Compare commits

..

160 Commits

Author SHA1 Message Date
Federico Builes c94f57ba90 Add a new image for the example report. 2024-02-19 17:18:02 +01:00
Federico Builes 124fafe31e Merge branch 'issue-250' into output-comment 2024-02-19 17:12:19 +01:00
Federico Builes 26174d80a2 Merge branch 'issue-250' of https://github.com/jsoref/dependency-review-action into issue-250 2024-02-19 17:12:08 +01:00
Federico Builes a87338ac8a Update example workflow. 2024-02-19 17:10:11 +01:00
Josh Soref 64f81cd2da Expose dependency comment content 2024-02-19 11:07:56 -05:00
Josh Soref 0ca1f606a4 Report action input names 2024-02-19 11:07:42 -05:00
Josh Soref d416fb5267 Add minimal alt text to README 2024-02-19 11:07:19 -05:00
Josh Soref 81bba5eb54 Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 11:07:07 -05:00
Josh Soref f9daaa3561 Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 11:06:54 -05:00
Josh Soref 60c44a0894 Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 11:06:54 -05:00
Federico Builes 7911825c25 Point directly to DR API. 2024-02-19 16:38:15 +01:00
Federico Builes ad040f4b88 adding dist/ 2024-02-19 16:22:53 +01:00
Josh Soref 2876926e7f Expose dependency comment content 2024-02-19 10:09:03 -05:00
Josh Soref 47a0fcbcd4 Report action input names 2024-02-19 10:06:32 -05:00
Josh Soref da507e61ac Add minimal alt text to README 2024-02-19 10:06:32 -05:00
Josh Soref 0034949d8d Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 10:06:32 -05:00
Josh Soref f1706f5a9d Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 09:49:21 -05:00
Josh Soref a569f6fc5c Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 09:49:21 -05:00
Federico Builes fd07d42ce8 bumping to 4.1.1 2024-02-19 10:03:58 +01:00
Federico Builes 77290ae4a1 bump transitive dep on undici 2024-02-19 10:03:58 +01:00
Federico Builes 9411082069 Merge pull request #693 from actions/dependabot/npm_and_yarn/types/node-20.11.19
Bump @types/node from 20.11.17 to 20.11.19
2024-02-19 08:54:35 +01:00
dependabot[bot] 73d8c1b981 Bump @types/node from 20.11.17 to 20.11.19
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.17 to 20.11.19.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 01:24:57 +00:00
Federico Builes 80f10bf419 Bump to 4.1.0. 2024-02-14 08:13:14 +01:00
Federico Builes 17728c80ab Merge pull request #689 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.21.0
Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
2024-02-12 06:31:08 +01:00
dependabot[bot] 0ac4f80276 Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 05:29:22 +00:00
Federico Builes 1ebcf1475c Merge pull request #690 from actions/dependabot/npm_and_yarn/types/node-20.11.17
Bump @types/node from 20.11.10 to 20.11.17
2024-02-12 06:28:34 +01:00
Federico Builes 5777ce6aec Merge pull request #688 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.21.0
Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
2024-02-12 06:28:19 +01:00
Federico Builes 37dd5f9e8a Merge pull request #687 from actions/dependabot/npm_and_yarn/ts-jest-29.1.2
Bump ts-jest from 29.1.1 to 29.1.2
2024-02-12 06:28:12 +01:00
dependabot[bot] 6c2af06a9d Bump @types/node from 20.11.10 to 20.11.17
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.10 to 20.11.17.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:23 +00:00
dependabot[bot] 58d70bd41a Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:01 +00:00
dependabot[bot] 972c2b36d8 Bump ts-jest from 29.1.1 to 29.1.2
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 29.1.1 to 29.1.2.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.1.1...v29.1.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:13:48 +00:00
Justin Holguín 60f93ef4a0 Merge pull request #432 from tgrall/issue-431-fail-on-severity-none
Add none as option for fail-on-severity
2024-02-11 14:00:39 -08:00
tgrall c2936a6e3e fix reviewed done by @juxtin - bad line in yml 2024-02-10 09:20:39 +01:00
Federico Builes ba2d570913 Merge pull request #682 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.20.0
Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
2024-02-05 07:57:39 +01:00
dependabot[bot] 629b4c97dd Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.19.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:56:33 +00:00
Federico Builes 58e8c75f3b Merge pull request #684 from actions/dependabot/npm_and_yarn/got-14.2.0
Bump got from 14.0.0 to 14.2.0
2024-02-05 07:55:50 +01:00
dependabot[bot] 8db04ed44f Bump got from 14.0.0 to 14.2.0
Bumps [got](https://github.com/sindresorhus/got) from 14.0.0 to 14.2.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.0.0...v14.2.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:55:44 +00:00
Federico Builes b3aa197a26 Merge pull request #683 from actions/dependabot/npm_and_yarn/prettier-3.2.5
Bump prettier from 3.2.4 to 3.2.5
2024-02-05 07:55:42 +01:00
Federico Builes 4e78eb60ef Merge pull request #681 from actions/dependabot/npm_and_yarn/types/jest-29.5.12
Bump @types/jest from 29.5.11 to 29.5.12
2024-02-05 07:54:49 +01:00
Federico Builes 65f749b96d Merge pull request #680 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.20.0
Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
2024-02-05 07:54:36 +01:00
dependabot[bot] 0043ed5ccb Bump prettier from 3.2.4 to 3.2.5
Bumps [prettier](https://github.com/prettier/prettier) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.4...3.2.5)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:36 +00:00
dependabot[bot] 52933765bf Bump @types/jest from 29.5.11 to 29.5.12
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.11 to 29.5.12.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:18 +00:00
dependabot[bot] 6a6f26102b Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:11 +00:00
tgrall 8f3df4d674 fix ci failure on format-check 2024-02-02 06:09:20 +01:00
tgrall 98e8293881 Update Readme and action.yml based on review comments 2024-02-01 06:03:53 +01:00
Justin Holguín 748888b3fd Merge pull request #665 from actions/dependabot/npm_and_yarn/prettier-3.2.4
Bump prettier from 3.1.1 to 3.2.4
2024-01-31 14:19:36 -08:00
Justin Holguín 4dffb75625 Run prettier --write 2024-01-31 22:09:37 +00:00
Justin Holguín 9e50351924 Merge pull request #678 from actions/juxtin/codeql-ignore-dist
Use manual codeql config
2024-01-31 13:49:51 -08:00
Justin Holguín 0812876f7c Update codeql.yml 2024-01-31 13:44:54 -08:00
Justin Holguín 4f37a60d4f Create codeql.yml 2024-01-31 13:36:31 -08:00
dependabot[bot] c0518321c3 Bump prettier from 3.1.1 to 3.2.4
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.1 to 3.2.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.1...3.2.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-31 18:57:22 +00:00
Justin Holguín 0229309241 Merge pull request #673 from actions/dependabot/npm_and_yarn/nodemon-3.0.3
Bump nodemon from 3.0.2 to 3.0.3
2024-01-31 10:56:20 -08:00
Jon Janego c664fc5964 Update examples.md
spelling
2024-01-31 12:43:08 -06:00
Federico Builes a7da313c35 Merge pull request #675 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.19.1
Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
2024-01-29 07:50:12 +01:00
Federico Builes 8953f45584 Merge pull request #674 from actions/dependabot/npm_and_yarn/types/node-20.11.10
Bump @types/node from 20.11.5 to 20.11.10
2024-01-29 07:49:59 +01:00
dependabot[bot] d93026fc89 Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.1 to 6.19.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.19.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:35:06 +00:00
dependabot[bot] 5a2ac62566 Bump @types/node from 20.11.5 to 20.11.10
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.5 to 20.11.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:51 +00:00
dependabot[bot] 0f007f69b1 Bump nodemon from 3.0.2 to 3.0.3
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:40 +00:00
tgrall 05d861260a finalize testing 2024-01-28 15:54:59 +01:00
tgrall 2c526853b4 new debug test 2024-01-28 15:51:39 +01:00
tgrall 9e251a5913 dist 2024-01-28 15:00:36 +01:00
tgrall ee5bd475ba debug behavior 2024-01-28 14:59:04 +01:00
tgrall b0a705da21 Fix license printing bug in main.ts 2024-01-28 14:54:28 +01:00
tgrall 0bab6ffc2c Fix vulnerability check to print warnings instead
of failing
2024-01-28 14:54:14 +01:00
tgrall f91404ca86 set status to low when warn-only is set to true 2024-01-28 14:35:44 +01:00
tgrall d6f324d18a fix typo in readme 2024-01-28 14:24:12 +01:00
tgrall f1576849e6 package the action 2024-01-28 10:58:10 +01:00
tgrall fc49851780 merge from main and fix code review comment from @juxtin 2024-01-28 10:16:07 +01:00
Jon Janego d53388efe8 Merge pull request #671 from jonjanego/main
Create stale.yaml
2024-01-26 10:09:43 -06:00
Jon Janego 56991330a3 Update stale.yaml
assigning explicit permissions
2024-01-26 09:15:48 -06:00
Jon Janego a824acd5d7 Create stale.yaml 2024-01-25 13:49:10 -06:00
Federico Builes 935098a950 updating @types/node to Node 20 2024-01-22 07:54:40 +01:00
Federico Builes b658b91622 Merge pull request #669 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.6.3
Bump eslint-plugin-jest from 27.6.0 to 27.6.3
2024-01-22 07:40:35 +01:00
dependabot[bot] d16453ab26 Bump eslint-plugin-jest from 27.6.0 to 27.6.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.6.0 to 27.6.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.6.0...v27.6.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 06:38:10 +00:00
Federico Builes 0381eac2bc Merge pull request #667 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.3
Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
2024-01-22 07:36:52 +01:00
dependabot[bot] 1967b21a03 Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.1.2 to 5.1.3.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.2...v5.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 01:15:42 +00:00
Federico Builes 4cd9eb2d23 Updating docs to point to v4. 2024-01-18 14:23:52 +01:00
Federico Builes 4901385134 bump to 4.0.0 2024-01-18 13:57:38 +01:00
Federico Builes dbf82a4a5e Merge pull request #639 from takost/takost/update-to-node-20
Update action to node20
2024-01-18 13:52:05 +01:00
Federico Builes 78aeb2a948 Merge pull request #663 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.1
Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
2024-01-15 06:39:13 +01:00
dependabot[bot] 4e510006f5 Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 05:38:23 +00:00
Federico Builes 9560737c5e Merge pull request #661 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.1
Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
2024-01-15 06:37:15 +01:00
Federico Builes 4125f47f7e Merge pull request #660 from actions/dependabot/npm_and_yarn/types/node-16.18.70
Bump @types/node from 16.18.62 to 16.18.70
2024-01-15 06:37:05 +01:00
dependabot[bot] 07cc93e0c8 Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:21:13 +00:00
dependabot[bot] e2c203b8b7 Bump @types/node from 16.18.62 to 16.18.70
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.62 to 16.18.70.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:20:53 +00:00
Federico Builes f0b304d0bc Merge pull request #653 from actions/dependabot/npm_and_yarn/got-14.0.0
Bump got from 13.0.0 to 14.0.0
2024-01-09 13:24:33 +01:00
Federico Builes e41543eaf0 Merge pull request #656 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.0
Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
2024-01-08 11:50:44 +01:00
dependabot[bot] 8ded6194d1 Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.16.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 10:46:03 +00:00
Federico Builes b5f60d5e37 Merge pull request #657 from actions/dependabot/npm_and_yarn/typescript-5.3.3
Bump typescript from 5.3.2 to 5.3.3
2024-01-08 11:45:16 +01:00
Federico Builes 45fc3f5adc Merge pull request #655 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.0
Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
2024-01-08 11:44:58 +01:00
Federico Builes c8593625f2 Merge pull request #654 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.2
Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
2024-01-08 11:44:42 +01:00
dependabot[bot] d2ca024914 Bump typescript from 5.3.2 to 5.3.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.3.2 to 5.3.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.2...v5.3.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:41 +00:00
dependabot[bot] 9649fc68a8 Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.15.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:04 +00:00
dependabot[bot] 2ac94ccf28 Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.0.1 to 5.1.2.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.0.1...v5.1.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:42 +00:00
dependabot[bot] 925e3a5871 Bump got from 13.0.0 to 14.0.0
Bumps [got](https://github.com/sindresorhus/got) from 13.0.0 to 14.0.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v13.0.0...v14.0.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:34 +00:00
Henri Maurer ab6f73d40f Merge pull request #621 from actions/dependabot/npm_and_yarn/octokit-3.1.2
Bump octokit from 2.1.0 to 3.1.2
2024-01-05 09:38:43 +00:00
Henri Maurer 746e9675d6 npm run package 2024-01-05 09:37:10 +00:00
Henri Maurer 3735443721 update @octokit/* and @actions/* 2024-01-05 09:36:49 +00:00
dependabot[bot] 44bab84b22 Bump octokit from 2.1.0 to 3.1.2
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.2.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:51:50 +00:00
Henri Maurer 8690720eb6 Merge pull request #652 from actions/dependabot/npm_and_yarn/octokit/webhooks-10.9.2
Bump @octokit/webhooks from 10.9.1 to 10.9.2
2024-01-04 16:48:16 +00:00
Henri Maurer e03c8a14eb npm run all 2024-01-04 16:46:59 +00:00
dependabot[bot] 194e338d30 Bump @octokit/webhooks from 10.9.1 to 10.9.2
Bumps [@octokit/webhooks](https://github.com/octokit/webhooks.js) from 10.9.1 to 10.9.2.
- [Release notes](https://github.com/octokit/webhooks.js/releases)
- [Commits](https://github.com/octokit/webhooks.js/compare/v10.9.1...v10.9.2)

---
updated-dependencies:
- dependency-name: "@octokit/webhooks"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:40:33 +00:00
Henri Maurer 1d740b64ec Merge pull request #642 from actions/dependabot/github_actions/actions/upload-artifact-4
Bump actions/upload-artifact from 3 to 4
2024-01-04 16:40:31 +00:00
Henri Maurer c74b580d73 Merge pull request #651 from actions/release-3.1.5
Bump version to 3.1.5
2024-01-04 15:06:44 +00:00
Henri Maurer cc4f6536e3 Release 3.1.5 2024-01-04 15:05:38 +00:00
Henri Maurer d2ed7c0d19 Merge pull request #649 from actions/per-page
Smaller `per_page` when requesting diff
2024-01-04 14:33:15 +00:00
Henri Maurer 9e77cc7329 npm run package 2024-01-04 10:49:05 +00:00
Henri Maurer b383a9aa6e Smaller per_page when requesting diff 2024-01-04 10:17:51 +00:00
Federico Builes 8a49820431 Merge pull request #646 from actions/dependabot/npm_and_yarn/prettier-3.1.1
Bump prettier from 3.1.0 to 3.1.1
2024-01-01 08:02:27 -05:00
Federico Builes a10a70d24c Merge pull request #645 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.16.0
Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
2024-01-01 08:02:14 -05:00
dependabot[bot] 0de163860f Bump prettier from 3.1.0 to 3.1.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.0...3.1.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:27:06 +00:00
dependabot[bot] 522f0218d0 Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.13.1 to 6.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:26:56 +00:00
Federico Builes 2597ca4eee Merge pull request #640 from actions/dependabot/npm_and_yarn/eslint-8.56.0
Bump eslint from 8.53.0 to 8.56.0
2023-12-28 12:27:10 -05:00
dependabot[bot] e5c6735807 Bump eslint from 8.53.0 to 8.56.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.53.0 to 8.56.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.53.0...v8.56.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-28 15:37:40 +00:00
Federico Builes 94f992f10e Merge pull request #644 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.15.0
Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
2023-12-28 10:36:29 -05:00
dependabot[bot] c45cbd720f Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.12.0 to 6.15.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.15.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 01:37:54 +00:00
dependabot[bot] 5ccb7d478c Bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 01:54:59 +00:00
Tatyana Kostromskaya 02456f4a00 Merge branch 'main' into takost/update-to-node-20 2023-12-14 15:08:39 +00:00
Tatyana Kostromskaya 1c9a424cbc . 2023-12-14 15:06:21 +00:00
Federico Builes 2425542aca Merge pull request #638 from actions/fix-purls
Replace pip -> pypi in PURL examples
2023-12-11 17:25:43 +01:00
Federico Builes b39e17ba5e Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00
Federico Builes b8a398b675 Merge pull request #636 from actions/dependabot/npm_and_yarn/nodemon-3.0.2
Bump nodemon from 3.0.1 to 3.0.2
2023-12-11 06:04:47 +01:00
Federico Builes 1612de9646 Merge pull request #637 from actions/dependabot/npm_and_yarn/types/jest-29.5.11
Bump @types/jest from 29.5.8 to 29.5.11
2023-12-11 06:04:33 +01:00
dependabot[bot] 53de591348 Bump @types/jest from 29.5.8 to 29.5.11
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.8 to 29.5.11.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:35 +00:00
dependabot[bot] 288d543806 Bump nodemon from 3.0.1 to 3.0.2
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:24 +00:00
Federico Builes 359e1ffa80 Merge pull request #629 from actions/dependabot/npm_and_yarn/prettier-3.1.0
Bump prettier from 3.0.3 to 3.1.0
2023-12-04 08:58:13 +01:00
Federico Builes 63e1558807 Merge pull request #630 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.13.1
Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
2023-12-04 08:57:52 +01:00
dependabot[bot] 069cbabe02 Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.10.0 to 6.13.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.13.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:25:07 +00:00
dependabot[bot] 2e3c709016 Bump prettier from 3.0.3 to 3.1.0
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.3...3.1.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:24:49 +00:00
Federico Builes 01bc87099b bumping version 2023-11-28 08:11:14 +01:00
Federico Builes 4b4f0de8e1 Merge pull request #623 from actions/fix-advisory-filters
Fix GHSA Filtering
2023-11-28 08:10:11 +01:00
Federico Builes a93fa86c77 Fixing test name. 2023-11-28 08:08:29 +01:00
Federico Builes 550520e2c5 Merge pull request #624 from actions/dependabot/npm_and_yarn/typescript-5.3.2
Bump typescript from 5.2.2 to 5.3.2
2023-11-27 07:22:56 +01:00
Federico Builes 2d0fb60634 Merge pull request #625 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.12.0
Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
2023-11-27 07:22:47 +01:00
dependabot[bot] c07c2375ed Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.11.0 to 6.12.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.12.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:17:05 +00:00
dependabot[bot] 4d842d754e Bump typescript from 5.2.2 to 5.3.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.2.2 to 5.3.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.2.2...v5.3.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:16:38 +00:00
Federico Builes a6d4686316 adding dist 2023-11-24 14:40:48 +01:00
Federico Builes 4366dbae42 Advisory filters should not drop entire dependencies. 2023-11-24 14:40:18 +01:00
Federico Builes 50dafeb5e4 Tiny logic refactor. 2023-11-24 14:37:30 +01:00
Federico Builes 1cbb048907 Merge pull request #620 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.11.0
Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
2023-11-20 08:33:40 +01:00
dependabot[bot] ee69e92054 Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.10.0 to 6.11.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.11.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 07:29:18 +00:00
Federico Builes 5991d7a97d Merge pull request #619 from actions/dependabot/npm_and_yarn/types/node-16.18.62
Bump @types/node from 16.18.61 to 16.18.62
2023-11-20 08:27:56 +01:00
dependabot[bot] c409735e58 Bump @types/node from 16.18.61 to 16.18.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.61 to 16.18.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 01:46:41 +00:00
Federico Builes 7bbfa034e7 bumping to 3.1.3 2023-11-13 17:57:44 +01:00
Federico Builes 26f1ad9120 Merge pull request #617 from theztefan/purl-encoding-error
Fixes purl "version must be percent-encoded"
2023-11-13 17:55:23 +01:00
Stefan Petrushevski 152d8e2def Prettier 2023-11-13 17:45:48 +01:00
Stefan Petrushevski b99756ecd3 encode string for pUrl 2023-11-13 17:19:24 +01:00
Federico Builes fde92acd08 Merge pull request #611 from actions/fix-https-proxy
Fix proxy failures in 3.1.1
2023-11-08 09:14:57 +01:00
tgrall 3b37a4ef1c update documentation 2023-06-14 09:17:26 +02:00
tgrall 13c4496f31 update doc 2023-06-14 09:12:19 +02:00
tgrall 7ed3405bdc warn_only_test_ 2023-06-14 08:55:38 +02:00
tgrall 9b290a185a fix ini of warn-only param 2023-06-13 09:44:03 +02:00
tgrall 995bb847a3 new dev 2023-06-13 09:34:12 +02:00
tgrall f1e6d67732 wan only 2023-06-13 09:29:10 +02:00
tgrall d833109d4d new build 2023-06-13 08:54:16 +02:00
tgrall a3a8a9c756 new build 2023-06-12 13:56:53 +02:00
tgrall 0b053fccb4 add new parameter warn_only 2023-06-12 11:26:44 +02:00
Courtney Claessens 78f160dece Update README.md
swap order to follow what's in the table
2023-04-03 15:57:39 -04:00
tgrall cc302f4c2b fix linter/format 2023-03-20 09:07:07 +01:00
tgrall 621d03bf3a Add none as option for fail-on-severity 2023-03-18 05:21:58 +01:00
28 changed files with 4383 additions and 11102 deletions
+3 -3
View File
@@ -23,10 +23,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set Node.js 18.x
- name: Set Node.js 20.x
uses: actions/setup-node@v4
with:
node-version: 18.x
node-version: 20.x
cache: npm
- name: Install dependencies
@@ -47,7 +47,7 @@ jobs:
id: diff
# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
+2 -2
View File
@@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
@@ -30,7 +30,7 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
+48
View File
@@ -0,0 +1,48 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '21 0 * * 4'
jobs:
analyze:
name: Analyze
runs-on: 'ubuntu-latest'
timeout-minutes: 360
permissions:
# required for all workflows
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
+25
View File
@@ -0,0 +1,25 @@
name: Close stale PRs
permissions:
pull-requests: write
on:
schedule:
- cron: "00 0 * * *" # runs at 00:00 daily
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.0.0
name: Clean up stale PRs
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details."
stale-pr-label: "Stale"
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
days-before-pr-stale: 180 # when the PR is considered stale
days-before-pr-close: 15 # when the PR is closed by the bot,
days-before-issue-stale: -1 # prevents issues from being tagged by the bot
days-before-issue-close: -1 # prevents issues from being closed by the bot
exempt-assignees: 'advanced-security-dependency-graph'
ascending: true
+2 -2
View File
@@ -112,8 +112,8 @@ minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v3 -m "Updating v3 to 3.0.1"
git push origin v3 --force
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
```
## Resources
+34 -29
View File
@@ -1,21 +1,21 @@
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
You can see the results on the job logs:
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary:
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
1. Add a new YAML workflow to your `.github/workflows` folder:
@@ -33,16 +33,16 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
### GitHub Enterprise Server
This action is available in Enterprise Server starting with version 3.6. Make sure
Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can use the same workflow as above, replacing the `runs-on` value
@@ -59,33 +59,34 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
## Configuration options
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
\*not supported for use with GitHub Enterprise Server
†will be supported with GitHub Enterprise Server 3.8
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
### Inline Configuration
@@ -105,7 +106,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
@@ -128,7 +129,7 @@ Start by specifying that you will be using an external configuration file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
@@ -154,7 +155,11 @@ For more examples of how to use this action and its configuration options, see t
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Outputs
`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
## Getting help
+5
View File
@@ -26,6 +26,11 @@ test('it reads custom configs', async () => {
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to false for warn-only', async () => {
const config = await readConfig()
expect(config.warn_only).toEqual(false)
})
test('it defaults to empty allow/deny lists ', async () => {
const config = await readConfig()
+1 -1
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
+118 -24
View File
@@ -19,7 +19,7 @@ const npmChange: Change = {
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_ghsa_id: 'vulnerable-ghsa-id',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
@@ -39,13 +39,13 @@ const rubyChange: Change = {
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_ghsa_id: 'moderate-ghsa-id',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_ghsa_id: 'low-ghsa-id',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
@@ -65,6 +65,64 @@ const noVulnNpmChange: Change = {
vulnerabilities: []
}
const lodashChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
name: 'lodash',
version: '4.17.0',
package_url: 'pkg:npm/lodash@4.17.0',
license: 'MIT',
source_repository_url: 'https://github.com/lodash/lodash',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'GHSA-jf85-cpcp-j695',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-4xc9-xhrj-v574',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-4xc9-xhrj-v574'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
advisory_summary: 'Command Injection in lodash',
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-p6mc-m468-83gw',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-x5rq-j2xg-h7qm',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-x5rq-j2xg-h7qm'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-29mw-wpgm-hmr9',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9'
},
{
severity: 'low',
advisory_ghsa_id: 'GHSA-fvqr-27wr-82fm',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-fvqr-27wr-82fm'
}
]
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
@@ -99,25 +157,61 @@ test('it properly handles undefined advisory IDs', async () => {
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
const fakeGHSAChanges = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(fakeGHSAChanges).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
test('it properly filters only allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = [
...npmChange.vulnerabilities,
...rubyChange.vulnerabilities,
...noVulnNpmChange.vulnerabilities
]
const vulnerable = filterAllowedAdvisories(['vulnerable-ghsa-id'], changes)
const newVulns = vulnerable.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 1)
expect(newVulns).not.toContainEqual(
expect.objectContaining({advisory_ghsa_id: 'vulnerable-ghsa-id'})
)
})
test('does not drop dependencies when filtering by GHSA', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const result = filterAllowedAdvisories(
['moderate-ghsa-id', 'low-ghsa-id', 'GHSA-jf85-cpcp-j695'],
changes
)
expect(result.map(change => change.name)).toEqual(
changes.map(change => change.name)
)
})
test('it properly filters multiple GHSAs', async () => {
const allowedGHSAs = ['vulnerable-ghsa-id', 'moderate-ghsa-id', 'low-ghsa-id']
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = changes.map(change => change.vulnerabilities).flat()
const result = filterAllowedAdvisories(allowedGHSAs, changes)
const newVulns = result.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 3)
})
test('it filters out GHSA dependencies', async () => {
const lodash = filterAllowedAdvisories(
['GHSA-jf85-cpcp-j695'],
[lodashChange]
)[0]
// the filter should have removed a single GHSA from the list
const expected = lodashChange.vulnerabilities.filter(
vuln => vuln.advisory_ghsa_id !== 'GHSA-jf85-cpcp-j695'
)
expect(expected.length).toEqual(lodashChange.vulnerabilities.length - 1)
expect(lodash.vulnerabilities).toEqual(expected)
})
+7 -4
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
@@ -183,7 +183,7 @@ test('it does not filter out changes that are on the exclusions list', async ()
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
@@ -199,7 +199,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
@@ -213,7 +213,10 @@ test('it does filters out changes if they are not on the exclusions list', async
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
+2 -1
View File
@@ -28,7 +28,8 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false
}
const changesWithEmptyManifests: Changes = [
+2 -1
View File
@@ -18,7 +18,8 @@ export function clearInputs(): void {
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
'COMMENT-SUMMARY-IN-PR',
'WARN-ONLY'
]
// eslint-disable-next-line github/array-foreach
+12 -4
View File
@@ -30,7 +30,7 @@ inputs:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
@@ -48,10 +48,10 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
@@ -61,6 +61,14 @@ inputs:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
warn-only:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
default: false
outputs:
comment-content:
description: Prepared dependency report comment
runs:
using: 'node16'
using: 'node20'
main: 'dist/index.js'
Generated Vendored
+3568 -9819
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+11 -129
View File
@@ -344,6 +344,17 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-graphql
MIT
MIT License Copyright (c) 2019 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-rest
MIT
MIT License Copyright (c) 2019 Octokit contributors
@@ -503,16 +514,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@vercel/ncc
MIT
Copyright 2018 ZEIT, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
aggregate-error
MIT
MIT License
@@ -1068,30 +1069,6 @@ Apache License
limitations under the License.
fromentries
MIT
The MIT License (MIT)
Copyright (c) Feross Aboukhadijeh
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
indent-string
MIT
MIT License
@@ -1105,31 +1082,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
is-plain-object
MIT
The MIT License (MIT)
Copyright (c) 2014-2017, Jon Schlinkert.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
jsonwebtoken
MIT
The MIT License (MIT)
@@ -1523,32 +1475,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
node-fetch
MIT
The MIT License (MIT)
Copyright (c) 2016 David Frank
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
octokit
MIT
The MIT License
@@ -1742,9 +1668,6 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tr46
MIT
tunnel
MIT
The MIT License (MIT)
@@ -1844,47 +1767,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
webidl-conversions
BSD-2-Clause
# The BSD 2-Clause License
Copyright (c) 2014, Domenic Denicola
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
whatwg-url
MIT
The MIT License (MIT)
Copyright (c) 20152016 Sebastian Mayr
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
wrappy
ISC
The ISC License
+47 -14
View File
@@ -1,4 +1,4 @@
# Examples on how to use the Dependancy Review Action
# Examples on how to use the Dependency Review Action
## Basic Usage
@@ -20,7 +20,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
## Using an inline configuration
@@ -41,7 +41,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
@@ -62,7 +62,7 @@ allow_licenses:
- 'BSD-2-Clause'
```
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
@@ -78,7 +78,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
@@ -105,7 +105,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
@@ -132,7 +132,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
@@ -157,13 +157,46 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
```
## Getting the results of the action in a later step
Using the `comment-content` output you can get the results of the action in a workflow step.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
id: review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
- name: 'Report'
if: always() # make sure this step runs even if the previous failed
shell: bash
env:
comment: ${{ steps.review.outputs.comment-content }}
run: |
echo "$comment" # do something with the comment
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
@@ -185,12 +218,12 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
```
If we were to use configuration file, the configuration would look like this:
@@ -202,7 +235,7 @@ allow-licenses:
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
- 'pkg:pypi/requests'
```
## Only check for vulnerabilities
@@ -224,7 +257,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
comment-summary-in-pr: always
@@ -253,7 +286,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
@@ -287,7 +320,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
+383 -1001
View File
File diff suppressed because it is too large Load Diff
+17 -17
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.1.2",
"version": "4.1.1",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -26,36 +26,36 @@
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0",
"@types/jest": "^29.5.5",
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@types/jest": "^29.5.12",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"got": "^14.2.0",
"jest": "^29.7.0",
"octokit": "^2.1.0",
"octokit": "^3.1.2",
"packageurl-js": "^1.2.0",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"ts-jest": "^29.1.1",
"ts-jest": "^29.1.2",
"yaml": "^2.3.4",
"zod": "^3.22.3"
},
"devDependencies": {
"@types/node": "^16.18.58",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.9.1",
"@typescript-eslint/parser": "^6.9.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.52.0",
"eslint": "^8.56.0",
"eslint-plugin-github": "^4.10.1",
"eslint-plugin-jest": "^27.6.0",
"eslint-plugin-prettier": "^5.0.1",
"eslint-plugin-jest": "^27.6.3",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.3",
"typescript": "^5.2.2"
"nodemon": "^3.0.3",
"prettier": "3.2.5",
"typescript": "^5.3.3"
}
}
+5 -4
View File
@@ -26,13 +26,14 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
'pkg:pypi/requests',
'pkg:pypi/certifi',
'pkg:pypi/pycrypto@2.6.1'
],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false
}
const tmpDir = path.resolve(__dirname, '../tmp')
+20 -4
View File
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
@@ -12,7 +13,22 @@ const octo = new retryingOctokit(
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(summary: typeof core.summary): Promise<void> {
export async function commentPr(
summary: typeof core.summary,
config: ConfigurationOptions
): Promise<void> {
const commentContent = summary.stringify()
core.setOutput('comment-content', commentContent)
if (
config.comment_summary_in_pr !== 'always' &&
config.comment_summary_in_pr === 'on-failure' &&
process.exitCode !== core.ExitCode.Failure
) {
return
}
if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
@@ -20,7 +36,7 @@ export async function commentPr(summary: typeof core.summary): Promise<void> {
return
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
@@ -74,8 +90,8 @@ async function findCommentByMarker(
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(
comment => comment.body?.includes(commentBodyIncludes)
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
+3 -1
View File
@@ -47,6 +47,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
const warn_only = getOptionalBoolean('warn-only')
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
@@ -67,7 +68,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
head_ref,
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
retry_on_snapshot_warnings_timeout,
warn_only
}
return Object.fromEntries(
+2 -1
View File
@@ -31,7 +31,8 @@ export async function compare({
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner,
repo,
basehead: `${baseRef}...${headRef}`
basehead: `${baseRef}...${headRef}`,
per_page: 5
},
response => {
if (
+23 -13
View File
@@ -1,5 +1,13 @@
import {Changes, Severity, SEVERITIES, Scope} from './schemas'
/**
* Filters changes by a severity level. Only vulnerable
* dependencies will be returned.
*
* @param severity - The severity level to filter by.
* @param changes - The array of changes to filter.
* @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
*/
export function filterChangesBySeverity(
severity: Severity,
changes: Changes
@@ -31,7 +39,14 @@ export function filterChangesBySeverity(
filteredChanges = filteredChanges.filter(
change => change.vulnerabilities.length > 0
)
return filteredChanges
// only report vulnerability additions
return filteredChanges.filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
}
export function filterChangesByScopes(
@@ -67,25 +82,20 @@ export function filterAllowedAdvisories(
return changes
}
const filteredChanges = changes.filter(change => {
const filteredChanges = changes.map(change => {
const noAdvisories =
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
if (noAdvisories) {
return true
return change
}
const newChange = {...change}
newChange.vulnerabilities = change.vulnerabilities.filter(
vuln => !ghsas.includes(vuln.advisory_ghsa_id)
)
let allAllowedAdvisories = true
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
return newChange
})
return filteredChanges
+5 -2
View File
@@ -21,16 +21,19 @@ export function getRefs(
if (!base_ref && !head_ref) {
throw new Error(
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!base_ref) {
throw new Error(
'A base ref must be provided, either via the `base_ref` config option, ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'`base-ref` workflow action option, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!head_ref) {
throw new Error(
'A head ref must be provided, either via the `head_ref` config option, ' +
'`head-ref` workflow action option, or by running a ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
)
}
+4 -2
View File
@@ -32,7 +32,7 @@ export async function getInvalidLicenseChanges(
const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return PackageURL.fromString(pkgUrl)
return PackageURL.fromString(encodeURI(pkgUrl))
}
)
@@ -45,7 +45,9 @@ export async function getInvalidLicenseChanges(
return true
}
const changeAsPackageURL = PackageURL.fromString(change.package_url)
const changeAsPackageURL = PackageURL.fromString(
encodeURI(change.package_url)
)
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
+31 -22
View File
@@ -80,21 +80,24 @@ async function run(): Promise<void> {
return
}
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
const failOnSeverityParams = config.fail_on_severity
const warnOnly = config.warn_only
let minSeverity: Severity = 'low'
// If failOnSeverityParams is not set or warnOnly is true, the minSeverity is low, to allow all vulnerabilities to be reported as warnings
if (failOnSeverityParams && !warnOnly) {
minSeverity = failOnSeverityParams
}
const vulnerableChanges = filterChangesBySeverity(
minSeverity,
filteredChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
const invalidLicenseChanges = await getInvalidLicenseChanges(
@@ -128,11 +131,11 @@ async function run(): Promise<void> {
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
}
if (config.license_check) {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
printLicensesBlock(invalidLicenseChanges, warnOnly)
}
if (config.deny_packages || config.deny_groups) {
summary.addDeniedToSummary(deniedChanges)
@@ -141,13 +144,7 @@ async function run(): Promise<void> {
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
await commentPr(core.summary, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -171,19 +168,25 @@ async function run(): Promise<void> {
function printVulnerabilitiesBlock(
addedChanges: Changes,
minSeverity: Severity
minSeverity: Severity,
warnOnly: boolean
): void {
let failed = false
let vulFound = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
vulFound = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
if (vulFound) {
const msg = 'Dependency review detected vulnerable packages.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
@@ -206,13 +209,19 @@ function printChangeVulnerabilities(change: Change): void {
}
function printLicensesBlock(
invalidLicenseChanges: Record<string, Changes>
invalidLicenseChanges: Record<string, Changes>,
warnOnly: boolean
): void {
core.group('Licenses', async () => {
if (invalidLicenseChanges.forbidden.length > 0) {
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
core.setFailed('Dependency review detected incompatible licenses.')
const msg = 'Dependency review detected incompatible licenses.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
}
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
+2 -1
View File
@@ -59,7 +59,8 @@ export const ConfigurationOptionsSchema = z
),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
.default('never'),
warn_only: z.boolean().default(false)
})
.transform(config => {
if (config.comment_summary_in_pr === true) {