

81 Commits

Federico Builes 7d90b4f05f bumping to 3.0.7 2023-08-09 15:27:02 +02:00
Federico Builes 02aa4b66a7 Merge pull request #544 from adrienpessu/main
Add an option to deny packages or groups of packages
2023-08-09 15:25:21 +02:00
Federico Builes fe2a482baf Apply suggestions from code review 2023-08-09 15:24:26 +02:00
Adrien Pessu ce14e1f894 improve example 2023-08-08 17:21:30 +02:00
Adrien Pessu eacc0328b1 improve example 2023-08-08 17:10:23 +02:00
Adrien Pessu 98aae180cb debug 2023-08-08 16:56:01 +02:00
Adrien Pessu c280c303e6 debug 2023-08-08 16:51:40 +02:00
Adrien Pessu 1db9156f85 change from name of the package to the package url to avoid conflict between 2 dependencies with the same name but for different ecosystems 2023-08-08 16:34:23 +02:00
Adrien Pessu c462e2e50e add example 2023-08-08 10:12:55 +02:00
Adrien Pessu 0796abb9cf add changes on js.map file 2023-08-07 17:17:27 +02:00
Adrien Pessu eab07548a7 Merge remote-tracking branch 'upstream/main' 2023-08-07 14:25:57 +02:00
Adrien Pessu 00f1f5b642 add tests and docs 2023-08-07 14:07:46 +02:00
Adrien Pessu 6862f6f65f add groups 2023-08-07 14:07:26 +02:00
Adrien Pessu 2f38ecd3fd add deny_list as paramter 2023-08-07 14:07:26 +02:00
Adrien Pessu 309d082d5f initial commit 2023-08-07 14:07:26 +02:00
Federico Builes 0e6dece6c7 update more dependencies 2023-08-07 14:07:26 +02:00
dependabot[bot] 942409c937 Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.1 to 6.2.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 14:07:26 +02:00
Federico Builes 6af66592ad dependbot updates 2023-08-07 14:07:26 +02:00
dependabot[bot] d5a7e34e39 Bump prettier from 2.8.8 to 3.0.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.8...3.0.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 14:07:25 +02:00
Federico Builes 328a08ea42 Merge pull request #541 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.2.1
Bump @typescript-eslint/parser from 6.2.0 to 6.2.1
2023-08-07 10:20:46 +02:00
Federico Builes 3f88e84ced Merge pull request #542 from actions/dependabot/npm_and_yarn/prettier-3.0.1
Bump prettier from 3.0.0 to 3.0.1
2023-08-07 10:07:55 +02:00
dependabot[bot] 4463280ae5 Bump prettier from 3.0.0 to 3.0.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.0...3.0.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 01:49:54 +00:00
dependabot[bot] ae11b24682 Bump @typescript-eslint/parser from 6.2.0 to 6.2.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 01:49:41 +00:00
Federico Builes 1e70f06e66 Merge pull request #537 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.2.0
Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
2023-07-31 18:03:04 +02:00
Federico Builes 0ea885e7c5 update more dependencies 2023-07-31 18:01:31 +02:00
dependabot[bot] 498c8717d3 Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.1 to 6.2.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-31 06:42:19 +00:00
Federico Builes fc8a06c798 Merge pull request #526 from actions/dependabot/npm_and_yarn/prettier-3.0.0
Bump prettier from 2.8.8 to 3.0.0
2023-07-31 08:40:45 +02:00
Federico Builes 8c593e9822 dependbot updates 2023-07-31 08:39:38 +02:00
Federico Builes 98d4fd7247 Merge pull request #534 from rajbos/main
Make GHES support / setup more clear
2023-07-19 16:27:05 +02:00
Federico Builes 0a68c5dfa6 Update README.md 2023-07-19 16:26:44 +02:00
Federico Builes f015f96b55 Update README.md 2023-07-19 16:26:39 +02:00
Rob Bos 3290c85b0f Make GHES support more clear 2023-07-19 13:05:42 +02:00
dependabot[bot] 6b0d5029d1 Bump prettier from 2.8.8 to 3.0.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.8...3.0.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-10 01:39:16 +00:00
cnagadya 090b9fe2a1 Merge pull request #524 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.60.1
Bump @typescript-eslint/eslint-plugin from 5.60.0 to 5.60.1
2023-07-03 10:32:12 +02:00
dependabot[bot] c5e57016d8 Bump @typescript-eslint/eslint-plugin from 5.60.0 to 5.60.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.0 to 5.60.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 08:18:28 +00:00
cnagadya 8cf6fcb693 Merge pull request #523 from actions/dependabot/npm_and_yarn/eslint-8.44.0
Bump eslint from 8.43.0 to 8.44.0
2023-07-03 10:17:48 +02:00
cnagadya 9bf5053b8a Merge pull request #522 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.60.1
Bump @typescript-eslint/parser from 5.60.0 to 5.60.1
2023-07-03 10:17:36 +02:00
cnagadya a213934318 Merge pull request #521 from actions/dependabot/npm_and_yarn/types/node-16.18.38
Bump @types/node from 16.18.36 to 16.18.38
2023-07-03 10:17:27 +02:00
dependabot[bot] e301b1bd30 Bump eslint from 8.43.0 to 8.44.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.43.0 to 8.44.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.43.0...v8.44.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:29:06 +00:00
dependabot[bot] c730d72f23 Bump @typescript-eslint/parser from 5.60.0 to 5.60.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.60.0 to 5.60.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:28:46 +00:00
dependabot[bot] a65c766d12 Bump @types/node from 16.18.36 to 16.18.38
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.36 to 16.18.38.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:28:23 +00:00
Federico Builes 7599c4bc8e Merge pull request #519 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.4
Bump @octokit/plugin-retry from 5.0.2 to 5.0.4
2023-06-26 15:38:01 +02:00
Federico Builes 0f4e96f7e8 adding build files 2023-06-26 15:36:01 +02:00
dependabot[bot] a234018432 Bump @octokit/plugin-retry from 5.0.2 to 5.0.4
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 5.0.2 to 5.0.4.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v5.0.2...v5.0.4)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 13:29:15 +00:00
Federico Builes 328eb79003 Merge pull request #518 from actions/dependabot/npm_and_yarn/octokit-2.1.0
Bump octokit from 2.0.19 to 2.1.0
2023-06-26 15:28:32 +02:00
Federico Builes 5bb28e508e npm i 2023-06-26 15:26:17 +02:00
Federico Builes 11a4a75728 Merge pull request #516 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.60.0
Bump @typescript-eslint/eslint-plugin from 5.59.11 to 5.60.0
2023-06-26 07:10:03 +02:00
dependabot[bot] c5ac6e1eba Bump @typescript-eslint/eslint-plugin from 5.59.11 to 5.60.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.11 to 5.60.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 05:08:33 +00:00
Federico Builes a3753ba2c6 Merge pull request #520 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.2.2
Bump eslint-plugin-jest from 27.2.1 to 27.2.2
2023-06-26 07:03:16 +02:00
Federico Builes ec3136c4ba Merge pull request #517 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.60.0
Bump @typescript-eslint/parser from 5.59.11 to 5.60.0
2023-06-26 07:03:01 +02:00
dependabot[bot] 38b79e2fbe Bump eslint-plugin-jest from 27.2.1 to 27.2.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.1 to 27.2.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.2.1...v27.2.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:30:13 +00:00
dependabot[bot] 01a70a14e2 Bump octokit from 2.0.19 to 2.1.0
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.19 to 2.1.0.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.19...v2.1.0)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:29:16 +00:00
dependabot[bot] d32ada785e Bump @typescript-eslint/parser from 5.59.11 to 5.60.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.11 to 5.60.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:28:47 +00:00
Federico Builes c61b0a3941 Merge pull request #510 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.11
Bump @typescript-eslint/eslint-plugin from 5.59.9 to 5.59.11
2023-06-19 07:54:57 +02:00
Federico Builes 38c1dbdffa Merge branch 'main' into dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.11 2023-06-19 07:00:21 +02:00
Federico Builes 84fe280943 Merge pull request #512 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.11
Bump @typescript-eslint/parser from 5.59.9 to 5.59.11
2023-06-19 06:58:36 +02:00
Federico Builes cf65a75df3 Merge pull request #511 from actions/dependabot/npm_and_yarn/eslint-8.43.0
Bump eslint from 8.41.0 to 8.43.0
2023-06-19 06:58:17 +02:00
dependabot[bot] 3d532eeb2e Bump @typescript-eslint/eslint-plugin from 5.59.9 to 5.59.11
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.9 to 5.59.11.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.11/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:17 +00:00
dependabot[bot] 2a14180549 Bump @typescript-eslint/parser from 5.59.9 to 5.59.11
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.9 to 5.59.11.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.11/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:17 +00:00
dependabot[bot] 3958f9d2c8 Bump eslint from 8.41.0 to 8.43.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.41.0 to 8.43.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.41.0...v8.43.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:12 +00:00
Federico Builes d561324ef9 Merge pull request #509 from actions/dependabot/npm_and_yarn/types/node-16.18.36
Bump @types/node from 16.18.35 to 16.18.36
2023-06-19 06:51:36 +02:00
dependabot[bot] 5c03808159 Bump @types/node from 16.18.35 to 16.18.36
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.35 to 16.18.36.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 01:58:19 +00:00
Federico Builes 9617594ce4 Merge pull request #506 from actions/dependabot/npm_and_yarn/octokit-2.0.19
update octokit, regenerate dist
2023-06-12 07:29:57 +02:00
Federico Builes c10600ad00 update octokit, regenerate dist 2023-06-12 07:28:23 +02:00
Federico Builes 86477f1ea0 Merge pull request #504 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.9
Bump @typescript-eslint/eslint-plugin from 5.59.8 to 5.59.9
2023-06-12 07:19:03 +02:00
Federico Builes b6ef88155e Merge pull request #505 from actions/dependabot/npm_and_yarn/types/node-16.18.35
Bump @types/node from 16.18.34 to 16.18.35
2023-06-12 07:18:49 +02:00
Federico Builes 1c01b75438 Merge pull request #503 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.2
Bump @octokit/plugin-retry from 5.0.0 to 5.0.2
2023-06-12 07:18:36 +02:00
dependabot[bot] 1590d3f795 Bump @typescript-eslint/eslint-plugin from 5.59.8 to 5.59.9
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.8 to 5.59.9.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.9/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 05:17:03 +00:00
Federico Builes 90de8e47b4 adding dist 2023-06-12 07:16:52 +02:00
Federico Builes 6d3699baca Merge pull request #502 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.9
Bump @typescript-eslint/parser from 5.59.8 to 5.59.9
2023-06-12 07:15:59 +02:00
dependabot[bot] 87e767d41f Bump @types/node from 16.18.34 to 16.18.35
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.34 to 16.18.35.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:59:53 +00:00
dependabot[bot] 554d5fa52b Bump @octokit/plugin-retry from 5.0.0 to 5.0.2
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 5.0.0 to 5.0.2.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v5.0.0...v5.0.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:59:03 +00:00
dependabot[bot] 983fa12c36 Bump @typescript-eslint/parser from 5.59.8 to 5.59.9
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.8 to 5.59.9.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.9/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:58:41 +00:00
Federico Builes 0342e75832 Merge pull request #500 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.0
Bump @octokit/plugin-retry from 4.1.3 to 5.0.0
2023-06-05 07:14:34 +02:00
Federico Builes 3daf1c6551 Updating dist 2023-06-05 07:13:53 +02:00
Federico Builes 16cbdf9d97 Merge pull request #498 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.8.0
Bump eslint-plugin-github from 4.7.0 to 4.8.0
2023-06-05 07:09:55 +02:00
Federico Builes 59a0ce5dc2 Merge pull request #497 from actions/dependabot/npm_and_yarn/got-13.0.0
Bump got from 12.6.0 to 13.0.0
2023-06-05 07:08:54 +02:00
dependabot[bot] 6cc98d3032 Bump @octokit/plugin-retry from 4.1.3 to 5.0.0
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 4.1.3 to 5.0.0.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v4.1.3...v5.0.0)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:59:54 +00:00
dependabot[bot] 617fd3907e Bump eslint-plugin-github from 4.7.0 to 4.8.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.7.0 to 4.8.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.7.0...v4.8.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:59:21 +00:00
dependabot[bot] 537fc8f28d Bump got from 12.6.0 to 13.0.0
Bumps [got](https://github.com/sindresorhus/got) from 12.6.0 to 13.0.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.6.0...v13.0.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:58:58 +00:00
Federico Builes 1360a344cc Merge pull request #494 from actions/fix-purl-bug
Empty PURLs should not block the action from running
2023-05-31 17:11:07 +02:00
16 changed files with 6281 additions and 3405 deletions
+17 -15
@@ -1,4 +1,4 @@
# dependency-review-action
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
@@ -43,7 +43,7 @@ This action is available in Enterprise Server starting with version 3.6. Make su
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled.
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
@@ -66,18 +66,20 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| Option | Usage | Possible values | Default value |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
\*not supported for use with GitHub Enterprise Server
@@ -144,7 +146,7 @@ For more examples of how to use this action and its configuration options, see t
### Considerations
- Checking for licenses is not supported on Enterprise Server.
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
+166
@@ -0,0 +1,166 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getDeniedChanges: Function
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const mvnChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
jest.mock('@actions/core')
const mockOctokit = {
rest: {
licenses: {
getForRepo: jest
.fn()
.mockReturnValue({data: {license: {spdx_id: 'AGPL'}}})
}
}
}
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getDeniedChanges} = require('../src/deny'))
})
test('it adds packages in the deny packages list', async () => {
const changes: Changes = [npmChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
[]
)
expect(deniedChanges[0]).toBe(rubyChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages in the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
[],
['pkg:maven/org.apache.logging.log4j']
)
expect(deniedChanges[0]).toBe(mvnChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages outside of the deny lists', async () => {
const changes: Changes = [npmChange, pipChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
['pkg:maven:org.apache.logging.log4j']
)
expect(deniedChanges.length).toEqual(0)
})
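Review bot: `let getDeniedChanges: Function` types the lazily required export as the bare `Function`, which turns off checking of every call below; `let getDeniedChanges: typeof import('../src/deny').getDeniedChanges` keeps the real signature. The group in the third test is written `pkg:maven:org.apache.logging.log4j` (colon instead of slash), and the two changes under test are npm and pip anyway, so that test passes even if group matching were broken; it should use a well-formed namespace such as `pkg:maven/org.apache.logging.log4j` against changes that are not in it. The name of that test, `it adds packages outside of the deny lists`, describes the opposite of what it asserts (`length` 0). `mvnChange` declares `version: '2.15.0'` while its `package_url` ends in `@2.14.7`, and the `spdx-satisfies` and `octokit` mocks are not used by `../src/deny`. No test covers a change that matches both a denied package and a denied group, or several deny entries at once.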
+31 -4
@@ -24,6 +24,8 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: [],
deny_licenses: [],
deny_packages: [],
deny_groups: [],
comment_summary_in_pr: true
}
@@ -70,6 +72,7 @@ test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -81,6 +84,7 @@ test('only includes "No vulnerabilities or license issues found"-message if both
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -90,7 +94,12 @@ test('only includes "No vulnerabilities or license issues found"-message if both
test('only includes "No vulnerabilities found"-message if "license_check" is set to false and nothing was found', () => {
const config = {...defaultConfig, license_check: false}
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
config
)
const text = core.summary.stringify()
expect(text).toContain('✅ No vulnerabilities found.')
@@ -98,7 +107,12 @@ test('only includes "No vulnerabilities found"-message if "license_check" is set
test('only includes "No license issues found"-message if "vulnerability_check" is set to false and nothing was found', () => {
const config = {...defaultConfig, vulnerability_check: false}
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
config
)
const text = core.summary.stringify()
expect(text).toContain('✅ No license issues found.')
@@ -108,6 +122,7 @@ test('groups dependencies with empty manifest paths together', () => {
summary.addSummaryToSummary(
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
@@ -124,6 +139,7 @@ test('does not include status section if nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -142,7 +158,12 @@ test('includes count and status icons for all findings', () => {
unlicensed: [createTestChange(), createTestChange(), createTestChange()]
}
summary.addSummaryToSummary(vulnerabilities, licenseIssues, defaultConfig)
summary.addSummaryToSummary(
vulnerabilities,
licenseIssues,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
expect(text).toContain('❌ 2 vulnerable package(s)')
@@ -159,6 +180,7 @@ test('uses checkmarks for license issues if only vulnerabilities were found', ()
summary.addSummaryToSummary(
vulnerabilities,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
@@ -178,7 +200,12 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
unlicensed: []
}
summary.addSummaryToSummary(emptyChanges, licenseIssues, defaultConfig)
summary.addSummaryToSummary(
emptyChanges,
licenseIssues,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
expect(text).toContain('✅ 0 vulnerable package(s)')
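Review bot: Every call site gains the new `emptyChanges` argument for denied changes, but no test exercises a non-empty denied list: nothing asserts the `package(s) denied` line that `addSummaryToSummary` now emits, and `addDeniedToSummary` has no test at all. A case such as `summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, [createTestChange()], defaultConfig)` followed by `expect(text).toContain('1 package(s) denied')` would cover the new branch, and a second test can check that `addDeniedToSummary([])` adds nothing to the summary. `createTestChange` is already used in this file (the `includes count and status icons` test), so no new fixture is needed.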
+6
@@ -47,6 +47,12 @@ inputs:
comment-summary-in-pr:
description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
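Review bot: The `deny-groups` description gives `"pkg:npm/express, pkg:pip/pycrypto"` as its example, but those are full package purls, the same example used for `deny-packages`; the README for this option says a group is a namespace with no package name or version. A namespace-style example such as `"pkg:maven/org.apache.logging.log4j, pkg:maven/com.bazaarvoice.jolt"` would show the intended shape. Both descriptions could also say that any `@version` on a deny entry is ignored, since the implementation strips it before comparing.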
Generated Vendored
+3913 -2155
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
File diff suppressed because one or more lines are too long
+28
@@ -230,3 +230,31 @@ jobs:
comment-summary-in-pr: true
license-check: false
```
## Exclude dependencies from their name or groups
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
```
+1984 -1206
File diff suppressed because it is too large Load Diff
+13 -15
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.6",
"version": "3.0.7",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -27,12 +27,11 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^4.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.2.1",
"got": "^12.6.0",
"nodemon": "^2.0.22",
"octokit": "^2.0.16",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
@@ -41,22 +40,21 @@
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.34",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/node": "^16.18.38",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^5.59.8",
"@typescript-eslint/parser": "^5.59.8",
"@typescript-eslint/eslint-plugin": "^6.2.0",
"@typescript-eslint/parser": "^6.2.1",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.41.0",
"eslint-plugin-github": "^4.7.0",
"eslint-plugin-jest": "^27.2.1",
"eslint": "^8.44.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.22",
"prettier": "2.8.8",
"nodemon": "^3.0.1",
"prettier": "3.0.1",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
+7 -3
@@ -6,7 +6,7 @@
* npx ts-node scripts/create_summary.ts
*/
import {Changes, ConfigurationOptions} from '../src/schemas'
import {Change, Changes, ConfigurationOptions} from '../src/schemas'
import {createTestChange} from '../__tests__/fixtures/create-test-change'
import {InvalidLicenseChanges} from '../src/licenses'
import * as fs from 'fs'
@@ -22,6 +22,8 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: ['MIT'],
deny_licenses: [],
deny_packages: [],
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
@@ -44,6 +46,7 @@ const createNonIssueSummary = async (): Promise<void> => {
await createSummary(
[],
{forbidden: [], unresolved: [], unlicensed: []},
[],
defaultConfig,
'non-issue-summary.md'
)
@@ -85,16 +88,17 @@ const createFullSummary = async (): Promise<void> => {
]
}
await createSummary(changes, licenses, defaultConfig, 'full-summary.md')
await createSummary(changes, licenses, [], defaultConfig, 'full-summary.md')
}
async function createSummary(
vulnerabilities: Changes,
licenseIssues: InvalidLicenseChanges,
denied: Change[],
config: ConfigurationOptions,
fileName: string
): Promise<void> {
summary.addSummaryToSummary(vulnerabilities, licenseIssues, config)
summary.addSummaryToSummary(vulnerabilities, licenseIssues, denied, config)
summary.addChangeVulnerabilitiesToSummary(
vulnerabilities,
config.fail_on_severity
+2 -2
@@ -74,8 +74,8 @@ async function findCommentByMarker(
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
const existingComment = comments.find(
comment => comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
+7 -1
@@ -33,6 +33,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const allow_dependencies_licenses = parseList(
getOptionalInput('allow-dependencies-licenses')
)
const deny_packages = parseList(getOptionalInput('deny-packages'))
const deny_groups = parseList(getOptionalInput('deny-groups'))
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
@@ -49,6 +51,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
fail_on_scopes,
allow_licenses,
deny_licenses,
deny_packages,
deny_groups,
allow_dependencies_licenses,
allow_ghsas,
license_check,
@@ -137,7 +141,9 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
'deny-licenses',
'fail-on-scopes',
'allow-ghsas',
'allow-dependencies-licenses'
'allow-dependencies-licenses',
'deny-packages',
'deny-groups'
]
for (const key of Object.keys(data)) {
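Review bot: The new `deny_packages` and `deny_groups` values come out of `parseList` as opaque strings with no check that each entry is a purl, so a typo such as the `pkg:maven:org...` form that appears in the new tests never matches anything and the deny list silently does nothing. Since `packageurl-js` is already a dependency, each `deny_packages` entry could be passed through `PackageURL.fromString` when the config is read and a malformed entry rejected with a clear error, in the same spirit as the existing error for conflicting license options. `deny_groups` entries are namespace-only and would not parse as full purls, so they need a lighter check (a `pkg:<type>/` prefix) instead. `readInlineConfig` and `parseConfigFile` both continue outside these hunks.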
+42
@@ -0,0 +1,42 @@
import {Change} from './schemas'
import * as core from '@actions/core'
export async function getDeniedChanges(
changes: Change[],
deniedPackages: string[],
deniedGroups: string[]
): Promise<Change[]> {
const changesDenied: Change[] = []
let failed = false
for (const change of changes) {
change.name = change.name.toLowerCase()
const packageUrl = change.package_url.toLowerCase().split('@')[0]
if (deniedPackages) {
for (const denied of deniedPackages) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change)
failed = true
}
}
}
if (deniedGroups) {
for (const denied of deniedGroups) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change)
failed = true
}
}
}
}
if (failed) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return changesDenied
}
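Review bot: `packageUrl.startsWith(denied.toLowerCase())` in the deny-groups check has no separator boundary, so `pkg:maven/org.apache` would also deny `pkg:maven/org.apache-extras/...` and a group `pkg:npm/foo` would deny `pkg:npm/foobar`; the match should require the next character to be `/`. A change that matches both a denied package and a denied group (or several entries) is pushed to `changesDenied` once per match, which inflates the `package(s) denied` count and repeats the row in the summary. `change.name = change.name.toLowerCase()` mutates the caller's change objects although `name` is never used for matching, so the lower-cased name leaks into every other report section built from the same objects. `if (deniedPackages)` and `if (deniedGroups)` are always true for arrays (the schema defaults them to `[]`); the same always-true test appears in main.ts as `if (config.deny_packages || config.deny_groups)`, where `.length > 0` is meant. The rewrite below matches namespaces on a `/` boundary, reports each change once and leaves the input untouched.
```typescript
export async function getDeniedChanges(
  changes: Change[],
  deniedPackages: string[],
  deniedGroups: string[]
): Promise<Change[]> {
  // Match on the lower-cased purl without its version; the input changes are not mutated.
  const withoutVersion = (purl: string): string => purl.toLowerCase().split('@')[0]
  const deniedPackageUrls = new Set(deniedPackages.map(withoutVersion))
  const deniedNamespaces = deniedGroups.map(group =>
    group.toLowerCase().replace(/\/+$/, '')
  )

  const changesDenied: Change[] = []
  for (const change of changes) {
    const packageUrl = withoutVersion(change.package_url)
    // A namespace only matches up to a '/' boundary, so 'pkg:npm/foo' does not deny 'pkg:npm/foobar'.
    const inDeniedGroup = deniedNamespaces.some(namespace =>
      packageUrl.startsWith(`${namespace}/`)
    )
    // Each change is reported at most once, however many deny entries it matches.
    if (deniedPackageUrls.has(packageUrl) || inDeniedGroup) {
      changesDenied.push(change)
    }
  }

  if (changesDenied.length > 0) {
    core.setFailed('Dependency review detected denied packages.')
  } else {
    core.info('Dependency review did not detect any denied packages')
  }
  return changesDenied
}
```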
+32 -1
@@ -3,7 +3,7 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity, Changes} from './schemas'
import {Change, Severity, Changes, ConfigurationOptions} from './schemas'
import {readConfig} from '../src/config'
import {
filterChangesBySeverity,
@@ -16,6 +16,7 @@ import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {getDeniedChanges} from './deny'
async function run(): Promise<void> {
try {
@@ -63,9 +64,19 @@ async function run(): Promise<void> {
}
)
core.debug(`Filtered Changes: ${JSON.stringify(filteredChanges)}`)
core.debug(`Config Deny Packages: ${JSON.stringify(config)}`)
const deniedChanges = await getDeniedChanges(
filteredChanges,
config.deny_packages,
config.deny_groups
)
summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
deniedChanges,
config
)
@@ -81,6 +92,10 @@ async function run(): Promise<void> {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
}
if (config.deny_packages || config.deny_groups) {
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
}
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
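Review bot: `if (config.deny_packages || config.deny_groups)` is always true because both fields are arrays (the schema defaults them to `[]`), so the `Denied` log group is printed on every run even when no deny list is configured; use `if (config.deny_packages.length > 0 || config.deny_groups.length > 0)`. The debug line `core.debug(\`Config Deny Packages: ${JSON.stringify(config)}\`)` in the previous hunk is labelled as the deny packages but dumps the entire configuration; log `config.deny_packages` and `config.deny_groups` instead, or drop it. `printDeniedDependencies` below passes an `async` callback to `core.group` without awaiting the returned promise, so its output order relative to the sections that follow is not guaranteed — harmless if the other print helpers do the same, but worth confirming. The `run` function begins and ends outside this hunk.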
@@ -239,4 +254,20 @@ function printScannedDependencies(changes: Changes): void {
})
}
function printDeniedDependencies(
changes: Change[],
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
for (const denied of config.deny_packages) {
core.info(`Config: ${denied}`)
}
for (const change of changes) {
core.info(`Change: ${change.name}@${change.version} is denied`)
core.info(`Change: ${change.package_url} is denied`)
}
})
}
run()
+2
@@ -42,6 +42,8 @@ export const ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
+30 -2
@@ -1,5 +1,5 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes} from './schemas'
import {ConfigurationOptions, Changes, Change} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
@@ -13,13 +13,15 @@ const icons = {
export function addSummaryToSummary(
vulnerableChanges: Changes,
invalidLicenseChanges: InvalidLicenseChanges,
deniedChanges: Changes,
config: ConfigurationOptions
): void {
core.summary.addHeading('Dependency Review', 1)
if (
vulnerableChanges.length === 0 &&
countLicenseIssues(invalidLicenseChanges) === 0
countLicenseIssues(invalidLicenseChanges) === 0 &&
deniedChanges.length === 0
) {
if (!config.license_check) {
core.summary.addRaw(`${icons.check} No vulnerabilities found.`)
@@ -56,6 +58,13 @@ export function addSummaryToSummary(
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrWarnIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: [])
])
.addRaw('See the Details below.')
@@ -248,6 +257,25 @@ function countLicenseIssues(
)
}
export function addDeniedToSummary(deniedChanges: Change[]): void {
if (deniedChanges.length === 0) {
return
}
core.summary.addHeading('Denied dependencies', 2)
for (const change of deniedChanges) {
core.summary.addHeading(`<em>Denied dependencies</em>`, 4)
core.summary.addTable([
['Package', 'Version', 'License'],
[
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
]
])
}
}
function checkOrFailIcon(count: number): string {
return count === 0 ? icons.check : icons.cross
}
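Review bot: `addDeniedToSummary` emits a new `<em>Denied dependencies</em>` h4 heading and a fresh one-row table for every denied change, so the section title is repeated once per package and the `Package`/`Version`/`License` header row is re-stated each time. A single `addTable` call with one row per change, built from `deniedChanges.map(...)` as below, keeps the h2 heading once and lists all denied packages together. Separately, the `package(s) denied` line in `addSummaryToSummary` uses `checkOrWarnIcon` even though denied packages fail the run via `core.setFailed`; if the vulnerability count uses `checkOrFailIcon`, the denied count should probably match it.
```typescript
export function addDeniedToSummary(deniedChanges: Change[]): void {
  if (deniedChanges.length === 0) {
    return
  }
  core.summary.addHeading('Denied dependencies', 2)
  // One table for all denied packages: a header row followed by one row per change.
  const rows: SummaryTableRow[] = [
    ['Package', 'Version', 'License'],
    ...deniedChanges.map(change => [
      renderUrl(change.source_repository_url, change.name),
      change.version,
      change.license || ''
    ])
  ]
  core.summary.addTable(rows)
}
```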