@ -43311,79 +43282,21 @@ class ZodObject extends ZodType {
}),
});
}
/**
* Prior to zod@1.0.12 there was a bug in the
* inferred type of merged objects. Please
* upgrade if you are experiencing issues.
*/
merge(merging) {
const merged = new ZodObject({
unknownKeys: merging._def.unknownKeys,
catchall: merging._def.catchall,
shape: () => objectUtil.mergeShapes(this._def.shape(), merging._def.shape()),
shape: () => ({
...this._def.shape(),
...merging._def.shape(),
}),
typeName: ZodFirstPartyTypeKind.ZodObject,
});
return merged;
}
// merge<
// Incoming extends AnyZodObject,
// Augmentation extends Incoming["shape"],
// NewOutput extends {
// [k in keyof Augmentation | keyof Output]: k extends keyof Augmentation
// ? Augmentation[k]["_output"]
// : k extends keyof Output
// ? Output[k]
// : never;
// },
// NewInput extends {
// [k in keyof Augmentation | keyof Input]: k extends keyof Augmentation
// ? Augmentation[k]["_input"]
// : k extends keyof Input
// ? Input[k]
// : never;
// }
// >(
// merging: Incoming
// ): ZodObject<
// extendShape<T, ReturnType<Incoming["_def"]["shape"]>>,
// Incoming["_def"]["unknownKeys"],
// Incoming["_def"]["catchall"],
// NewOutput,
// NewInput
// > {
// const merged: any = new ZodObject({
// unknownKeys: merging._def.unknownKeys,
// catchall: merging._def.catchall,
// shape: () =>
// objectUtil.mergeShapes(this._def.shape(), merging._def.shape()),
// typeName: ZodFirstPartyTypeKind.ZodObject,
// }) as any;
// return merged;
// }
setKey(key, schema) {
return this.augment({ [key]: schema });
}
// merge<Incoming extends AnyZodObject>(
// merging: Incoming
// ): //ZodObject<T & Incoming["_shape"], UnknownKeys, Catchall> = (merging) => {
// ZodObject<
// extendShape<T, ReturnType<Incoming["_def"]["shape"]>>,
// Incoming["_def"]["unknownKeys"],
// Incoming["_def"]["catchall"]
// > {
// // const mergedShape = objectUtil.mergeShapes(
// // this._def.shape(),
// // merging._def.shape()
// // );
// const merged: any = new ZodObject({
// unknownKeys: merging._def.unknownKeys,
// catchall: merging._def.catchall,
// shape: () =>
// objectUtil.mergeShapes(this._def.shape(), merging._def.shape()),
// typeName: ZodFirstPartyTypeKind.ZodObject,
// }) as any;
// return merged;
// }
catchall(index) {
return new ZodObject({
...this._def,
@@ -43414,9 +43327,6 @@ class ZodObject extends ZodType {
shape: () => shape,
});
}
/**
* @deprecated
*/
deepPartial() {
return deepPartialify(this);
}
@@ -43493,7 +43403,6 @@ class ZodUnion extends ZodType {
const { ctx } = this._processInputParams(input);
const options = this._def.options;
function handleResults(results) {
// return first issue-free validation if it exists
for (const result of results) {
if (result.result.status === "valid") {
return result.result;
@@ -43501,12 +43410,10 @@ class ZodUnion extends ZodType {
}
for (const result of results) {
if (result.result.status === "dirty") {
// add issues from dirty option
ctx.common.issues.push(...result.ctx.common.issues);
return result.result;
}
}
// return invalid
const unionErrors = results.map((result) => new ZodError_1.ZodError(result.ctx.common.issues));
(0, parseUtil_1.addIssueToContext)(ctx, {
code: ZodError_1.ZodIssueCode.invalid_union,
@@ -43585,13 +43492,6 @@ ZodUnion.create = (types, params) => {
...processCreateParams(params),
});
};
/////////////////////////////////////////////////////
/////////////////////////////////////////////////////
////////// //////////
////////// ZodDiscriminatedUnion //////////
////////// //////////
/////////////////////////////////////////////////////
/////////////////////////////////////////////////////
const getDiscriminator = (type) => {
if (type instanceof ZodLazy) {
return getDiscriminator(type.schema);
@@ -43606,7 +43506,6 @@ const getDiscriminator = (type) => {
return type.options;
}
else if (type instanceof ZodNativeEnum) {
// eslint-disable-next-line ban/ban
return Object.keys(type.enum);
}
else if (type instanceof ZodDefault) {
@@ -43668,18 +43567,8 @@ class ZodDiscriminatedUnion extends ZodType {
get optionsMap() {
return this._def.optionsMap;
}
/**
* The constructor of the discriminated union schema. Its behaviour is very similar to that of the normal z.union() constructor.
* However, it only allows a union of objects, all of which need to share a discriminator property. This property must
* have a different value for each object in the union.
* @param discriminator the name of the discriminator property
* @param types an array of object schemas
* @param params
*/
static create(discriminator, options, params) {
// Get all the valid discriminator values
const optionsMap = new Map();
// try {
for (const type of options) {
const discriminatorValues = getDiscriminator(type.shape[discriminator]);
if (!discriminatorValues) {
@@ -43842,7 +43731,7 @@ class ZodTuple extends ZodType {
return null;
return schema._parse(new ParseInputLazyPath(ctx, item, ctx.path, itemIndex));
})
.filter((x) => !!x); // filter nulls
.filter((x) => !!x);
if (ctx.common.async) {
return Promise.all(items).then((results) => {
return parseUtil_1.ParseStatus.mergeArray(status, results);
@@ -44423,9 +44312,7 @@ class ZodEffects extends ZodType {
};
checkCtx.addIssue = checkCtx.addIssue.bind(checkCtx);
if (effect.type === "refinement") {
const executeRefinement = (acc
// effect: RefinementEffect<any>
) => {
const executeRefinement = (acc) => {
const result = effect.refinement(acc, checkCtx);
if (ctx.common.async) {
return Promise.resolve(result);
@@ -44445,7 +44332,6 @@ class ZodEffects extends ZodType {
return parseUtil_1.INVALID;
if (inner.status === "dirty")
status.dirty();
// return value is ignored
executeRefinement(inner.value);
return { status: status.value, value: inner.value };
}
@@ -44470,10 +44356,6 @@ class ZodEffects extends ZodType {
path: ctx.path,
parent: ctx,
});
// if (base.status === "aborted") return INVALID;
// if (base.status === "dirty") {
// return { status: "dirty", value: base.value };
// }
if (!(0, parseUtil_1.isValid)(base))
return base;
const result = effect.transform(base.value, checkCtx);
@@ -44488,10 +44370,6 @@ class ZodEffects extends ZodType {
.then((base) => {
if (!(0, parseUtil_1.isValid)(base))
return base;
// if (base.status === "aborted") return INVALID;
// if (base.status === "dirty") {
// return { status: "dirty", value: base.value };
// }
return Promise.resolve(effect.transform(base.value, checkCtx)).then((result) => ({ status: status.value, value: result }));
});
}
@@ -44588,7 +44466,6 @@ ZodDefault.create = (type, params) => {
class ZodCatch extends ZodType {
_parse(input) {
const { ctx } = this._processInputParams(input);
// newCtx is used to not collect issues from inner types in ctx
const newCtx = {
...ctx,
common: {
@@ -44613,6 +44490,7 @@ class ZodCatch extends ZodType {
get error() {
return new ZodError_1.ZodError(newCtx.common.issues);
},
input: newCtx.data,
}),
};
});
@@ -44626,6 +44504,7 @@ class ZodCatch extends ZodType {
get error() {
return new ZodError_1.ZodError(newCtx.common.issues);
},
input: newCtx.data,
}),
};
}
@@ -44740,14 +44619,16 @@ class ZodPipeline extends ZodType {
}
}
exports.ZodPipeline = ZodPipeline;
const custom = (check, params = {},
/* @deprecated */
fatal) => {
const custom = (check, params = {}, fatal) => {
if (check)
return ZodAny.create().superRefine((data, ctx) => {
var _a, _b;
if (!check(data)) {
const p = typeof params === "function" ? params(data) : params;
const p = typeof params === "function"
? params(data)
: typeof params === "string"
? { message: params }
: params;
const _fatal = (_b = (_a = p.fatal) !== null && _a !== void 0 ? _a : fatal) !== null && _b !== void 0 ? _b : true;
const p2 = typeof p === "string" ? { message: p } : p;
ctx.addIssue({ code: "custom", ...p2, fatal: _fatal });
@@ -44797,14 +44678,10 @@ var ZodFirstPartyTypeKind;
ZodFirstPartyTypeKind["ZodBranded"] = "ZodBranded";
ZodFirstPartyTypeKind["ZodPipeline"] = "ZodPipeline";
})(ZodFirstPartyTypeKind = exports.ZodFirstPartyTypeKind || (exports.ZodFirstPartyTypeKind = {}));
// new approach that works for abstract classes
// but requires TS 4.4+
class Class {
constructor(..._) { }
}
const instanceOfType = (
// const instanceOfType = <T extends new (...args: any[]) => any>(
cls, params = {
const instanceOfType = (cls, params = {
message: `Input not instance of ${cls.name}`,
}) => (0, exports.custom)((data) => data instanceof cls, params);
exports["instanceof"] = instanceOfType;
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+213 -514
View File
File diff suppressed because it is too large Load Diff
+10 -10
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.3",
"version": "3.0.4",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -31,31 +31,31 @@
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.2.1",
"got": "^12.6.0",
"nodemon": "^2.0.21",
"nodemon": "^2.0.22",
"octokit": "^2.0.14",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.2.1",
"zod": "^3.21.0"
"zod": "^3.21.4"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.14",
"@types/node": "^16.18.23",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^5.54.0",
"@typescript-eslint/parser": "^5.53.0",
"@typescript-eslint/eslint-plugin": "^5.57.0",
"@typescript-eslint/parser": "^5.57.0",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.35.0",
"eslint-plugin-github": "^4.6.1",
"eslint": "^8.37.0",
"eslint-plugin-github": "^4.7.0",
"eslint-plugin-jest": "^27.2.1",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.21",
"prettier": "2.8.4",
"nodemon": "^2.0.22",
"prettier": "2.8.7",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}