Compare commits

...

139 Commits

Author SHA1 Message Date
Federico Builes 123b58703a bumping to 3.0.6 2023-05-31 17:10:00 +02:00
Federico Builes cd559bc984 adding dist 2023-05-31 17:09:53 +02:00
Federico Builes 70f8094bec adding a test for empty PURLs 2023-05-31 16:24:19 +02:00
Federico Builes 0b306aef97 Don't try to create PURLs from empty strings. 2023-05-31 16:14:02 +02:00
Federico Builes 554aaf5c3d Merge pull request #423 from theztefan/allow-list-dependencies
Exclude dependencies from license checks
2023-05-31 14:24:05 +02:00
Federico Builes c6e94c1336 External config files should use underscores, not dashes 2023-05-31 14:21:57 +02:00
Stefan Petrushevski 88d6af3d4a latest build 2023-05-31 12:54:16 +02:00
Stefan Petrushevski f1c8401a59 resolve merge conflicts 2023-05-30 18:04:26 +02:00
Stefan Petrushevski ef8ebf0eef rebuild 2023-05-30 17:33:40 +02:00
Federico Builes 1f7c838fcb Merge pull request #492 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.8
Bump @typescript-eslint/eslint-plugin from 5.59.6 to 5.59.8
2023-05-30 08:10:28 +02:00
dependabot[bot] 1ee07d8652 Bump @typescript-eslint/eslint-plugin from 5.59.6 to 5.59.8
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.6 to 5.59.8.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.8/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-30 05:32:06 +00:00
Federico Builes 861f696c44 Merge pull request #491 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.8
Bump @typescript-eslint/parser from 5.59.7 to 5.59.8
2023-05-30 07:31:16 +02:00
dependabot[bot] ce9db3928f Bump @typescript-eslint/parser from 5.59.7 to 5.59.8
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.7 to 5.59.8.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.8/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-30 05:25:32 +00:00
Federico Builes 854aa8a142 Merge pull request #485 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.7
Bump @typescript-eslint/parser from 5.59.6 to 5.59.7
2023-05-30 07:24:55 +02:00
Federico Builes 9fbf14f620 Merge pull request #484 from actions/dependabot/npm_and_yarn/types/node-16.18.34
Bump @types/node from 16.18.32 to 16.18.34
2023-05-30 07:24:43 +02:00
Federico Builes 64222d2efe Merge pull request #483 from actions/dependabot/npm_and_yarn/yaml-2.3.1
Bump yaml from 2.2.2 to 2.3.1
2023-05-30 07:24:34 +02:00
Federico Builes f2a3e1af33 updating dist 2023-05-30 07:23:40 +02:00
dependabot[bot] e3de7a00a8 Bump @typescript-eslint/parser from 5.59.6 to 5.59.7
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.6 to 5.59.7.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.7/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:01:45 +00:00
dependabot[bot] 627344199b Bump @types/node from 16.18.32 to 16.18.34
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.32 to 16.18.34.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:01:13 +00:00
dependabot[bot] 2406ed1539 Bump yaml from 2.2.2 to 2.3.1
Bumps [yaml](https://github.com/eemeli/yaml) from 2.2.2 to 2.3.1.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.2.2...v2.3.1)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:00:41 +00:00
Stefan 20f1bbadfc Update README.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-26 20:20:06 +02:00
Stefan 32e5b32ec4 Update docs/examples.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-26 20:19:52 +02:00
Federico Builes 4ee0db82cc Merge pull request #480 from actions/dependabot/npm_and_yarn/octokit-2.0.16
Bump octokit from 2.0.14 to 2.0.16
2023-05-22 07:35:59 +02:00
Federico Builes f303e9cd65 adding dist 2023-05-22 07:31:33 +02:00
Federico Builes fa8ddf1781 Merge pull request #482 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.6
Bump @typescript-eslint/parser from 5.59.2 to 5.59.6
2023-05-22 07:26:50 +02:00
dependabot[bot] 70422dcfbd Bump @typescript-eslint/parser from 5.59.2 to 5.59.6
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.2 to 5.59.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.6/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 05:25:44 +00:00
Federico Builes fe724aebb5 Merge pull request #481 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.6
Bump @typescript-eslint/eslint-plugin from 5.59.2 to 5.59.6
2023-05-22 07:25:14 +02:00
Federico Builes 6ab307aa49 Merge pull request #479 from actions/dependabot/npm_and_yarn/types/node-16.18.32
Bump @types/node from 16.18.26 to 16.18.32
2023-05-22 07:24:49 +02:00
Federico Builes 7b02d77054 Merge pull request #478 from actions/dependabot/npm_and_yarn/eslint-8.41.0
Bump eslint from 8.40.0 to 8.41.0
2023-05-22 07:24:40 +02:00
dependabot[bot] 98717099a1 Bump @typescript-eslint/eslint-plugin from 5.59.2 to 5.59.6
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.2 to 5.59.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.6/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 02:02:05 +00:00
dependabot[bot] b582a7ae96 Bump octokit from 2.0.14 to 2.0.16
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.14 to 2.0.16.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.14...v2.0.16)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 02:01:13 +00:00
dependabot[bot] 894a896fb1 Bump @types/node from 16.18.26 to 16.18.32
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.26 to 16.18.32.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 01:59:51 +00:00
dependabot[bot] eb565747bb Bump eslint from 8.40.0 to 8.41.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.40.0 to 8.41.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.40.0...v8.41.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 01:59:24 +00:00
Stefan Petrushevski 7b5fa84cfc added tests; docs and cleanup 2023-05-19 10:47:59 +02:00
Stefan 8ef2903f61 Update action.yml
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:45:02 +02:00
Stefan 16c0c13a8b Update README.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:44:49 +02:00
Stefan b36110c8a0 Update docs/examples.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:44:33 +02:00
Stefan Petrushevski 0574926a14 document; code style; 2023-05-16 16:50:04 +02:00
Federico Builes 57c07f037a Merge pull request #473 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.2
Bump @typescript-eslint/parser from 5.59.1 to 5.59.2
2023-05-08 06:16:13 +02:00
dependabot[bot] 8fba746b74 Bump @typescript-eslint/parser from 5.59.1 to 5.59.2
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.1 to 5.59.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.2/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 04:16:03 +00:00
Federico Builes 632eabaaf6 Merge pull request #474 from actions/dependabot/npm_and_yarn/eslint-8.40.0
Bump eslint from 8.39.0 to 8.40.0
2023-05-08 06:15:33 +02:00
Federico Builes d1f8348e2e Merge pull request #472 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.2
Bump @typescript-eslint/eslint-plugin from 5.59.1 to 5.59.2
2023-05-08 06:15:13 +02:00
Federico Builes 66da8857a8 Merge pull request #471 from actions/dependabot/npm_and_yarn/types/node-16.18.26
Bump @types/node from 16.18.25 to 16.18.26
2023-05-08 06:15:06 +02:00
dependabot[bot] 9fe22cbd4d Bump eslint from 8.39.0 to 8.40.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.39.0 to 8.40.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.39.0...v8.40.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 02:01:40 +00:00
dependabot[bot] 192b846247 Bump @typescript-eslint/eslint-plugin from 5.59.1 to 5.59.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.1 to 5.59.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 02:00:42 +00:00
dependabot[bot] faed3d989f Bump @types/node from 16.18.25 to 16.18.26
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.25 to 16.18.26.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 01:59:37 +00:00
Federico Builes 7d25be7d68 Merge pull request #467 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.1
Bump @typescript-eslint/eslint-plugin from 5.59.0 to 5.59.1
2023-05-01 13:47:42 +02:00
Federico Builes 57e6a1aeb8 Merge pull request #469 from actions/dependabot/npm_and_yarn/yaml-2.2.2
Bump yaml from 2.2.1 to 2.2.2
2023-05-01 13:47:23 +02:00
Federico Builes 8450611ed5 adding dist 2023-05-01 13:47:13 +02:00
dependabot[bot] adc7610fb4 Bump @typescript-eslint/eslint-plugin from 5.59.0 to 5.59.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.0 to 5.59.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 11:45:43 +00:00
dependabot[bot] b81c2dfce6 Bump yaml from 2.2.1 to 2.2.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.2.1...v2.2.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 11:45:32 +00:00
Federico Builes 70370c1727 Merge pull request #468 from actions/dependabot/npm_and_yarn/types/node-16.18.25
Bump @types/node from 16.18.24 to 16.18.25
2023-05-01 13:44:58 +02:00
Federico Builes 1e46123a48 Merge pull request #466 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.1
Bump @typescript-eslint/parser from 5.59.0 to 5.59.1
2023-05-01 13:44:30 +02:00
dependabot[bot] de626ab5bc Bump @types/node from 16.18.24 to 16.18.25
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.24 to 16.18.25.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 02:03:23 +00:00
dependabot[bot] 5907e06ae4 Bump @typescript-eslint/parser from 5.59.0 to 5.59.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.0 to 5.59.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 02:01:40 +00:00
Federico Builes 9bc0593cb7 Merge pull request #462 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.0
Bump @typescript-eslint/eslint-plugin from 5.57.1 to 5.59.0
2023-04-24 13:32:54 +02:00
dependabot[bot] 7070612acc Bump @typescript-eslint/eslint-plugin from 5.57.1 to 5.59.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.57.1 to 5.59.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 11:31:30 +00:00
Federico Builes f6e0fab375 Merge pull request #465 from actions/dependabot/npm_and_yarn/prettier-2.8.8
Bump prettier from 2.8.7 to 2.8.8
2023-04-24 13:31:03 +02:00
Federico Builes 51fa253565 Merge pull request #464 from actions/dependabot/npm_and_yarn/eslint-8.39.0
Bump eslint from 8.38.0 to 8.39.0
2023-04-24 13:30:54 +02:00
Federico Builes 2dffe8e22c Merge pull request #463 from actions/dependabot/npm_and_yarn/types/node-16.18.24
Bump @types/node from 16.18.23 to 16.18.24
2023-04-24 13:30:43 +02:00
Federico Builes e263d60b8b Merge pull request #461 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.0
Bump @typescript-eslint/parser from 5.57.1 to 5.59.0
2023-04-24 13:30:07 +02:00
dependabot[bot] bf512683a2 Bump prettier from 2.8.7 to 2.8.8
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.7 to 2.8.8.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.7...2.8.8)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:01:16 +00:00
dependabot[bot] 6c9f94c4e5 Bump eslint from 8.38.0 to 8.39.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.38.0 to 8.39.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.38.0...v8.39.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:01:05 +00:00
dependabot[bot] 8321ca9367 Bump @types/node from 16.18.23 to 16.18.24
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.23 to 16.18.24.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:00:45 +00:00
dependabot[bot] 00ef46c947 Bump @typescript-eslint/parser from 5.57.1 to 5.59.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.57.1 to 5.59.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 01:59:58 +00:00
Federico Builes b206cbf92e Merge pull request #453 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.57.1
Bump @typescript-eslint/eslint-plugin from 5.57.0 to 5.57.1
2023-04-10 07:48:03 +02:00
dependabot[bot] d482d746c3 Bump @typescript-eslint/eslint-plugin from 5.57.0 to 5.57.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.57.0 to 5.57.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 05:47:39 +00:00
Federico Builes 041e4f1437 Merge pull request #454 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.57.1
Bump @typescript-eslint/parser from 5.57.0 to 5.57.1
2023-04-10 07:47:09 +02:00
Federico Builes c883e5a202 Merge pull request #455 from actions/dependabot/npm_and_yarn/eslint-8.38.0
Bump eslint from 8.37.0 to 8.38.0
2023-04-10 07:46:57 +02:00
Federico Builes 8938bd9ef0 Merge pull request #451 from actions/fix-external-config
Fix default values for fail-on-severity
2023-04-10 07:41:00 +02:00
dependabot[bot] 35a369d1cd Bump eslint from 8.37.0 to 8.38.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.37.0 to 8.38.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.37.0...v8.38.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 02:03:04 +00:00
dependabot[bot] 0a9f43e15a Bump @typescript-eslint/parser from 5.57.0 to 5.57.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.57.0 to 5.57.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 02:02:19 +00:00
Justin Holguín e0ec35dfb0 Merge pull request #439 from actions/juxtin/snapshot-warnings
Show snapshot warnings in the summary
2023-04-06 13:27:46 -07:00
Federico Builes 73625ad716 Merge branch 'allow-list-dependencies' of github.com:theztefan/dependency-review-action into allow-list-dependencies 2023-04-06 22:01:49 +02:00
Federico Builes 654eb5ca1c Updating README.md 2023-04-06 21:42:26 +02:00
Federico Builes 9885d0c74c Remove default values in action.yml 2023-04-06 21:33:35 +02:00
Federico Builes cebb5b1214 Don't use underscore for inline configs. 2023-04-06 21:33:24 +02:00
Federico Builes 50b918791f Update README. 2023-04-06 17:59:34 +02:00
Federico Builes 3f6a17c81c Update examples to use underscores instead of dashes. 2023-04-06 17:58:58 +02:00
Federico Builes 2c065db296 Add a test-helpers file. 2023-04-06 17:32:42 +02:00
Federico Builes ff46a4b16e Fixing failing test. 2023-04-06 17:11:29 +02:00
Federico Builes 153f274eb4 Mock octokit. 2023-04-06 17:11:16 +02:00
Federico Builes 0041d7fa41 Add a failing test. 2023-04-06 16:21:52 +02:00
Stefan Petrushevski 1896d6f936 Clean up; updated docs 2023-04-06 10:49:30 +02:00
Stefan Petrushevski 39dca1ce09 Adjusted output 2023-04-06 10:04:48 +02:00
Stefan Petrushevski d3fdbc93c5 Build and updated README 2023-04-06 09:58:14 +02:00
Stefan Petrushevski 9ad7edb033 switched to purl format 2023-04-06 09:37:42 +02:00
Federico Builes 97c9465751 separate tests for external configs 2023-04-05 15:14:57 +02:00
Federico Builes 8b0d4b3327 Merge pull request #446 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.57.0
Bump @typescript-eslint/eslint-plugin from 5.56.0 to 5.57.0
2023-04-03 11:05:13 +02:00
Federico Builes 8c24360582 Merge pull request #448 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.7.0
Bump eslint-plugin-github from 4.6.1 to 4.7.0
2023-04-03 11:04:36 +02:00
dependabot[bot] 80be5a7079 Bump @typescript-eslint/eslint-plugin from 5.56.0 to 5.57.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.56.0 to 5.57.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 05:10:30 +00:00
dependabot[bot] 35bd59fb9e Bump eslint-plugin-github from 4.6.1 to 4.7.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.6.1 to 4.7.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.6.1...v4.7.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 05:09:05 +00:00
Federico Builes b7ce9d546d Merge pull request #447 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.57.0
Bump @typescript-eslint/parser from 5.56.0 to 5.57.0
2023-04-03 07:02:10 +02:00
Federico Builes 5875c70f8f Merge pull request #449 from actions/dependabot/npm_and_yarn/types/node-16.18.23
Bump @types/node from 16.18.21 to 16.18.23
2023-04-03 07:01:49 +02:00
Federico Builes 43274f6899 Merge pull request #450 from actions/dependabot/npm_and_yarn/eslint-8.37.0
Bump eslint from 8.36.0 to 8.37.0
2023-04-03 07:01:31 +02:00
dependabot[bot] 81d482fe7f Bump eslint from 8.36.0 to 8.37.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.36.0 to 8.37.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.36.0...v8.37.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:02:13 +00:00
dependabot[bot] 420f61c64a Bump @types/node from 16.18.21 to 16.18.23
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.21 to 16.18.23.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:01:46 +00:00
dependabot[bot] 866b422c9e Bump @typescript-eslint/parser from 5.56.0 to 5.57.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.56.0 to 5.57.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-03 02:00:49 +00:00
Justin Holguín 76b8e83d1a Use 'Unnamed Manifest' as catchall bucket 2023-03-28 16:06:07 +00:00
Federico Builes 91eae64e0c Merge pull request #442 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.56.0
Bump @typescript-eslint/eslint-plugin from 5.55.0 to 5.56.0
2023-03-27 07:57:20 +02:00
Federico Builes f5f2eae995 Merge pull request #441 from actions/dependabot/npm_and_yarn/nodemon-2.0.22
Bump nodemon from 2.0.21 to 2.0.22
2023-03-27 07:37:18 +02:00
dependabot[bot] 355bcf860e Bump @typescript-eslint/eslint-plugin from 5.55.0 to 5.56.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.55.0 to 5.56.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.56.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 05:32:56 +00:00
dependabot[bot] 5726b20f6c Bump nodemon from 2.0.21 to 2.0.22
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.21 to 2.0.22.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.21...v2.0.22)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 05:32:36 +00:00
Federico Builes 4d05b525ee Merge pull request #444 from actions/dependabot/npm_and_yarn/prettier-2.8.7
Bump prettier from 2.8.4 to 2.8.7
2023-03-27 07:32:04 +02:00
Federico Builes 81ee3a8dc8 Merge pull request #443 from actions/dependabot/npm_and_yarn/types/node-16.18.21
Bump @types/node from 16.18.16 to 16.18.21
2023-03-27 07:31:53 +02:00
Federico Builes 3b871daeea Merge pull request #440 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.56.0
Bump @typescript-eslint/parser from 5.55.0 to 5.56.0
2023-03-27 07:31:31 +02:00
dependabot[bot] 3f5b40d019 Bump prettier from 2.8.4 to 2.8.7
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.4 to 2.8.7.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.4...2.8.7)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:06:07 +00:00
dependabot[bot] 89b3ba9416 Bump @types/node from 16.18.16 to 16.18.21
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.16 to 16.18.21.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:05:34 +00:00
dependabot[bot] a44d7c538d Bump @typescript-eslint/parser from 5.55.0 to 5.56.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.55.0 to 5.56.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.56.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-27 02:01:38 +00:00
Justin Holguín 7e1f7be1f6 Handle dependencies with an empty manifest field
This happens sometimes with snapshots. We just want them to be displayed properly in the HTML output.
2023-03-24 19:07:22 +00:00
Justin Holguín 0c01e947d6 Flesh out the warnings section a tiny bit 2023-03-23 23:26:23 +00:00
Justin Holguín 782549c724 Ignore snapshot_warnings for missing head snapshots 2023-03-23 22:59:07 +00:00
Justin Holguín 419396de41 Show snapshot warnings in the summary 2023-03-22 21:30:12 +00:00
Federico Builes f46c48ed6d bumping version 2023-03-20 07:22:20 +01:00
Federico Builes 1ac6f5d754 Merge pull request #437 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.55.0
Bump @typescript-eslint/eslint-plugin from 5.54.1 to 5.55.0
2023-03-20 06:47:27 +01:00
dependabot[bot] 30049aaf02 Bump @typescript-eslint/eslint-plugin from 5.54.1 to 5.55.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.54.1 to 5.55.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.55.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 05:45:47 +00:00
Federico Builes 02b3fbad1c Merge pull request #436 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.55.0
Bump @typescript-eslint/parser from 5.54.1 to 5.55.0
2023-03-20 06:44:51 +01:00
Federico Builes 5c5feeb63d Merge pull request #435 from actions/dependabot/npm_and_yarn/types/node-16.18.16
Bump @types/node from 16.18.14 to 16.18.16
2023-03-20 06:44:19 +01:00
dependabot[bot] 85bb8372bf Bump @typescript-eslint/parser from 5.54.1 to 5.55.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.54.1 to 5.55.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.55.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 02:15:06 +00:00
dependabot[bot] 463aece43a Bump @types/node from 16.18.14 to 16.18.16
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.14 to 16.18.16.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-20 02:14:20 +00:00
Stefan Petrushevski e17845d155 README changes as per PR comments 2023-03-16 11:23:57 +01:00
Federico Builes e3fb5152be Merge pull request #426 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.54.1
Bump @typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1
2023-03-13 09:29:06 +01:00
Federico Builes 4b088f072a Merge pull request #427 from actions/dependabot/npm_and_yarn/zod-3.21.4
Bump zod from 3.21.0 to 3.21.4
2023-03-13 09:28:51 +01:00
dependabot[bot] e46d65f438 Bump @typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.54.0 to 5.54.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.54.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 07:08:40 +00:00
Federico Builes 75222ed640 adding dist 2023-03-13 08:02:02 +01:00
Federico Builes f46bc4dbf8 Merge pull request #428 from actions/dependabot/npm_and_yarn/eslint-8.36.0
Bump eslint from 8.35.0 to 8.36.0
2023-03-13 08:00:22 +01:00
Federico Builes e0a5088fd6 Merge pull request #429 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.54.1
Bump @typescript-eslint/parser from 5.53.0 to 5.54.1
2023-03-13 08:00:01 +01:00
dependabot[bot] f1f8f2bf88 Bump @typescript-eslint/parser from 5.53.0 to 5.54.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.53.0 to 5.54.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.54.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:06:48 +00:00
dependabot[bot] 453f5e3690 Bump eslint from 8.35.0 to 8.36.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.35.0 to 8.36.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.35.0...v8.36.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:06:12 +00:00
dependabot[bot] 6a47644794 Bump zod from 3.21.0 to 3.21.4
Bumps [zod](https://github.com/colinhacks/zod) from 3.21.0 to 3.21.4.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.21.0...v3.21.4)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-13 02:05:51 +00:00
Stefan Petrushevski f0bda66bbf updated README 2023-03-08 15:44:01 +01:00
Stefan Petrushevski 1d7d9a2c93 new builds 2023-03-08 15:24:23 +01:00
Stefan Petrushevski d5c2f70a7f no inline config options due to limitations 2023-03-08 15:23:57 +01:00
Stefan Petrushevski f92376010c inline config options 2023-03-08 15:05:16 +01:00
Stefan Petrushevski c2303c3070 builds 2023-03-08 14:30:37 +01:00
Stefan Petrushevski 884b7abd2d updated summary output; create_summary.ts script 2023-03-08 13:02:59 +01:00
Stefan Petrushevski 600458c5dd licenses check exclusion list 2023-03-08 12:38:34 +01:00
Federico Builes d11e757f70 No support for custom branches note in README. 2023-03-06 09:13:40 +01:00
Federico Builes 63e5e62dba Merge pull request #416 from davelosert/adjust_summary_format
Adjust summary format
2023-03-06 09:10:58 +01:00
23 changed files with 5929 additions and 9434 deletions
+20 -16
View File
@@ -1,7 +1,7 @@
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
@@ -66,19 +66,20 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
*not supported for use with GitHub Enterprise Server
\*not supported for use with GitHub Enterprise Server
†will be supported with GitHub Enterprise Server 3.8
@@ -128,16 +129,19 @@ Start by specifying that you will be using an external configuration file:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified:
And then create the file in the path you just specified. Please note
that the **option names in external files use underscores instead of dashes**:
```yaml
fail-on-severity: 'critical'
allow-licenses:
fail_on_severity: 'critical'
allow_licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
### Considerations
- Checking for licenses is not supported on Enterprise Server.
+1 -93
View File
@@ -2,35 +2,7 @@ import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
function setInput(input: string, value: string): void {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
function clearInputs(): void {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
]
// eslint-disable-next-line github/array-foreach
allowedOptions.forEach(option => {
delete process.env[`INPUT_${option.toUpperCase()}`]
})
}
import {setInput, clearInputs} from './test-helpers'
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
@@ -105,60 +77,6 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
test('it reads an external config file', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the config file was not found', async () => {
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
await expect(readConfig()).rejects.toThrow()
})
test('it defaults to runtime scope', async () => {
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
@@ -234,16 +152,6 @@ test('it is not possible to disable both checks', async () => {
)
})
test('it supports comma-separated lists', async () => {
setInput(
'config-file',
'./__tests__/fixtures/inline-license-config-sample.yml'
)
const config = await readConfig()
expect(config.allow_licenses).toEqual(['MIT', 'GPL-2.0-only'])
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
+111
View File
@@ -0,0 +1,111 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import * as Utils from '../src/utils'
import {setInput, clearInputs} from './test-helpers'
const externalConfig = `fail_on_severity: 'high'
allow_licenses: ['GPL-2.0-only']
`
const mockOctokit = {
rest: {
repos: {
getContent: jest.fn().mockReturnValue({data: externalConfig})
}
}
}
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
test('it reads an external config file', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the config file was not found', async () => {
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
await expect(readConfig()).rejects.toThrow()
})
test('it supports comma-separated lists', async () => {
setInput(
'config-file',
'./__tests__/fixtures/inline-license-config-sample.yml'
)
const config = await readConfig()
expect(config.allow_licenses).toEqual(['MIT', 'GPL-2.0-only'])
})
test('it reads a config file hosted in another repo', async () => {
setInput(
'config-file',
'future-funk/anyone-cualkiera/external-config.yml@main'
)
setInput('external-repo-token', 'gh_viptoken')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('high')
expect(config.allow_licenses).toEqual(['GPL-2.0-only'])
})
@@ -1 +1 @@
allow-licenses: MIT, GPL-2.0-only
allow-licenses: "MIT, GPL-2.0-only"
@@ -1,3 +1,3 @@
fail-on-severity: 'so many zombies'
deny-licenses:
fail_on_severity: 'so many zombies'
deny_licenses:
- MIT
+71
View File
@@ -49,6 +49,32 @@ const rubyChange: Change = {
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
jest.mock('@actions/core')
const mockOctokit = {
@@ -153,6 +179,51 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
expect(invalidLicenses.unresolved.length).toEqual(2)
})
test('it does not filter out changes that are on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(0)
})
test('it does not fail when the packages dont have a valid PURL', async () => {
const emptyPurlChange = pipChange
emptyPurlChange.package_url = ''
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(1)
})
test('it does filters out changes if they are not on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(2)
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
+55
View File
@@ -27,6 +27,45 @@ const defaultConfig: ConfigurationOptions = {
comment_summary_in_pr: true
}
const changesWithEmptyManifests: Changes = [
{
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
{
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'connection',
version: '1.1.0',
package_url: 'pkg:hex/connection@1.1.0',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
{
change_type: 'added',
manifest: 'python/dist-info/METADATA',
ecosystem: 'pip',
name: 'pygments',
version: '2.6.1',
package_url: 'pkg:pypi/pygments@2.6.1',
license: 'BSD-2-Clause',
source_repository_url: 'https://github.com/pygments/pygments',
scope: 'runtime',
vulnerabilities: []
}
]
test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
@@ -65,6 +104,22 @@ test('only includes "No license issues found"-message if "vulnerability_check" i
expect(text).toContain('✅ No license issues found.')
})
test('groups dependencies with empty manifest paths together', () => {
summary.addSummaryToSummary(
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
const text = core.summary.stringify()
expect(text).toContain('<summary>Unnamed Manifest</summary>')
expect(text).toContain('castore')
expect(text).toContain('connection')
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
expect(text).toContain('pygments')
})
test('does not include status section if nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
+28
View File
@@ -0,0 +1,28 @@
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
export function setInput(input: string, value: string): void {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
export function clearInputs(): void {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
]
// eslint-disable-next-line github/array-foreach
allowedOptions.forEach(option => {
delete process.env[`INPUT_${option.toUpperCase()}`]
})
}
+5 -2
View File
@@ -1,3 +1,5 @@
# Avoid using default values for options here since they will
# end up overriding external configurations.
name: 'Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
@@ -9,11 +11,9 @@ inputs:
fail-on-severity:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
fail-on-scopes:
description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")
required: false
default: 'runtime'
base-ref:
description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
@@ -29,6 +29,9 @@ inputs:
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
Generated Vendored
+4813 -2073
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+22
View File
@@ -1340,6 +1340,28 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
packageurl-js
MIT
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
safe-buffer
MIT
The MIT License (MIT)
+232
View File
@@ -0,0 +1,232 @@
# Examples on how to use the Dependancy Review Action
## Basic Usage
A very basic example of how to use the action. This will run the action with the default configuration.
The full list of configuration options can be found [here](../README.md#configuration-options).
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
## Using an inline configuration
The following example will fail the action if any vulnerabilities are found with a severity of medium or higher; and if any packages are found with an incompatible license - in this case, the LGPL-2.0 and BSD-2-Clause licenses.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
```
## Using a configuration file
The following example will use a configuration file to configure the action. This is useful if you want to keep your configuration in a single place and makes it easier to manage as the configuration grows.
The configuration file can be located in the same repository or in a separate repository. Having it in a separate repository might be useful if you plan to use the same configuration across multiple repositories and control it centrally.
In this example, the configuration file is located in the same repository under `.github/dependency-review-config.yml`. The following configuration will fail the action if any vulnerabilities are found with a severity of critical; and if any packages are found with an incompatible license - in this case, the LGPL-2.0 and BSD-2-Clause licenses.
```yaml
fail_on_severity: 'critical'
allow_licenses:
- 'LGPL-2.0'
- 'BSD-2-Clause'
```
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: './.github/dependency-review-config.yml'
```
## Using a configuration file from a external repository
The following example will use a configuration file from an external public GitHub repository to configure the action.
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
## Using a configuration file from a external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
config-file-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
```
## Getting the results of the action in the PR as a comment
Using the `comment-summary-in-pr` you can get the results of the action in the PR as a comment. In order for this to work, the action needs to be able to create a comment in the PR. This requires additional `pull-requests: write` permission.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
In this example, we are excluding `lodash` from `npm` and `requests` from `pip` dependencies from the license check
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
```
If we were to use configuration file, the configuration would look like this:
```yaml
fail-on-severity: 'critical'
allow-licenses:
- 'LGPL-2.0'
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
```
## Only check for vulnerabilities
To only do the vulnerability check you can use the `license-check` to disable the license compatibility check (which is done by default).
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
comment-summary-in-pr: true
license-check: false
```
+414 -7225
View File
File diff suppressed because it is too large Load Diff
+13 -12
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.3",
"version": "3.0.6",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -31,31 +31,32 @@
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.2.1",
"got": "^12.6.0",
"nodemon": "^2.0.21",
"octokit": "^2.0.14",
"nodemon": "^2.0.22",
"octokit": "^2.0.16",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.2.1",
"zod": "^3.21.0"
"yaml": "^2.3.1",
"zod": "^3.21.4"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.14",
"@types/node": "^16.18.34",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^5.54.0",
"@typescript-eslint/parser": "^5.53.0",
"@typescript-eslint/eslint-plugin": "^5.59.8",
"@typescript-eslint/parser": "^5.59.8",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.35.0",
"eslint-plugin-github": "^4.6.1",
"eslint": "^8.41.0",
"eslint-plugin-github": "^4.7.0",
"eslint-plugin-jest": "^27.2.1",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.21",
"prettier": "2.8.4",
"nodemon": "^2.0.22",
"prettier": "2.8.8",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
+6
View File
@@ -22,6 +22,12 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: ['MIT'],
deny_licenses: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
],
comment_summary_in_pr: true
}
+29 -1
View File
@@ -5,6 +5,7 @@ import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
@@ -29,6 +30,9 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const fail_on_scopes = parseList(getOptionalInput('fail-on-scopes'))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
const allow_dependencies_licenses = parseList(
getOptionalInput('allow-dependencies-licenses')
)
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
@@ -36,6 +40,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
@@ -44,6 +49,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_dependencies_licenses,
allow_ghsas,
license_check,
vulnerability_check,
@@ -130,7 +136,8 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
'allow-licenses',
'deny-licenses',
'fail-on-scopes',
'allow-ghsas'
'allow-ghsas',
'allow-dependencies-licenses'
]
for (const key of Object.keys(data)) {
@@ -149,6 +156,11 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
validateLicenses(key, data[key])
}
// validate purls from the allow-dependencies-licenses
if (key === 'allow-dependencies-licenses') {
validatePURL(data[key])
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
@@ -187,3 +199,19 @@ async function getRemoteConfig(configOpts: {
throw new Error('Error fetching remote config file')
}
}
function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
//validate that the provided elements of the string are in valid purl format
if (allow_dependencies_licenses === undefined) {
return
}
const invalid_purls = allow_dependencies_licenses.filter(
purl => !PackageURL.fromString(purl)
)
if (invalid_purls.length > 0) {
throw new Error(
`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`
)
}
return
}
+26 -4
View File
@@ -1,9 +1,14 @@
import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {Changes, ChangesSchema} from './schemas'
import {
ChangesSchema,
ComparisonResponse,
ComparisonResponseSchema
} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const SnapshotWarningsHeader = 'x-github-dependency-graph-snapshot-warnings'
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
)
@@ -18,14 +23,31 @@ export async function compare({
repo: string
baseRef: string
headRef: string
}): Promise<Changes> {
}): Promise<ComparisonResponse> {
let snapshot_warnings = ''
const changes = await octo.paginate(
'GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
{
method: 'GET',
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner,
repo,
basehead: `${baseRef}...${headRef}`
},
response => {
if (
response.headers[SnapshotWarningsHeader] &&
typeof response.headers[SnapshotWarningsHeader] === 'string'
) {
snapshot_warnings = Buffer.from(
response.headers[SnapshotWarningsHeader],
'base64'
).toString('utf-8')
}
return ChangesSchema.parse(response.data)
}
)
return ChangesSchema.parse(changes)
return ComparisonResponseSchema.parse({
changes,
snapshot_warnings
})
}
+36 -1
View File
@@ -1,17 +1,19 @@
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
/**
* Loops through a list of changes, filtering and returning the
* ones that don't conform to the licenses allow/deny lists.
* It will also filter out the changes which are defined in the licenseExclusions list.
*
* Keep in mind that we don't let users specify both an allow and a deny
* list in their config files, so this code works under the assumption that
* one of the two list parameters will be empty. If both lists are provided,
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @param { { allow?: string[], deny?: string[], licenseExclusions?: string[]}} licenses An object with `allow`/`deny`/`licenseExclusions` keys, each containing a list of licenses.
* @returns {Promise<{Object.<string, Array.<Change>>}} A promise to a Record Object. The keys are strings, unlicensed, unresolved and forbidden. The values are a list of changes
*/
export type InvalidLicenseChangeTypes =
@@ -24,11 +26,44 @@ export async function getInvalidLicenseChanges(
licenses: {
allow?: string[]
deny?: string[]
licenseExclusions?: string[]
}
): Promise<InvalidLicenseChanges> {
const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return PackageURL.fromString(pkgUrl)
}
)
const groupedChanges = await groupChanges(changes)
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
// It does by creating a new PackageURL object from the change and comparing it to the exclusions list
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = PackageURL.fromString(change.package_url)
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions !== null &&
licenseExclusions !== undefined &&
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
const licensedChanges: Changes = groupedChanges.licensed
const invalidLicenseChanges: InvalidLicenseChanges = {
+10 -2
View File
@@ -20,14 +20,17 @@ import {commentPr} from './comment-pr'
async function run(): Promise<void> {
try {
const config = await readConfig()
const refs = getRefs(config, github.context)
const changes = await dependencyGraph.compare({
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
})
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
if (!changes) {
core.info('No Dependency Changes found. Skipping Dependency Review.')
@@ -55,7 +58,8 @@ async function run(): Promise<void> {
filteredChanges,
{
allow: config.allow_licenses,
deny: config.deny_licenses
deny: config.deny_licenses,
licenseExclusions: config.allow_dependencies_licenses
}
)
@@ -65,6 +69,10 @@ async function run(): Promise<void> {
config
)
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
}
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
+6
View File
@@ -40,6 +40,7 @@ export const ConfigurationOptionsSchema = z
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
@@ -73,9 +74,14 @@ export const ConfigurationOptionsSchema = z
})
export const ChangesSchema = z.array(ChangeSchema)
export const ComparisonResponseSchema = z.object({
changes: z.array(ChangeSchema),
snapshot_warnings: z.string()
})
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ComparisonResponse = z.infer<typeof ComparisonResponseSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = (typeof SCOPES)[number]
+24
View File
@@ -143,6 +143,13 @@ export function addLicensesToSummary(
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
)
}
if (config.allow_dependencies_licenses) {
core.summary.addQuote(
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
', '
)}`
)
}
core.debug(
`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`
@@ -215,6 +222,23 @@ export function addScannedDependencies(changes: Changes): void {
}
}
export function addSnapshotWarnings(warnings: string): void {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i')
if (ignore_regex.test(warnings)) {
return
}
core.summary.addHeading('Snapshot Warnings', 2)
core.summary.addQuote(`${icons.warning}: ${warnings}`)
core.summary.addRaw(
'Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.'
)
}
function countLicenseIssues(
invalidLicenseChanges: InvalidLicenseChanges
): number {
+3 -1
View File
@@ -8,7 +8,9 @@ export function groupDependenciesByManifest(
): Map<string, Changes> {
const dependencies: Map<string, Changes> = new Map()
for (const change of changes) {
const manifestName = change.manifest
// If the manifest is null or empty, give it a name now to avoid
// breaking the HTML rendering later
const manifestName = change.manifest || 'Unnamed Manifest'
if (dependencies.get(manifestName) === undefined) {
dependencies.set(manifestName, [])