Compare commits

...

96 Commits

Author SHA1 Message Date
Sarah Aladetan 2b96ea7f03 Bump version to 2.2.0
We've added filtering by dependency scopes
2022-09-20 13:06:20 -07:00
Sarah Aladetan 4300ce8d38 Merge pull request #243 from actions/sarahkemi/filter-dev-deps
Filter blocking dependency changes by scopes
2022-09-20 16:05:19 -04:00
Sarah Aladetan de48c615a3 build and package scope filtering 2022-09-20 15:18:31 +00:00
Federico Builes fd959624bf Merge pull request #245 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.38.0
Bump @typescript-eslint/eslint-plugin from 5.37.0 to 5.38.0
2022-09-20 07:59:56 +02:00
Federico Builes 11dd186eb0 Merge pull request #246 from actions/dependabot/npm_and_yarn/got-12.5.0
Bump got from 12.4.1 to 12.5.0
2022-09-20 07:59:44 +02:00
dependabot[bot] 1ab05cf855 Bump @typescript-eslint/eslint-plugin from 5.37.0 to 5.38.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.37.0 to 5.38.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 05:54:32 +00:00
dependabot[bot] 7d7d5e7c84 Bump got from 12.4.1 to 12.5.0
Bumps [got](https://github.com/sindresorhus/got) from 12.4.1 to 12.5.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.4.1...v12.5.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 05:54:28 +00:00
Federico Builes 8a8fa8bd07 Merge pull request #244 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.38.0
Bump @typescript-eslint/parser from 5.37.0 to 5.38.0
2022-09-20 07:53:39 +02:00
dependabot[bot] 06daf8e801 Bump @typescript-eslint/parser from 5.37.0 to 5.38.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.37.0 to 5.38.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 01:31:24 +00:00
Federico Builes fc4fb55b25 Merge pull request #241 from actions/dependabot/npm_and_yarn/nodemon-2.0.20
Bump nodemon from 2.0.19 to 2.0.20
2022-09-19 07:38:12 +02:00
dependabot[bot] 31c132fdca Bump nodemon from 2.0.19 to 2.0.20
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.19 to 2.0.20.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.19...v2.0.20)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 01:55:04 +00:00
Sarah Aladetan 10bc05df70 ensure scope filtering is backward compatible with enterprise rest api versions 2022-09-16 19:13:58 +00:00
Sarah Aladetan e641ee9a41 update readme with notes on dependency scopes 2022-09-16 16:45:59 +00:00
Federico Builes eaeaeb3d57 Merge pull request #239 from actions/dependabot/npm_and_yarn/types/node-16.11.59
Bump @types/node from 16.11.58 to 16.11.59
2022-09-16 13:55:02 +02:00
Federico Builes 1eaf30e6eb Merge pull request #240 from actions/hm/fix-scan_pr
Fix passing repo-token input in scan_pr script
2022-09-16 13:50:52 +02:00
Federico Builes 5da3462152 Explain why we mangle dashed variables. 2022-09-16 13:47:16 +02:00
Sarah Aladetan 6fa5a8f9c0 add fail-on-scopes input to action config 2022-09-15 20:07:28 +00:00
Sarah Aladetan 0d23c39a5d filter by scope in action 2022-09-15 20:03:27 +00:00
Sarah Aladetan 6549b27685 add configuration for scopes to fail on 2022-09-15 18:48:58 +00:00
Sarah Aladetan f4b16c52e5 add method to filter changes by given scopes 2022-09-15 18:00:07 +00:00
Sarah Aladetan 1a7a37c468 add scope to change schema 2022-09-15 17:53:34 +00:00
Henri Maurer 38b459efad Fix passing repo-token input in scan_pr script 2022-09-15 10:09:46 +00:00
dependabot[bot] 6410b2cdd2 Bump @types/node from 16.11.58 to 16.11.59
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.58 to 16.11.59.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-14 02:00:08 +00:00
Federico Builes fd3a3b1051 Merge pull request #236 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.37.0
Bump @typescript-eslint/parser from 5.36.2 to 5.37.0
2022-09-13 07:16:16 +02:00
dependabot[bot] 6771e49f11 Bump @typescript-eslint/parser from 5.36.2 to 5.37.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.2 to 5.37.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.37.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 05:14:03 +00:00
Federico Builes c7c07e1117 Merge pull request #237 from actions/dependabot/npm_and_yarn/eslint-8.23.1
Bump eslint from 8.23.0 to 8.23.1
2022-09-13 07:13:17 +02:00
Federico Builes 59fdb0cce7 Merge pull request #238 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.37.0
Bump @typescript-eslint/eslint-plugin from 5.36.2 to 5.37.0
2022-09-13 07:13:03 +02:00
dependabot[bot] 950228f7f7 Bump @typescript-eslint/eslint-plugin from 5.36.2 to 5.37.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.2 to 5.37.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.37.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 03:40:44 +00:00
dependabot[bot] 6973819203 Bump eslint from 8.23.0 to 8.23.1
Bumps [eslint](https://github.com/eslint/eslint) from 8.23.0 to 8.23.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.23.0...v8.23.1)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 03:40:27 +00:00
Federico Builes eee2e3260e Merge pull request #235 from actions/dependabot/npm_and_yarn/ansi-styles-6.1.1
Bump ansi-styles from 6.1.0 to 6.1.1
2022-09-12 06:57:39 +02:00
Federico Builes 7eeddef885 adding dist 2022-09-12 06:56:41 +02:00
Federico Builes 8c58cdad09 Merge branch 'main' into dependabot/npm_and_yarn/ansi-styles-6.1.1 2022-09-12 06:56:12 +02:00
Federico Builes 380290a89b Merge pull request #234 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.4
Bump eslint-plugin-jest from 27.0.2 to 27.0.4
2022-09-12 06:54:43 +02:00
Federico Builes 50c3ed0ba6 Merge pull request #233 from actions/dependabot/npm_and_yarn/zod-3.19.1
Bump zod from 3.19.0 to 3.19.1
2022-09-12 06:54:18 +02:00
Federico Builes 0455501026 adding dist 2022-09-12 06:54:07 +02:00
dependabot[bot] bac3f038ac Bump ansi-styles from 6.1.0 to 6.1.1
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.1.0...v6.1.1)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:55:42 +00:00
dependabot[bot] 2d81062605 Bump eslint-plugin-jest from 27.0.2 to 27.0.4
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.2 to 27.0.4.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.2...v27.0.4)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:55:29 +00:00
dependabot[bot] 2ae4b932b7 Bump zod from 3.19.0 to 3.19.1
Bumps [zod](https://github.com/colinhacks/zod) from 3.19.0 to 3.19.1.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.19.0...v3.19.1)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:54:09 +00:00
Federico Builes c7d4075ae0 Merge pull request #232 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.2
Bump eslint-plugin-jest from 27.0.1 to 27.0.2
2022-09-09 08:45:35 +02:00
Federico Builes 49a0208abf Merge pull request #231 from actions/dependabot/npm_and_yarn/typescript-4.8.3
Bump typescript from 4.8.2 to 4.8.3
2022-09-09 08:45:23 +02:00
dependabot[bot] 94941958fb Bump eslint-plugin-jest from 27.0.1 to 27.0.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.1 to 27.0.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.1...v27.0.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 01:30:41 +00:00
dependabot[bot] 2764e60363 Bump typescript from 4.8.2 to 4.8.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.2 to 4.8.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.8.2...v4.8.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 01:29:54 +00:00
Federico Builes bcd1b9ab86 Merge pull request #230 from actions/dependabot/npm_and_yarn/types/node-16.11.58
Bump @types/node from 16.11.57 to 16.11.58
2022-09-08 12:02:31 +02:00
dependabot[bot] d96759fedc Bump @types/node from 16.11.57 to 16.11.58
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.57 to 16.11.58.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-08 01:32:47 +00:00
Federico Builes bfd72e7da2 Merge pull request #229 from actions/dependabot/npm_and_yarn/zod-3.19.0
Bump zod from 3.18.0 to 3.19.0
2022-09-07 07:50:34 +02:00
Federico Builes d8efcf0c1f updating dist files 2022-09-07 07:47:22 +02:00
dependabot[bot] 3b74514266 Bump zod from 3.18.0 to 3.19.0
Bumps [zod](https://github.com/colinhacks/zod) from 3.18.0 to 3.19.0.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.18.0...v3.19.0)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-07 01:30:01 +00:00
Federico Builes 7a364ecd6b Merge pull request #226 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.2
Bump @typescript-eslint/eslint-plugin from 5.36.1 to 5.36.2
2022-09-06 09:29:02 +02:00
dependabot[bot] 435083feb7 Bump @typescript-eslint/eslint-plugin from 5.36.1 to 5.36.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.1 to 5.36.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-06 07:28:29 +00:00
Federico Builes 781a55eaaa Merge pull request #227 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.2
Bump @typescript-eslint/parser from 5.36.1 to 5.36.2
2022-09-06 09:27:33 +02:00
dependabot[bot] 335c64c139 Bump @typescript-eslint/parser from 5.36.1 to 5.36.2
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.1 to 5.36.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.2/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-06 01:29:26 +00:00
Federico Builes af9a4fa160 Merge pull request #225 from actions/dependabot/npm_and_yarn/got-12.4.1
Bump got from 12.3.1 to 12.4.1
2022-09-05 15:47:15 +02:00
Federico Builes 3e04d4bc87 Merge pull request #224 from actions/dependabot/npm_and_yarn/types/node-16.11.57
Bump @types/node from 16.11.56 to 16.11.57
2022-09-05 15:47:07 +02:00
dependabot[bot] be076ebeca Bump got from 12.3.1 to 12.4.1
Bumps [got](https://github.com/sindresorhus/got) from 12.3.1 to 12.4.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.3.1...v12.4.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-05 12:50:09 +00:00
dependabot[bot] b74c52c335 Bump @types/node from 16.11.56 to 16.11.57
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.56 to 16.11.57.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-05 12:49:27 +00:00
Federico Builes 2233eb2b88 Merge pull request #222 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.1
Bump @typescript-eslint/parser from 5.36.0 to 5.36.1
2022-08-31 08:11:10 +02:00
dependabot[bot] ca11176434 Bump @typescript-eslint/parser from 5.36.0 to 5.36.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.0 to 5.36.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-31 06:09:50 +00:00
Federico Builes c8f5c5518e Merge pull request #221 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.1
Bump @typescript-eslint/eslint-plugin from 5.36.0 to 5.36.1
2022-08-31 08:09:04 +02:00
dependabot[bot] 469156603d Bump @typescript-eslint/eslint-plugin from 5.36.0 to 5.36.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.0 to 5.36.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-31 02:28:29 +00:00
Federico Builes 6b1d7e7207 Merge pull request #220 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.0
Bump @typescript-eslint/eslint-plugin from 5.35.1 to 5.36.0
2022-08-30 08:23:32 +02:00
dependabot[bot] a57a1dd454 Bump @typescript-eslint/eslint-plugin from 5.35.1 to 5.36.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.35.1 to 5.36.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-30 06:13:21 +00:00
Federico Builes 0e8bd1f46f Merge pull request #219 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.0
Bump @typescript-eslint/parser from 5.35.1 to 5.36.0
2022-08-30 08:12:25 +02:00
dependabot[bot] dd931c7005 Bump @typescript-eslint/parser from 5.35.1 to 5.36.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.35.1 to 5.36.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-30 01:39:32 +00:00
Federico Builes d8d78b6ace Merge pull request #218 from actions/dependabot/npm_and_yarn/eslint-8.23.0
Bump eslint from 8.22.0 to 8.23.0
2022-08-29 10:50:27 +02:00
dependabot[bot] a1eafc653a Bump eslint from 8.22.0 to 8.23.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.22.0 to 8.23.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.22.0...v8.23.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 08:49:31 +00:00
Federico Builes 35b0f5ded9 Merge pull request #217 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.1
Bump eslint-plugin-jest from 26.8.7 to 27.0.1
2022-08-29 10:49:01 +02:00
Federico Builes 5a25f0b1b3 Merge pull request #215 from actions/dependabot/npm_and_yarn/typescript-4.8.2
Bump typescript from 4.7.4 to 4.8.2
2022-08-29 10:31:12 +02:00
dependabot[bot] 88dd76a7ef Bump eslint-plugin-jest from 26.8.7 to 27.0.1
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.8.7 to 27.0.1.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.8.7...v27.0.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 01:55:23 +00:00
dependabot[bot] b1427bfe58 Bump typescript from 4.7.4 to 4.8.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.7.4 to 4.8.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.7.4...v4.8.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-26 01:36:36 +00:00
Federico Builes 0d079c6553 Merge pull request #214 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.35.1
Bump @typescript-eslint/parser from 5.34.0 to 5.35.1
2022-08-25 07:54:11 +02:00
dependabot[bot] ce3b0c8116 Bump @typescript-eslint/parser from 5.34.0 to 5.35.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.34.0 to 5.35.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.35.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 05:53:10 +00:00
Federico Builes d01dd09c36 Merge pull request #213 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.35.1
Bump @typescript-eslint/eslint-plugin from 5.34.0 to 5.35.1
2022-08-25 07:52:20 +02:00
dependabot[bot] 21d1a080df Bump @typescript-eslint/eslint-plugin from 5.34.0 to 5.35.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.34.0 to 5.35.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.35.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 05:49:54 +00:00
Federico Builes c869fcfa38 Merge pull request #212 from actions/dependabot/npm_and_yarn/types/node-16.11.56
Bump @types/node from 16.11.55 to 16.11.56
2022-08-25 07:49:19 +02:00
dependabot[bot] 20229aad71 Bump @types/node from 16.11.55 to 16.11.56
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.55 to 16.11.56.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 01:27:41 +00:00
Federico Builes 65d6c26087 Merge pull request #211 from actions/dependabot/npm_and_yarn/types/node-16.11.55
Bump @types/node from 16.11.54 to 16.11.55
2022-08-24 09:00:15 +02:00
dependabot[bot] 8b6795d89d Bump @types/node from 16.11.54 to 16.11.55
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.54 to 16.11.55.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 01:40:56 +00:00
Federico Builes 030c97ab49 Merge pull request #210 from actions/dependabot/npm_and_yarn/types/node-16.11.54
Bump @types/node from 16.11.52 to 16.11.54
2022-08-23 08:39:29 +02:00
Federico Builes dc44a85a96 Merge pull request #208 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.34.0
Bump @typescript-eslint/parser from 5.33.1 to 5.34.0
2022-08-23 08:38:58 +02:00
dependabot[bot] 9cdfbb83fa Bump @types/node from 16.11.52 to 16.11.54
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.52 to 16.11.54.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 06:38:16 +00:00
dependabot[bot] b1f8412445 Bump @typescript-eslint/parser from 5.33.1 to 5.34.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.33.1 to 5.34.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.34.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 06:38:02 +00:00
Federico Builes 0d02efb12c Merge pull request #207 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.34.0
Bump @typescript-eslint/eslint-plugin from 5.33.1 to 5.34.0
2022-08-23 08:37:24 +02:00
dependabot[bot] 2a09e52261 Bump @typescript-eslint/eslint-plugin from 5.33.1 to 5.34.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.33.1 to 5.34.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.34.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 01:35:02 +00:00
Federico Builes e86dfd8cc0 Merge pull request #206 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.8.7
Bump eslint-plugin-jest from 26.8.3 to 26.8.7
2022-08-22 08:10:22 +02:00
Federico Builes a39d9063b3 Merge pull request #205 from actions/dependabot/npm_and_yarn/types/node-16.11.52
Bump @types/node from 16.11.49 to 16.11.52
2022-08-22 08:09:56 +02:00
dependabot[bot] 9809e06c2d Bump eslint-plugin-jest from 26.8.3 to 26.8.7
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.8.3 to 26.8.7.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.8.3...v26.8.7)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-22 01:51:45 +00:00
dependabot[bot] 70bbe4186e Bump @types/node from 16.11.49 to 16.11.52
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.49 to 16.11.52.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-22 01:51:24 +00:00
Federico Builes 23d1ffffb6 Bumping to 2.1.0. 2022-08-18 16:22:01 +02:00
Federico Builes d792f3e8ca Add a reminder to update the version number in package.json
when creating a new release.
2022-08-18 16:20:03 +02:00
Federico Builes 5da7945e2b Fixing lint/dist. 2022-08-18 16:15:03 +02:00
Federico Builes a8e7c378a3 Merge pull request #181 from tspascoal/add-summary
Show vulnerabities and license information on the job summary.
2022-08-18 16:14:27 +02:00
Federico Builes 0e0d6ec5d6 Merge branch 'main' into add-summary 2022-08-18 16:11:15 +02:00
Tiago Pascoal 47f663b6ee update dist after fixing typo 2022-08-07 11:39:10 +00:00
Tiago Pascoal dfcdb87cb3 Fix typo
Co-authored-by: Eric Cornelissen <ericornelissen@gmail.com>
2022-08-07 12:36:42 +01:00
Tiago Pascoal 79f5aede88 Merge branch 'main' into add-summary 2022-08-04 16:59:57 +01:00
Tiago Pascoal aef949f026 Show vulnerabities and license information on the job summary.
Users can see the results that were found directly on the job summary

All the results are grouped by manifest.

It shows a table with vulnerable packages, together with package version,
the vulnerabily info and it's severity.

Shows info about package licenses, which packages have a non allowed license,
and the list of packages with unknown licenses.
2022-08-04 15:35:07 +00:00
16 changed files with 998 additions and 649 deletions
+1
View File
@@ -75,6 +75,7 @@ Here are a few things you can do that will increase the likelihood of your pull
## Cutting a new release
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
+24 -15
View File
@@ -5,8 +5,14 @@ raise an error if any vulnerabilities or invalid licenses are being introduced.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
You can see the results on the job logs
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
@@ -32,7 +38,7 @@ jobs:
### GitHub Enterprise Server
This action is available in GHES starting with version 3.6. Make sure
This action is available in Enterprise Server starting with version 3.6. Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
@@ -44,7 +50,6 @@ with the label of any of your runners (the default label
is `self-hosted`):
```yaml
# ...
jobs:
@@ -80,11 +85,14 @@ jobs:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# Possible values in comma separated list: "unknown", "runtime", or "development"
# fail-on-scopes: runtime, development
#
# Possible values: Any available git ref
# base-ref: ${{ github.event.pull_request.base.ref }}
# head-ref: ${{ github.event.pull_request.head.ref }}
#
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES.
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on Enterprise Server.
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
@@ -114,12 +122,23 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
fail-on-severity: high
```
### Dependency Scoping
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on Enterprise Server just yet, as the REST API's introduction of `scope` will be released in an upcoming Enterprise Server version. We will treat all dependencies on Enterprise Server as having a `runtime` scope and thus will not be filtered away.
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-scopes: runtime, development
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses. These options are not supported on GHES.
forbid a subset of licenses. These options are not supported on Enterprise Server.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
@@ -144,7 +163,7 @@ to filter. A couple of examples:
**Important**
<<<<<<< HEAD
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
@@ -152,16 +171,6 @@ to filter. A couple of examples:
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
=======
* Checking for licenses is not supported on GHES.
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
>>>>>>> main
## Blocking pull requests
+20
View File
@@ -13,6 +13,7 @@ function setInput(input: string, value: string) {
function clearInputs() {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'BASE-REF',
@@ -82,3 +83,22 @@ test('it raises an error when no refs are provided and the event is not a pull r
})
).toThrow()
})
test('it defaults to runtime scope', async () => {
const options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime'])
})
test('it parses custom scopes preference', async () => {
setInput('fail-on-scopes', 'runtime, development')
let options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime', 'development'])
clearInputs()
setInput('fail-on-scopes', 'development')
options = readConfig()
expect(options.fail_on_scopes).toEqual(['development'])
})
test('it raises an error when given invalid scope', async () => {
setInput('fail-on-scopes', 'runtime, zombies')
expect(() => readConfig()).toThrow()
})
+16 -1
View File
@@ -1,6 +1,6 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {filterChangesBySeverity} from '../src/filter'
import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
let npmChange: Change = {
manifest: 'package.json',
@@ -11,6 +11,7 @@ let npmChange: Change = {
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
@@ -30,6 +31,7 @@ let rubyChange: Change = {
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'development',
vulnerabilities: [
{
severity: 'moderate',
@@ -57,3 +59,16 @@ test('it properly filters changes by severity', async () => {
result = filterChangesBySeverity('critical', changes)
expect(changes).toEqual([npmChange, rubyChange])
})
test('it properly filters changes by scope', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesByScopes(['runtime'], changes)
expect(result).toEqual([npmChange])
result = filterChangesByScopes(['development'], changes)
expect(result).toEqual([rubyChange])
result = filterChangesByScopes(['runtime', 'development'], changes)
expect(result).toEqual([npmChange, rubyChange])
})
+2
View File
@@ -11,6 +11,7 @@ let npmChange: Change = {
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
@@ -30,6 +31,7 @@ let rubyChange: Change = {
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
+4
View File
@@ -10,6 +10,10 @@ inputs:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
fail-on-scopes:
description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")
required: false
default: 'runtime'
base-ref:
description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
Generated Vendored
+399 -164
View File
@@ -201,6 +201,7 @@ const request_error_1 = __nccwpck_require__(537);
const config_1 = __nccwpck_require__(6373);
const filter_1 = __nccwpck_require__(8752);
const licenses_1 = __nccwpck_require__(3247);
const summary = __importStar(__nccwpck_require__(8608));
const git_refs_1 = __nccwpck_require__(1086);
function run() {
return __awaiter(this, void 0, void 0, function* () {
@@ -219,21 +220,26 @@ function run() {
allow: config.allow_licenses,
deny: config.deny_licenses
};
const filteredChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, changes);
for (const change of filteredChanges) {
if (change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0) {
const scopes = config.fail_on_scopes;
const scopedChanges = (0, filter_1.filterChangesByScopes)(scopes, changes);
const addedChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, scopedChanges).filter(change => change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0);
const [licenseErrors, unknownLicenses] = (0, licenses_1.getDeniedLicenseChanges)(scopedChanges, licenses);
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses);
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change);
failed = true;
}
failed = true;
}
const [licenseErrors, unknownLicenses] = (0, licenses_1.getDeniedLicenseChanges)(changes, licenses);
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity || '');
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors);
core.setFailed('Dependency review detected incompatible licenses.');
}
printNullLicenses(unknownLicenses);
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config);
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.');
}
@@ -257,6 +263,9 @@ function run() {
}
}
}
finally {
yield core.summary.write();
}
});
}
function printChangeVulnerabilities(change) {
@@ -326,9 +335,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SEVERITIES = void 0;
exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SCOPES = exports.SEVERITIES = void 0;
const z = __importStar(__nccwpck_require__(3301));
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
exports.SCOPES = ['unknown', 'runtime', 'development'];
exports.ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -338,9 +348,10 @@ exports.ChangeSchema = z.object({
package_url: z.string(),
license: z.string().nullable(),
source_repository_url: z.string().nullable(),
scope: z.enum(exports.SCOPES).optional(),
vulnerabilities: z
.array(z.object({
severity: z.enum(['critical', 'high', 'moderate', 'low']),
severity: z.enum(exports.SEVERITIES),
advisory_ghsa_id: z.string(),
advisory_summary: z.string(),
advisory_url: z.string()
@@ -356,6 +367,7 @@ exports.PullRequestSchema = z.object({
exports.ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(exports.SEVERITIES).default('low'),
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
base_ref: z.string(),
@@ -366,6 +378,156 @@ exports.ConfigurationOptionsSchema = z
exports.ChangesSchema = z.array(exports.ChangeSchema);
/***/ }),
/***/ 8608:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.addLicensesToSummary = exports.addChangeVulnerabilitiesToSummary = exports.addSummaryToSummary = void 0;
const core = __importStar(__nccwpck_require__(2186));
function addSummaryToSummary(addedPackages, licenseErrors, unknownLicenses) {
core.summary
.addHeading('Dependency Review')
.addRaw(`We found ${addedPackages.length} vulnerable package(s), ${licenseErrors.length} package(s) with incompatible licenses, and ${unknownLicenses.length} package(s) with unknown licenses.`);
}
exports.addSummaryToSummary = addSummaryToSummary;
function addChangeVulnerabilitiesToSummary(addedPackages, severity) {
const rows = [];
const manifests = getManifests(addedPackages);
core.summary
.addHeading('Vulnerabilities')
.addQuote(`Vulnerabilites were filtered by mininum severity <strong>${severity}</strong>.`);
if (addedPackages.length === 0) {
core.summary.addQuote('No vulnerabilities found in added packages.');
return;
}
for (const manifest of manifests) {
for (const change of addedPackages.filter(pkg => pkg.manifest === manifest)) {
let previous_package = '';
let previous_version = '';
for (const vuln of change.vulnerabilities) {
const sameAsPrevious = previous_package === change.name &&
previous_version === change.version;
if (!sameAsPrevious) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
]);
}
else {
rows.push([
{ data: '', colspan: '2' },
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
]);
}
previous_package = change.name;
previous_version = change.version;
}
}
core.summary.addHeading(`<em>${manifest}</em>`, 3).addTable([
[
{ data: 'Name', header: true },
{ data: 'Version', header: true },
{ data: 'Vulnerability', header: true },
{ data: 'Severity', header: true }
],
...rows
]);
}
}
exports.addChangeVulnerabilitiesToSummary = addChangeVulnerabilitiesToSummary;
function addLicensesToSummary(licenseErrors, unknownLicenses, config) {
core.summary.addHeading('Licenses');
if (config.allow_licenses && config.allow_licenses.length > 0) {
core.summary.addQuote(`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`);
}
if (config.deny_licenses && config.deny_licenses.length > 0) {
core.summary.addQuote(`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`);
}
if (licenseErrors.length === 0 && unknownLicenses.length === 0) {
core.summary.addQuote('No license violations detected.');
return;
}
if (licenseErrors.length > 0) {
const rows = [];
const manifests = getManifests(licenseErrors);
core.summary.addHeading('Incompatible Licenses', 3).addSeparator();
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4);
for (const change of licenseErrors.filter(pkg => pkg.manifest === manifest)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
]);
}
core.summary.addTable([['Package', 'Version', 'License'], ...rows]);
}
}
else {
core.summary.addQuote('No license violations detected.');
}
core.debug(`found ${unknownLicenses.length} unknown licenses`);
if (unknownLicenses.length > 0) {
const rows = [];
const manifests = getManifests(unknownLicenses);
core.debug(`found ${manifests.entries.length} manifests for unknown licenses`);
core.summary.addHeading('Unknown Licenses', 3).addSeparator();
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4);
for (const change of unknownLicenses.filter(pkg => pkg.manifest === manifest)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version
]);
}
core.summary.addTable([['Package', 'Version'], ...rows]);
}
}
}
exports.addLicensesToSummary = addLicensesToSummary;
function getManifests(changes) {
return new Set(changes.flatMap(c => c.manifest));
}
function renderUrl(url, text) {
if (url) {
return `<a href="${url}">${text}</a>`;
}
else {
return text;
}
}
/***/ }),
/***/ 7351:
@@ -11486,8 +11648,7 @@ function wrappy (fn, cb) {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getErrorMap = exports.setErrorMap = exports.defaultErrorMap = exports.ZodError = exports.quotelessJson = exports.ZodIssueCode = void 0;
const parseUtil_1 = __nccwpck_require__(888);
exports.ZodError = exports.quotelessJson = exports.ZodIssueCode = void 0;
const util_1 = __nccwpck_require__(3985);
exports.ZodIssueCode = util_1.util.arrayToEnum([
"invalid_type",
@@ -11588,7 +11749,7 @@ class ZodError extends Error {
return this.message;
}
get message() {
return JSON.stringify(this.issues, parseUtil_1.jsonStringifyReplacer, 2);
return JSON.stringify(this.issues, util_1.util.jsonStringifyReplacer, 2);
}
get isEmpty() {
return this.issues.length === 0;
@@ -11616,101 +11777,23 @@ ZodError.create = (issues) => {
const error = new ZodError(issues);
return error;
};
const defaultErrorMap = (issue, _ctx) => {
let message;
switch (issue.code) {
case exports.ZodIssueCode.invalid_type:
if (issue.received === util_1.ZodParsedType.undefined) {
message = "Required";
}
else {
message = `Expected ${issue.expected}, received ${issue.received}`;
}
break;
case exports.ZodIssueCode.invalid_literal:
message = `Invalid literal value, expected ${JSON.stringify(issue.expected, parseUtil_1.jsonStringifyReplacer)}`;
break;
case exports.ZodIssueCode.unrecognized_keys:
message = `Unrecognized key(s) in object: ${util_1.util.joinValues(issue.keys, ", ")}`;
break;
case exports.ZodIssueCode.invalid_union:
message = `Invalid input`;
break;
case exports.ZodIssueCode.invalid_union_discriminator:
message = `Invalid discriminator value. Expected ${util_1.util.joinValues(issue.options)}`;
break;
case exports.ZodIssueCode.invalid_enum_value:
message = `Invalid enum value. Expected ${util_1.util.joinValues(issue.options)}, received '${issue.received}'`;
break;
case exports.ZodIssueCode.invalid_arguments:
message = `Invalid function arguments`;
break;
case exports.ZodIssueCode.invalid_return_type:
message = `Invalid function return type`;
break;
case exports.ZodIssueCode.invalid_date:
message = `Invalid date`;
break;
case exports.ZodIssueCode.invalid_string:
if (typeof issue.validation === "object") {
if ("startsWith" in issue.validation) {
message = `Invalid input: must start with "${issue.validation.startsWith}"`;
}
else if ("endsWith" in issue.validation) {
message = `Invalid input: must end with "${issue.validation.endsWith}"`;
}
else {
util_1.util.assertNever(issue.validation);
}
}
else if (issue.validation !== "regex") {
message = `Invalid ${issue.validation}`;
}
else {
message = "Invalid";
}
break;
case exports.ZodIssueCode.too_small:
if (issue.type === "array")
message = `Array must contain ${issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
else if (issue.type === "string")
message = `String must contain ${issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
else if (issue.type === "number")
message = `Number must be greater than ${issue.inclusive ? `or equal to ` : ``}${issue.minimum}`;
else if (issue.type === "date")
message = `Date must be greater than ${issue.inclusive ? `or equal to ` : ``}${new Date(issue.minimum)}`;
else
message = "Invalid input";
break;
case exports.ZodIssueCode.too_big:
if (issue.type === "array")
message = `Array must contain ${issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
else if (issue.type === "string")
message = `String must contain ${issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
else if (issue.type === "number")
message = `Number must be less than ${issue.inclusive ? `or equal to ` : ``}${issue.maximum}`;
else if (issue.type === "date")
message = `Date must be smaller than ${issue.inclusive ? `or equal to ` : ``}${new Date(issue.maximum)}`;
else
message = "Invalid input";
break;
case exports.ZodIssueCode.custom:
message = `Invalid input`;
break;
case exports.ZodIssueCode.invalid_intersection_types:
message = `Intersection results could not be merged`;
break;
case exports.ZodIssueCode.not_multiple_of:
message = `Number must be a multiple of ${issue.multipleOf}`;
break;
default:
message = _ctx.defaultError;
util_1.util.assertNever(issue);
}
return { message };
/***/ }),
/***/ 9566:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
exports.defaultErrorMap = defaultErrorMap;
let overrideErrorMap = exports.defaultErrorMap;
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getErrorMap = exports.setErrorMap = exports.defaultErrorMap = void 0;
const en_1 = __importDefault(__nccwpck_require__(468));
exports.defaultErrorMap = en_1.default;
let overrideErrorMap = en_1.default;
function setErrorMap(map) {
overrideErrorMap = map;
}
@@ -11740,6 +11823,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.ZodParsedType = exports.getParsedType = void 0;
__exportStar(__nccwpck_require__(9566), exports);
__exportStar(__nccwpck_require__(888), exports);
__exportStar(__nccwpck_require__(9449), exports);
var util_1 = __nccwpck_require__(3985);
@@ -11768,13 +11852,17 @@ var errorUtil;
/***/ }),
/***/ 888:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.jsonStringifyReplacer = exports.isAsync = exports.isValid = exports.isDirty = exports.isAborted = exports.OK = exports.DIRTY = exports.INVALID = exports.ParseStatus = exports.addIssueToContext = exports.EMPTY_PATH = exports.makeIssue = void 0;
const ZodError_1 = __nccwpck_require__(9892);
exports.isAsync = exports.isValid = exports.isDirty = exports.isAborted = exports.OK = exports.DIRTY = exports.INVALID = exports.ParseStatus = exports.addIssueToContext = exports.EMPTY_PATH = exports.makeIssue = void 0;
const errors_1 = __nccwpck_require__(9566);
const en_1 = __importDefault(__nccwpck_require__(468));
const makeIssue = (params) => {
const { data, path, errorMaps, issueData } = params;
const fullPath = [...path, ...(issueData.path || [])];
@@ -11806,8 +11894,8 @@ function addIssueToContext(ctx, issueData) {
errorMaps: [
ctx.common.contextualErrorMap,
ctx.schemaErrorMap,
ZodError_1.getErrorMap(),
ZodError_1.defaultErrorMap,
errors_1.getErrorMap(),
en_1.default,
].filter((x) => !!x),
});
ctx.common.issues.push(issue);
@@ -11881,13 +11969,6 @@ const isValid = (x) => x.status === "valid";
exports.isValid = isValid;
const isAsync = (x) => typeof Promise !== undefined && x instanceof Promise;
exports.isAsync = isAsync;
const jsonStringifyReplacer = (_, value) => {
if (typeof value === "bigint") {
return value.toString();
}
return value;
};
exports.jsonStringifyReplacer = jsonStringifyReplacer;
/***/ }),
@@ -11965,6 +12046,12 @@ var util;
.join(separator);
}
util.joinValues = joinValues;
util.jsonStringifyReplacer = (_, value) => {
if (typeof value === "bigint") {
return value.toString();
}
return value;
};
})(util = exports.util || (exports.util = {}));
exports.ZodParsedType = util.arrayToEnum([
"string",
@@ -12070,6 +12157,112 @@ __exportStar(__nccwpck_require__(9906), exports);
exports["default"] = mod;
/***/ }),
/***/ 468:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
const util_1 = __nccwpck_require__(3985);
const ZodError_1 = __nccwpck_require__(9892);
const errorMap = (issue, _ctx) => {
let message;
switch (issue.code) {
case ZodError_1.ZodIssueCode.invalid_type:
if (issue.received === util_1.ZodParsedType.undefined) {
message = "Required";
}
else {
message = `Expected ${issue.expected}, received ${issue.received}`;
}
break;
case ZodError_1.ZodIssueCode.invalid_literal:
message = `Invalid literal value, expected ${JSON.stringify(issue.expected, util_1.util.jsonStringifyReplacer)}`;
break;
case ZodError_1.ZodIssueCode.unrecognized_keys:
message = `Unrecognized key(s) in object: ${util_1.util.joinValues(issue.keys, ", ")}`;
break;
case ZodError_1.ZodIssueCode.invalid_union:
message = `Invalid input`;
break;
case ZodError_1.ZodIssueCode.invalid_union_discriminator:
message = `Invalid discriminator value. Expected ${util_1.util.joinValues(issue.options)}`;
break;
case ZodError_1.ZodIssueCode.invalid_enum_value:
message = `Invalid enum value. Expected ${util_1.util.joinValues(issue.options)}, received '${issue.received}'`;
break;
case ZodError_1.ZodIssueCode.invalid_arguments:
message = `Invalid function arguments`;
break;
case ZodError_1.ZodIssueCode.invalid_return_type:
message = `Invalid function return type`;
break;
case ZodError_1.ZodIssueCode.invalid_date:
message = `Invalid date`;
break;
case ZodError_1.ZodIssueCode.invalid_string:
if (typeof issue.validation === "object") {
if ("startsWith" in issue.validation) {
message = `Invalid input: must start with "${issue.validation.startsWith}"`;
}
else if ("endsWith" in issue.validation) {
message = `Invalid input: must end with "${issue.validation.endsWith}"`;
}
else {
util_1.util.assertNever(issue.validation);
}
}
else if (issue.validation !== "regex") {
message = `Invalid ${issue.validation}`;
}
else {
message = "Invalid";
}
break;
case ZodError_1.ZodIssueCode.too_small:
if (issue.type === "array")
message = `Array must contain ${issue.inclusive ? `at least` : `more than`} ${issue.minimum} element(s)`;
else if (issue.type === "string")
message = `String must contain ${issue.inclusive ? `at least` : `over`} ${issue.minimum} character(s)`;
else if (issue.type === "number")
message = `Number must be greater than ${issue.inclusive ? `or equal to ` : ``}${issue.minimum}`;
else if (issue.type === "date")
message = `Date must be greater than ${issue.inclusive ? `or equal to ` : ``}${new Date(issue.minimum)}`;
else
message = "Invalid input";
break;
case ZodError_1.ZodIssueCode.too_big:
if (issue.type === "array")
message = `Array must contain ${issue.inclusive ? `at most` : `less than`} ${issue.maximum} element(s)`;
else if (issue.type === "string")
message = `String must contain ${issue.inclusive ? `at most` : `under`} ${issue.maximum} character(s)`;
else if (issue.type === "number")
message = `Number must be less than ${issue.inclusive ? `or equal to ` : ``}${issue.maximum}`;
else if (issue.type === "date")
message = `Date must be smaller than ${issue.inclusive ? `or equal to ` : ``}${new Date(issue.maximum)}`;
else
message = "Invalid input";
break;
case ZodError_1.ZodIssueCode.custom:
message = `Invalid input`;
break;
case ZodError_1.ZodIssueCode.invalid_intersection_types:
message = `Intersection results could not be merged`;
break;
case ZodError_1.ZodIssueCode.not_multiple_of:
message = `Number must be a multiple of ${issue.multipleOf}`;
break;
default:
message = _ctx.defaultError;
util_1.util.assertNever(issue);
}
return { message };
};
exports["default"] = errorMap;
/***/ }),
/***/ 9335:
@@ -12079,7 +12272,8 @@ exports["default"] = mod;
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports["function"] = exports["enum"] = exports.effect = exports.discriminatedUnion = exports.date = exports.boolean = exports.bigint = exports.array = exports.any = exports.ZodFirstPartyTypeKind = exports.late = exports.ZodSchema = exports.Schema = exports.custom = exports.ZodBranded = exports.BRAND = exports.ZodNaN = exports.ZodDefault = exports.ZodNullable = exports.ZodOptional = exports.ZodTransformer = exports.ZodEffects = exports.ZodPromise = exports.ZodNativeEnum = exports.ZodEnum = exports.ZodLiteral = exports.ZodLazy = exports.ZodFunction = exports.ZodSet = exports.ZodMap = exports.ZodRecord = exports.ZodTuple = exports.ZodIntersection = exports.ZodDiscriminatedUnion = exports.ZodUnion = exports.ZodObject = exports.objectUtil = exports.ZodArray = exports.ZodVoid = exports.ZodNever = exports.ZodUnknown = exports.ZodAny = exports.ZodNull = exports.ZodUndefined = exports.ZodDate = exports.ZodBoolean = exports.ZodBigInt = exports.ZodNumber = exports.ZodString = exports.ZodType = void 0;
exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = void 0;
exports.NEVER = exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = void 0;
const errors_1 = __nccwpck_require__(9566);
const errorUtil_1 = __nccwpck_require__(2513);
const parseUtil_1 = __nccwpck_require__(888);
const util_1 = __nccwpck_require__(3985);
@@ -12112,7 +12306,7 @@ function processCreateParams(params) {
return {};
const { errorMap, invalid_type_error, required_error, description } = params;
if (errorMap && (invalid_type_error || required_error)) {
throw new Error(`Can't use "invalid" or "required" in conjunction with custom error map.`);
throw new Error(`Can't use "invalid_type_error" or "required_error" in conjunction with custom error map.`);
}
if (errorMap)
return { errorMap: errorMap, description };
@@ -13248,9 +13442,12 @@ class ZodObject extends ZodType {
const { status, ctx } = this._processInputParams(input);
const { shape, keys: shapeKeys } = this._getCached();
const extraKeys = [];
for (const key in ctx.data) {
if (!shapeKeys.includes(key)) {
extraKeys.push(key);
if (!(this._def.catchall instanceof ZodNever &&
this._def.unknownKeys === "strip")) {
for (const key in ctx.data) {
if (!shapeKeys.includes(key)) {
extraKeys.push(key);
}
}
}
const pairs = [];
@@ -13824,6 +14021,9 @@ class ZodTuple extends ZodType {
}
exports.ZodTuple = ZodTuple;
ZodTuple.create = (schemas, params) => {
if (!Array.isArray(schemas)) {
throw new Error("You must pass an array of schemas to z.tuple([ ... ])");
}
return new ZodTuple({
items: schemas,
typeName: ZodFirstPartyTypeKind.ZodTuple,
@@ -14054,8 +14254,8 @@ class ZodFunction extends ZodType {
errorMaps: [
ctx.common.contextualErrorMap,
ctx.schemaErrorMap,
ZodError_1.getErrorMap(),
ZodError_1.defaultErrorMap,
errors_1.getErrorMap(),
errors_1.defaultErrorMap,
].filter((x) => !!x),
issueData: {
code: ZodError_1.ZodIssueCode.invalid_arguments,
@@ -14070,8 +14270,8 @@ class ZodFunction extends ZodType {
errorMaps: [
ctx.common.contextualErrorMap,
ctx.schemaErrorMap,
ZodError_1.getErrorMap(),
ZodError_1.defaultErrorMap,
errors_1.getErrorMap(),
errors_1.defaultErrorMap,
].filter((x) => !!x),
issueData: {
code: ZodError_1.ZodIssueCode.invalid_return_type,
@@ -14141,18 +14341,18 @@ class ZodFunction extends ZodType {
const validatedFunc = this.parse(func);
return validatedFunc;
}
static create(args, returns, params) {
return new ZodFunction({
args: (args
? args
: ZodTuple.create([]).rest(ZodUnknown.create())),
returns: returns || ZodUnknown.create(),
typeName: ZodFirstPartyTypeKind.ZodFunction,
...processCreateParams(params),
});
}
}
exports.ZodFunction = ZodFunction;
ZodFunction.create = (args, returns, params) => {
return new ZodFunction({
args: (args
? args.rest(ZodUnknown.create())
: ZodTuple.create([]).rest(ZodUnknown.create())),
returns: returns || ZodUnknown.create(),
typeName: ZodFirstPartyTypeKind.ZodFunction,
...processCreateParams(params),
});
};
class ZodLazy extends ZodType {
get schema() {
return this._def.getter();
@@ -14610,6 +14810,12 @@ var ZodFirstPartyTypeKind;
ZodFirstPartyTypeKind["ZodPromise"] = "ZodPromise";
ZodFirstPartyTypeKind["ZodBranded"] = "ZodBranded";
})(ZodFirstPartyTypeKind = exports.ZodFirstPartyTypeKind || (exports.ZodFirstPartyTypeKind = {}));
// new approach that works for abstract classes
// but required TS 4.4+
// abstract class Class {
// constructor(..._: any[]) {}
// }
// const instanceOfType = <T extends typeof Class>(
const instanceOfType = (cls, params = {
message: `Input not instance of ${cls.name}`,
}) => exports.custom((data) => data instanceof cls, params, true);
@@ -14685,6 +14891,7 @@ const onumber = () => numberType().optional();
exports.onumber = onumber;
const oboolean = () => booleanType().optional();
exports.oboolean = oboolean;
exports.NEVER = parseUtil_1.INVALID;
/***/ }),
@@ -14726,11 +14933,23 @@ function getOptionalInput(name) {
const value = core.getInput(name);
return value.length > 0 ? value : undefined;
}
function parseList(list) {
if (list === undefined) {
return list;
}
else {
return list.split(',').map(x => x.trim());
}
}
function readConfig() {
const fail_on_severity = z
.enum(schemas_1.SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'));
const fail_on_scopes = z
.array(z.enum(schemas_1.SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')));
const allow_licenses = getOptionalInput('allow-licenses');
const deny_licenses = getOptionalInput('deny-licenses');
if (allow_licenses !== undefined && deny_licenses !== undefined) {
@@ -14740,8 +14959,9 @@ function readConfig() {
const head_ref = getOptionalInput('head-ref');
return {
fail_on_severity,
allow_licenses: allow_licenses === null || allow_licenses === void 0 ? void 0 : allow_licenses.split(',').map(x => x.trim()),
deny_licenses: deny_licenses === null || deny_licenses === void 0 ? void 0 : deny_licenses.split(',').map(x => x.trim()),
fail_on_scopes,
allow_licenses: parseList(allow_licenses),
deny_licenses: parseList(deny_licenses),
base_ref,
head_ref
};
@@ -14757,7 +14977,7 @@ exports.readConfig = readConfig;
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.filterChangesBySeverity = void 0;
exports.filterChangesByScopes = exports.filterChangesBySeverity = void 0;
const schemas_1 = __nccwpck_require__(1129);
function filterChangesBySeverity(severity, changes) {
const severityIdx = schemas_1.SEVERITIES.indexOf(severity);
@@ -14781,6 +15001,15 @@ function filterChangesBySeverity(severity, changes) {
return filteredChanges;
}
exports.filterChangesBySeverity = filterChangesBySeverity;
function filterChangesByScopes(scopes, changes) {
const filteredChanges = changes.filter(change => {
// if there is no scope on the change (Enterprise Server API for now), we will assume it is a runtime scope
const scope = change.scope || 'runtime';
return scopes.includes(scope);
});
return filteredChanges;
}
exports.filterChangesByScopes = filterChangesByScopes;
/***/ }),
@@ -14814,9 +15043,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SEVERITIES = void 0;
exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SCOPES = exports.SEVERITIES = void 0;
const z = __importStar(__nccwpck_require__(3301));
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
exports.SCOPES = ['unknown', 'runtime', 'development'];
exports.ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -14826,9 +15056,10 @@ exports.ChangeSchema = z.object({
package_url: z.string(),
license: z.string().nullable(),
source_repository_url: z.string().nullable(),
scope: z.enum(exports.SCOPES).optional(),
vulnerabilities: z
.array(z.object({
severity: z.enum(['critical', 'high', 'moderate', 'low']),
severity: z.enum(exports.SEVERITIES),
advisory_ghsa_id: z.string(),
advisory_summary: z.string(),
advisory_url: z.string()
@@ -14844,6 +15075,7 @@ exports.PullRequestSchema = z.object({
exports.ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(exports.SEVERITIES).default('low'),
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
base_ref: z.string(),
@@ -15013,7 +15245,7 @@ function assembleStyles() {
overline: [53, 55],
inverse: [7, 27],
hidden: [8, 28],
strikethrough: [9, 29]
strikethrough: [9, 29],
},
color: {
black: [30, 39],
@@ -15033,7 +15265,7 @@ function assembleStyles() {
blueBright: [94, 39],
magentaBright: [95, 39],
cyanBright: [96, 39],
whiteBright: [97, 39]
whiteBright: [97, 39],
},
bgColor: {
bgBlack: [40, 49],
@@ -15053,8 +15285,8 @@ function assembleStyles() {
bgBlueBright: [104, 49],
bgMagentaBright: [105, 49],
bgCyanBright: [106, 49],
bgWhiteBright: [107, 49]
}
bgWhiteBright: [107, 49],
},
};
// Alias bright black as gray (and grey)
@@ -15067,7 +15299,7 @@ function assembleStyles() {
for (const [styleName, style] of Object.entries(group)) {
styles[styleName] = {
open: `\u001B[${style[0]}m`,
close: `\u001B[${style[1]}m`
close: `\u001B[${style[1]}m`,
};
group[styleName] = styles[styleName];
@@ -15077,13 +15309,13 @@ function assembleStyles() {
Object.defineProperty(styles, groupName, {
value: group,
enumerable: false
enumerable: false,
});
}
Object.defineProperty(styles, 'codes', {
value: codes,
enumerable: false
enumerable: false,
});
styles.color.close = '\u001B[39m';
@@ -15114,39 +15346,41 @@ function assembleStyles() {
return Math.round(((red - 8) / 247) * 24) + 232;
}
return 16 +
(36 * Math.round(red / 255 * 5)) +
(6 * Math.round(green / 255 * 5)) +
Math.round(blue / 255 * 5);
return 16
+ (36 * Math.round(red / 255 * 5))
+ (6 * Math.round(green / 255 * 5))
+ Math.round(blue / 255 * 5);
},
enumerable: false
enumerable: false,
},
hexToRgb: {
value: hex => {
const matches = /(?<colorString>[a-f\d]{6}|[a-f\d]{3})/i.exec(hex.toString(16));
const matches = /[a-f\d]{6}|[a-f\d]{3}/i.exec(hex.toString(16));
if (!matches) {
return [0, 0, 0];
}
let {colorString} = matches.groups;
let [colorString] = matches;
if (colorString.length === 3) {
colorString = colorString.split('').map(character => character + character).join('');
colorString = [...colorString].map(character => character + character).join('');
}
const integer = Number.parseInt(colorString, 16);
return [
/* eslint-disable no-bitwise */
(integer >> 16) & 0xFF,
(integer >> 8) & 0xFF,
integer & 0xFF
integer & 0xFF,
/* eslint-enable no-bitwise */
];
},
enumerable: false
enumerable: false,
},
hexToAnsi256: {
value: hex => styles.rgbToAnsi256(...styles.hexToRgb(hex)),
enumerable: false
enumerable: false,
},
ansi256ToAnsi: {
value: code => {
@@ -15182,6 +15416,7 @@ function assembleStyles() {
return 30;
}
// eslint-disable-next-line no-bitwise
let result = 30 + ((Math.round(blue) << 2) | (Math.round(green) << 1) | Math.round(red));
if (value === 2) {
@@ -15190,16 +15425,16 @@ function assembleStyles() {
return result;
},
enumerable: false
enumerable: false,
},
rgbToAnsi: {
value: (red, green, blue) => styles.ansi256ToAnsi(styles.rgbToAnsi256(red, green, blue)),
enumerable: false
enumerable: false,
},
hexToAnsi: {
value: hex => styles.ansi256ToAnsi(styles.hexToAnsi256(hex)),
enumerable: false
}
enumerable: false,
},
});
return styles;
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+278 -430
View File
File diff suppressed because it is too large Load Diff
+12 -12
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.0.4",
"version": "2.2.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -29,26 +29,26 @@
"@actions/github": "^5.0.3",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.1",
"ansi-styles": "^6.1.0",
"got": "^12.3.1",
"nodemon": "^2.0.19",
"ansi-styles": "^6.1.1",
"got": "^12.5.0",
"nodemon": "^2.0.20",
"yaml": "^2.1.1",
"zod": "^3.18.0"
"zod": "^3.19.1"
},
"devDependencies": {
"@types/node": "^16.11.49",
"@typescript-eslint/eslint-plugin": "^5.33.1",
"@typescript-eslint/parser": "^5.33.1",
"@types/node": "^16.11.59",
"@typescript-eslint/eslint-plugin": "^5.38.0",
"@typescript-eslint/parser": "^5.38.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.22.0",
"eslint": "^8.23.1",
"eslint-plugin-github": "^4.3.7",
"eslint-plugin-jest": "^26.8.3",
"eslint-plugin-jest": "^27.0.4",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.19",
"nodemon": "^2.0.20",
"prettier": "2.7.1",
"ts-jest": "^27.1.4",
"typescript": "^4.7.4"
"typescript": "^4.8.3"
}
}
+15 -7
View File
@@ -32,17 +32,25 @@ event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
dev_cmd_env = {
"INPUT_REPO-TOKEN" => github_token,
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path
action_inputs = {
"repo-token" => github_token
}
dev_cmd = "./node_modules/.bin/nodemon --exec \"node -r esbuild-register\" src/main.ts"
dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}
# bash does not like variable names with dashes like the ones Actions
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
# manually setting them does the job.
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
while line = out.gets
puts line
puts line.gsub(github_token, "<REDACTED>")
end
end
+16 -3
View File
@@ -1,17 +1,29 @@
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES} from './schemas'
import {ConfigurationOptions, SEVERITIES, SCOPES} from './schemas'
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
return value.length > 0 ? value : undefined
}
function parseList(list: string | undefined): string[] | undefined {
if (list === undefined) {
return list
} else {
return list.split(',').map(x => x.trim())
}
}
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const fail_on_scopes = z
.array(z.enum(SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
@@ -24,8 +36,9 @@ export function readConfig(): ConfigurationOptions {
return {
fail_on_severity,
allow_licenses: allow_licenses?.split(',').map(x => x.trim()),
deny_licenses: deny_licenses?.split(',').map(x => x.trim()),
fail_on_scopes,
allow_licenses: parseList(allow_licenses),
deny_licenses: parseList(deny_licenses),
base_ref,
head_ref
}
+14 -1
View File
@@ -1,4 +1,4 @@
import {Changes, Severity, SEVERITIES} from './schemas'
import {Changes, Severity, SEVERITIES, Scope} from './schemas'
export function filterChangesBySeverity(
severity: Severity,
@@ -33,3 +33,16 @@ export function filterChangesBySeverity(
)
return filteredChanges
}
export function filterChangesByScopes(
scopes: Scope[],
changes: Changes
): Changes {
const filteredChanges = changes.filter(change => {
// if there is no scope on the change (Enterprise Server API for now), we will assume it is a runtime scope
const scope = change.scope || 'runtime'
return scopes.includes(scope)
})
return filteredChanges
}
+28 -14
View File
@@ -3,10 +3,11 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity} from './schemas'
import {Change, Severity, Scope} from './schemas'
import {readConfig} from '../src/config'
import {filterChangesBySeverity} from '../src/filter'
import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
async function run(): Promise<void> {
@@ -29,27 +30,36 @@ async function run(): Promise<void> {
deny: config.deny_licenses
}
const filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
)
const scopes = config.fail_on_scopes
for (const change of filteredChanges) {
if (
const scopedChanges = filterChangesByScopes(scopes as Scope[], changes)
const addedChanges = filterChangesBySeverity(
minSeverity as Severity,
scopedChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
) {
printChangeVulnerabilities(change)
failed = true
}
}
)
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
scopedChanges,
licenses
)
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses)
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
}
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity || '')
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
@@ -57,6 +67,8 @@ async function run(): Promise<void> {
printNullLicenses(unknownLicenses)
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config)
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
@@ -80,6 +92,8 @@ async function run(): Promise<void> {
core.setFailed('Unexpected fatal error')
}
}
} finally {
await core.summary.write()
}
}
+5 -1
View File
@@ -1,6 +1,7 @@
import * as z from 'zod'
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const SCOPES = ['unknown', 'runtime', 'development'] as const
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
@@ -11,10 +12,11 @@ export const ChangeSchema = z.object({
package_url: z.string(),
license: z.string().nullable(),
source_repository_url: z.string().nullable(),
scope: z.enum(SCOPES).optional(),
vulnerabilities: z
.array(
z.object({
severity: z.enum(['critical', 'high', 'moderate', 'low']),
severity: z.enum(SEVERITIES),
advisory_ghsa_id: z.string(),
advisory_summary: z.string(),
advisory_url: z.string()
@@ -33,6 +35,7 @@ export const PullRequestSchema = z.object({
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(SEVERITIES).default('low'),
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
base_ref: z.string(),
@@ -50,3 +53,4 @@ export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = typeof SEVERITIES[number]
export type Scope = typeof SCOPES[number]
+163
View File
@@ -0,0 +1,163 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Change, Changes} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
export function addSummaryToSummary(
addedPackages: Changes,
licenseErrors: Change[],
unknownLicenses: Change[]
): void {
core.summary
.addHeading('Dependency Review')
.addRaw(
`We found ${addedPackages.length} vulnerable package(s), ${licenseErrors.length} package(s) with incompatible licenses, and ${unknownLicenses.length} package(s) with unknown licenses.`
)
}
export function addChangeVulnerabilitiesToSummary(
addedPackages: Changes,
severity: string
): void {
const rows: SummaryTableRow[] = []
const manifests = getManifests(addedPackages)
core.summary
.addHeading('Vulnerabilities')
.addQuote(
`Vulnerabilites were filtered by mininum severity <strong>${severity}</strong>.`
)
if (addedPackages.length === 0) {
core.summary.addQuote('No vulnerabilities found in added packages.')
return
}
for (const manifest of manifests) {
for (const change of addedPackages.filter(
pkg => pkg.manifest === manifest
)) {
let previous_package = ''
let previous_version = ''
for (const vuln of change.vulnerabilities) {
const sameAsPrevious =
previous_package === change.name &&
previous_version === change.version
if (!sameAsPrevious) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
])
} else {
rows.push([
{data: '', colspan: '2'},
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
])
}
previous_package = change.name
previous_version = change.version
}
}
core.summary.addHeading(`<em>${manifest}</em>`, 3).addTable([
[
{data: 'Name', header: true},
{data: 'Version', header: true},
{data: 'Vulnerability', header: true},
{data: 'Severity', header: true}
],
...rows
])
}
}
export function addLicensesToSummary(
licenseErrors: Change[],
unknownLicenses: Change[],
config: ConfigurationOptions
): void {
core.summary.addHeading('Licenses')
if (config.allow_licenses && config.allow_licenses.length > 0) {
core.summary.addQuote(
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
)
}
if (config.deny_licenses && config.deny_licenses.length > 0) {
core.summary.addQuote(
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
)
}
if (licenseErrors.length === 0 && unknownLicenses.length === 0) {
core.summary.addQuote('No license violations detected.')
return
}
if (licenseErrors.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifests(licenseErrors)
core.summary.addHeading('Incompatible Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of licenseErrors.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
])
}
core.summary.addTable([['Package', 'Version', 'License'], ...rows])
}
} else {
core.summary.addQuote('No license violations detected.')
}
core.debug(`found ${unknownLicenses.length} unknown licenses`)
if (unknownLicenses.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifests(unknownLicenses)
core.debug(
`found ${manifests.entries.length} manifests for unknown licenses`
)
core.summary.addHeading('Unknown Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of unknownLicenses.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version
])
}
core.summary.addTable([['Package', 'Version'], ...rows])
}
}
}
function getManifests(changes: Changes): Set<string> {
return new Set(changes.flatMap(c => c.manifest))
}
function renderUrl(url: string | null, text: string): string {
if (url) {
return `<a href="${url}">${text}</a>`
} else {
return text
}
}