Compare commits

..

261 Commits

Author SHA1 Message Date
Federico Builes 0efb1d1d84 bumping to 2.5.1 2022-10-24 17:03:38 +02:00
Federico Builes d4f6425aa4 Merge pull request #290 from actions/cn/scan_pr
Enable setting configuration options for local testing
2022-10-24 16:55:54 +02:00
Federico Builes 49a61bd9bd Update scripts/scan_pr
Co-authored-by: cnagadya <cnagadya@github.com>
2022-10-24 16:54:03 +02:00
Federico Builes 06c01e11e8 Update scripts/scan_pr
Co-authored-by: cnagadya <cnagadya@github.com>
2022-10-24 16:53:56 +02:00
Federico Builes 4538b29c27 Merge pull request #300 from actions/dependabot/npm_and_yarn/eslint-8.26.0
Bump eslint from 8.25.0 to 8.26.0
2022-10-24 07:14:08 +02:00
Federico Builes 4153ec555a Merge pull request #299 from actions/dependabot/npm_and_yarn/types/node-16.18.0
Bump @types/node from 16.11.68 to 16.18.0
2022-10-24 07:13:59 +02:00
dependabot[bot] 7c8d0843f9 Bump eslint from 8.25.0 to 8.26.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.25.0 to 8.26.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.25.0...v8.26.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 01:47:43 +00:00
dependabot[bot] fc00198e43 Bump @types/node from 16.11.68 to 16.18.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.68 to 16.18.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 01:47:19 +00:00
Federico Builes 80e573b784 Fixing whitespace. 2022-10-21 14:03:17 +02:00
Federico Builes b5c3d1e723 Update scan_pr to support loading an external config YAML file. 2022-10-21 14:00:52 +02:00
Federico Builes 7fd272118a Updating scan_pr to support a config file option. 2022-10-21 13:55:52 +02:00
Federico Builes 3c9a31f5a0 Updating CONTRIBUTING.md 2022-10-21 13:36:00 +02:00
Federico Builes d8fba3fdc1 Remove hardcode file from .gitignore 2022-10-21 13:33:24 +02:00
Federico Builes e805dd89e8 Merge branch 'main' into cn/scan_pr 2022-10-21 13:27:09 +02:00
Federico Builes 32276cb73d Merge pull request #298 from actions/dependabot/npm_and_yarn/types/node-16.11.68
Bump @types/node from 16.11.66 to 16.11.68
2022-10-19 07:49:08 +02:00
Federico Builes fe226ac019 Merge pull request #297 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.3
Bump eslint-plugin-jest from 27.1.2 to 27.1.3
2022-10-19 07:48:52 +02:00
dependabot[bot] b759175bdb Bump @types/node from 16.11.66 to 16.11.68
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.66 to 16.11.68.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 01:34:58 +00:00
dependabot[bot] 6af054f363 Bump eslint-plugin-jest from 27.1.2 to 27.1.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.2 to 27.1.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.2...v27.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 01:34:46 +00:00
Federico Builes 6f32cb0afd Merge pull request #296 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.40.1
Bump @typescript-eslint/parser from 5.40.0 to 5.40.1
2022-10-18 10:05:25 +02:00
dependabot[bot] 2791afab72 Bump @typescript-eslint/parser from 5.40.0 to 5.40.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.40.0 to 5.40.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-18 06:54:19 +00:00
Federico Builes a8b5c8c24e Merge pull request #295 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.40.1
Bump @typescript-eslint/eslint-plugin from 5.40.0 to 5.40.1
2022-10-18 08:53:31 +02:00
dependabot[bot] 12a250de95 Bump @typescript-eslint/eslint-plugin from 5.40.0 to 5.40.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.40.0 to 5.40.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-18 01:26:32 +00:00
Federico Builes 917e5af203 Merge pull request #291 from actions/dependabot/npm_and_yarn/types/node-16.11.66
Bump @types/node from 16.11.65 to 16.11.66
2022-10-17 07:28:53 +02:00
Federico Builes ba6dba6225 Merge pull request #292 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.2
Bump eslint-plugin-jest from 27.1.1 to 27.1.2
2022-10-17 07:26:25 +02:00
dependabot[bot] 63154658bc Bump eslint-plugin-jest from 27.1.1 to 27.1.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.1 to 27.1.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.1...v27.1.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 01:51:39 +00:00
dependabot[bot] f84c5813e5 Bump @types/node from 16.11.65 to 16.11.66
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.65 to 16.11.66.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 01:51:15 +00:00
cnagadya 228a6404a2 Remove untracked dev-config.yml 2022-10-14 13:07:46 +00:00
cnagadya c84947f64b Ignore dev-config file 2022-10-14 12:31:49 +00:00
cnagadya 71dbf10e60 Add configuration instruction to docs 2022-10-14 12:31:17 +00:00
cnagadya f9deefc2e9 Retrieve config file values for local testing 2022-10-14 09:26:12 +00:00
Federico Builes 0e5d083be1 Merge pull request #289 from actions/dependabot/npm_and_yarn/octokit-2.0.9
Bump octokit from 2.0.7 to 2.0.9
2022-10-14 09:09:30 +02:00
Federico Builes 2f428eec67 adding dist 2022-10-14 09:03:58 +02:00
dependabot[bot] dff2fdff0f Bump octokit from 2.0.7 to 2.0.9
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.7 to 2.0.9.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.7...v2.0.9)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 06:56:20 +00:00
Federico Builes 12a171cf96 Merge pull request #288 from actions/dependabot/npm_and_yarn/octokit/request-error-3.0.2
Bump @octokit/request-error from 3.0.1 to 3.0.2
2022-10-14 08:55:30 +02:00
dependabot[bot] 3156cf8998 Bump @octokit/request-error from 3.0.1 to 3.0.2
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 01:25:21 +00:00
cnagadya fd675ced9c v2.5.0 release
Co-authored-by: Henri Maurer <hmaurer@github.com>
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-13 15:00:15 +00:00
Federico Builes f7d03d8b76 Merge pull request #284 from actions/cn/license-api-fallback
Use GH Licenses API to retrieve null licenses
2022-10-13 16:54:33 +02:00
Federico Builes 7e41a6f1ee Removing unnecessary beforeAll block
Mocks are removed in Jest automatically due to our
Jest config file.

Co-authored-by: Christine Nagadya <cnagadya@github.com>
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-10-13 16:52:54 +02:00
cnagadya 4c0961eff6 Add tests for GitHub License API fallback 2022-10-13 11:57:38 +00:00
cnagadya d1e9a12830 Resolve conflicts 2022-10-13 11:06:40 +00:00
cnagadya 2e3713aab8 Optimise setGHLicenses
Co-authored-by: Henri Maurer <hmaurer@github.com>
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-13 11:03:34 +00:00
cnagadya ba9d7c1389 Retrieve null licenses from licenses API 2022-10-13 11:03:34 +00:00
Federico Builes 0cd2781117 Merge pull request #286 from actions/dependabot/npm_and_yarn/ansi-styles-6.2.1
Bump ansi-styles from 6.2.0 to 6.2.1
2022-10-13 12:28:39 +02:00
Federico Builes 129f0ad973 adding dist 2022-10-13 12:26:58 +02:00
dependabot[bot] 0a88a4704b Bump ansi-styles from 6.2.0 to 6.2.1
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 06:12:45 +00:00
Federico Builes 18069caed8 Merge pull request #287 from actions/dependabot/npm_and_yarn/got-12.5.2
Bump got from 12.5.1 to 12.5.2
2022-10-13 08:12:07 +02:00
dependabot[bot] 61cee4b12b Bump got from 12.5.1 to 12.5.2
Bumps [got](https://github.com/sindresorhus/got) from 12.5.1 to 12.5.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.5.1...v12.5.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 01:25:32 +00:00
Federico Builes 94670a1af8 Merge pull request #282 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.4.0
Bump eslint-plugin-github from 4.3.7 to 4.4.0
2022-10-12 08:05:50 +02:00
Federico Builes 577d9714ad Merge pull request #283 from actions/dependabot/npm_and_yarn/ansi-styles-6.2.0
Bump ansi-styles from 6.1.1 to 6.2.0
2022-10-12 08:02:05 +02:00
Federico Builes 9ce6cb532b adding dist 2022-10-12 08:01:53 +02:00
dependabot[bot] 0b980b1ccd Bump ansi-styles from 6.1.1 to 6.2.0
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.1.1 to 6.2.0.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.1.1...v6.2.0)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 01:41:51 +00:00
dependabot[bot] bc5f6c2f39 Bump eslint-plugin-github from 4.3.7 to 4.4.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.3.7 to 4.4.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.3.7...v4.4.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 01:41:43 +00:00
cnagadya 9c96258789 Update to 2.4.1 2022-10-11 13:42:40 +00:00
Federico Builes f076f221f4 Merge pull request #280 from actions/format-bugs
Fix display issues with versions and GHSAs
2022-10-11 15:22:44 +02:00
Federico Builes 88b817ec8d adding dist 2022-10-11 15:20:02 +02:00
Federico Builes 2dd6c6a3d7 Fixing a bug with GHSA filtering.
Co-authored-by: Christine Nagadya <cnagadya@github.com>
2022-10-11 15:17:34 +02:00
Federico Builes 1d9bfbbddf Document the behavior of the GHSA filtering function. 2022-10-11 15:09:58 +02:00
Federico Builes f632f5f79d adding dist 2022-10-11 14:51:27 +02:00
Federico Builes ee42a6512f Show the dependency name instead of the manifest. 2022-10-11 14:50:55 +02:00
Federico Builes 6f58092362 Merge pull request #278 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.40.0
Bump @typescript-eslint/eslint-plugin from 5.39.0 to 5.40.0
2022-10-11 12:11:26 +02:00
dependabot[bot] b81bfe53ce Bump @typescript-eslint/eslint-plugin from 5.39.0 to 5.40.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.39.0 to 5.40.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 10:10:06 +00:00
Federico Builes 5679c0f8be Merge pull request #277 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.40.0
Bump @typescript-eslint/parser from 5.39.0 to 5.40.0
2022-10-11 12:09:15 +02:00
dependabot[bot] 2018b3e66f Bump @typescript-eslint/parser from 5.39.0 to 5.40.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.39.0 to 5.40.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 08:50:56 +00:00
Federico Builes 463890c1ed Merge pull request #276 from actions/dependabot/npm_and_yarn/types/node-16.11.65
Bump @types/node from 16.11.64 to 16.11.65
2022-10-11 10:50:05 +02:00
dependabot[bot] c9b9d23e75 Bump @types/node from 16.11.64 to 16.11.65
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.64 to 16.11.65.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 01:32:53 +00:00
Federico Builes 4c14cfe593 Merge pull request #275 from actions/dependabot/npm_and_yarn/eslint-8.25.0
Bump eslint from 8.24.0 to 8.25.0
2022-10-10 08:24:07 +02:00
dependabot[bot] 5b70fe08e7 Bump eslint from 8.24.0 to 8.25.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.24.0 to 8.25.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.24.0...v8.25.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-10 01:52:29 +00:00
Federico Builes 81216f689b Merge pull request #274 from actions/dependabot/npm_and_yarn/yaml-2.1.3
Bump yaml from 2.1.2 to 2.1.3
2022-10-06 14:43:54 +02:00
Federico Builes afbc15c97f updating dist files 2022-10-06 14:41:07 +02:00
dependabot[bot] 8d974c4ee8 Bump yaml from 2.1.2 to 2.1.3
Bumps [yaml](https://github.com/eemeli/yaml) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.1.2...v2.1.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-06 11:19:30 +00:00
Federico Builes cdad98596a Merge pull request #273 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.1
Bump eslint-plugin-jest from 27.1.0 to 27.1.1
2022-10-06 13:18:40 +02:00
dependabot[bot] 0a0eb39992 Bump eslint-plugin-jest from 27.1.0 to 27.1.1
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.0 to 27.1.1.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.0...v27.1.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-06 01:41:12 +00:00
Federico Builes df3ceaf7f0 Merge pull request #269 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.39.0
Bump @typescript-eslint/eslint-plugin from 5.38.1 to 5.39.0
2022-10-05 13:17:37 +02:00
dependabot[bot] 1997789b86 Bump @typescript-eslint/eslint-plugin from 5.38.1 to 5.39.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.38.1 to 5.39.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.39.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 11:01:03 +00:00
Federico Builes 584e620d09 Merge pull request #270 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.39.0
Bump @typescript-eslint/parser from 5.38.1 to 5.39.0
2022-10-05 13:00:23 +02:00
Federico Builes 1fa34689ad Merge pull request #271 from actions/dependabot/npm_and_yarn/types/node-16.11.64
Bump @types/node from 16.11.63 to 16.11.64
2022-10-05 13:00:15 +02:00
Federico Builes de2814d20e Merge pull request #272 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.0
Bump eslint-plugin-jest from 27.0.4 to 27.1.0
2022-10-05 08:17:58 +02:00
dependabot[bot] eabc27054f Bump eslint-plugin-jest from 27.0.4 to 27.1.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.4 to 27.1.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.4...v27.1.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:54:54 +00:00
dependabot[bot] b486e073e9 Bump @types/node from 16.11.63 to 16.11.64
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.63 to 16.11.64.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:54:43 +00:00
dependabot[bot] 03321307df Bump @typescript-eslint/parser from 5.38.1 to 5.39.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.38.1 to 5.39.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.39.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:51:49 +00:00
Federico Builes cc2a6ab32f Merge pull request #268 from actions/dependabot/npm_and_yarn/yaml-2.1.2
Bump yaml from 2.1.1 to 2.1.2
2022-10-03 11:32:30 +02:00
Federico Builes 5de8be4c40 Merge branch 'main' into dependabot/npm_and_yarn/yaml-2.1.2
# Conflicts:
#	dist/index.js.map
2022-10-03 11:31:02 +02:00
Federico Builes 1b8bd021a3 adding dist 2022-10-03 11:29:46 +02:00
Federico Builes 65d8cd176f Merge pull request #267 from actions/dependabot/npm_and_yarn/types/node-16.11.63
Bump @types/node from 16.11.62 to 16.11.63
2022-10-03 11:29:23 +02:00
Federico Builes 6d500ff869 Merge pull request #266 from actions/dependabot/npm_and_yarn/actions/github-5.1.1
Bump @actions/github from 5.1.0 to 5.1.1
2022-10-03 11:29:14 +02:00
Federico Builes 0259ed8420 add dist 2022-10-03 11:28:16 +02:00
dependabot[bot] ec636f3d19 Bump yaml from 2.1.1 to 2.1.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.1.1...v2.1.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:06:25 +00:00
dependabot[bot] 367e85631b Bump @types/node from 16.11.62 to 16.11.63
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.62 to 16.11.63.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:05:36 +00:00
dependabot[bot] abf7b5a775 Bump @actions/github from 5.1.0 to 5.1.1
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.1.0 to 5.1.1.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:05:00 +00:00
Federico Builes ba85772f4b Merge pull request #265 from actions/dependabot/npm_and_yarn/actions/core-1.10.0
Bump @actions/core from 1.9.1 to 1.10.0
2022-09-30 09:09:00 +02:00
Federico Builes 8d812df813 adding dist 2022-09-30 09:07:38 +02:00
dependabot[bot] 63e12b21ed Bump @actions/core from 1.9.1 to 1.10.0
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-30 01:45:02 +00:00
Federico Builes 0385b5b162 Merge pull request #248 from actions/add-scanned-deps
Add scanned deps
2022-09-28 10:53:37 +02:00
Federico Builes 8e053e0f5e Merge pull request #262 from actions/dependabot/npm_and_yarn/typescript-4.8.4
Bump typescript from 4.8.3 to 4.8.4
2022-09-28 08:04:35 +02:00
Federico Builes e0ff0cf732 Merge pull request #261 from actions/dependabot/npm_and_yarn/got-12.5.1
Bump got from 12.5.0 to 12.5.1
2022-09-28 08:04:26 +02:00
dependabot[bot] ea65cbfc18 Bump typescript from 4.8.3 to 4.8.4
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.3 to 4.8.4.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.8.3...v4.8.4)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-28 01:29:19 +00:00
dependabot[bot] 5bf43a89cd Bump got from 12.5.0 to 12.5.1
Bumps [got](https://github.com/sindresorhus/got) from 12.5.0 to 12.5.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.5.0...v12.5.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-28 01:29:03 +00:00
Federico Builes 468485fc8e Clean up the main script a bit. 2022-09-27 12:25:12 +02:00
Federico Builes 46c9f79a1f Create utils.ts file for helper functions. 2022-09-27 12:23:05 +02:00
Federico Builes cd3f55e8f9 Add all the dependencies to the review summary too. 2022-09-27 11:52:15 +02:00
Federico Builes f832351766 Merge pull request #258 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.38.1
Bump @typescript-eslint/eslint-plugin from 5.38.0 to 5.38.1
2022-09-27 08:10:02 +02:00
dependabot[bot] f96ed229f4 Bump @typescript-eslint/eslint-plugin from 5.38.0 to 5.38.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.38.0 to 5.38.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 06:08:27 +00:00
Federico Builes 629703a27b Merge pull request #260 from actions/dependabot/npm_and_yarn/types/node-16.11.62
Bump @types/node from 16.11.60 to 16.11.62
2022-09-27 08:08:06 +02:00
Federico Builes d05bfb69a5 Merge pull request #259 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.38.1
Bump @typescript-eslint/parser from 5.38.0 to 5.38.1
2022-09-27 08:07:40 +02:00
dependabot[bot] 02bcebdd6e Bump @types/node from 16.11.60 to 16.11.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.60 to 16.11.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 01:30:25 +00:00
dependabot[bot] fbeabf7e29 Bump @typescript-eslint/parser from 5.38.0 to 5.38.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.38.0 to 5.38.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 01:30:16 +00:00
Federico Builes 0515f5cb39 Adding a skeleton for scanned dependencies in the summary. 2022-09-26 19:14:04 +02:00
Federico Builes 2d1d679f58 Move manifest grouping outside main.ts 2022-09-26 19:13:25 +02:00
Federico Builes a3563a05bc Use a set instead of raw JS objects. 2022-09-26 12:41:16 +02:00
Federico Builes 8a20ddbf25 try adding 3 sections 2022-09-26 12:21:24 +02:00
Federico Builes 2a646668d9 adding dist 2022-09-26 12:03:34 +02:00
Federico Builes 60be833ffd Update manifest formatting in output. 2022-09-26 12:01:39 +02:00
Federico Builes edc501a219 adding dist 2022-09-26 11:41:40 +02:00
Federico Builes 000837f2ac Don't nest groups. 2022-09-26 11:41:02 +02:00
Federico Builes 89f99d150a adding colors to the dep output 2022-09-26 11:35:05 +02:00
Federico Builes 0ed41eff02 Merge branch 'main' into add-scanned-deps 2022-09-26 11:34:43 +02:00
Federico Builes dbe70eb550 updating gitignore 2022-09-26 11:29:22 +02:00
Federico Builes 78c7c01396 Merge branch 'main' into add-scanned-deps
# Conflicts:
#	dist/index.js.map
2022-09-26 08:47:23 +02:00
Federico Builes 89a5c76329 Merge pull request #254 from actions/dependabot/npm_and_yarn/actions/github-5.1.0
Bump @actions/github from 5.0.3 to 5.1.0
2022-09-26 08:46:18 +02:00
Federico Builes 4a6d691283 adding dist 2022-09-26 08:45:09 +02:00
Federico Builes b58d457243 Merge pull request #253 from actions/dependabot/npm_and_yarn/types/node-16.11.60
Bump @types/node from 16.11.59 to 16.11.60
2022-09-26 08:42:47 +02:00
Federico Builes cc033856be Merge pull request #255 from actions/dependabot/npm_and_yarn/eslint-8.24.0
Bump eslint from 8.23.1 to 8.24.0
2022-09-26 08:04:38 +02:00
dependabot[bot] 8595e805a5 Bump eslint from 8.23.1 to 8.24.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.23.1 to 8.24.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.23.1...v8.24.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:55:41 +00:00
dependabot[bot] fa10a7f0d6 Bump @actions/github from 5.0.3 to 5.1.0
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.0.3 to 5.1.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:54:35 +00:00
dependabot[bot] 6755d8aa71 Bump @types/node from 16.11.59 to 16.11.60
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.59 to 16.11.60.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:54:19 +00:00
Sarah Aladetan 375c537008 Updating to 2.4.0 2022-09-23 13:07:20 -07:00
Sarah Aladetan 98f28ebe06 Merge pull request #251 from actions/sarahkemi/ghsa-allowlist
Filter by vulnerability allow-list
2022-09-23 13:06:41 -07:00
Sarah Aladetan 716b322ec9 add allow-ghsas input to action.yml 2022-09-23 19:59:39 +00:00
Sarah Aladetan 12ae1bd550 Update wording in README.md
Co-authored-by: Federico Builes <febuiles@github.com>
2022-09-23 12:32:46 -07:00
Sarah Aladetan bcb52636bd build and package allow-ghsas 2022-09-22 22:58:43 +00:00
Sarah Aladetan 241ff73141 add doc on allow-ghsas to readme 2022-09-22 22:44:17 +00:00
Sarah Aladetan 062b749663 revise ghsa filter 2022-09-22 22:36:34 +00:00
Sarah Aladetan 4f00b72b84 filter allowed ghsas in action flow 2022-09-22 22:25:21 +00:00
Sarah Aladetan 602f968ea2 create a filter for vulns that are on the allowlist 2022-09-22 21:36:26 +00:00
Sarah Aladetan bd61ea0d9e create config option for ghsa allowlist 2022-09-22 21:34:18 +00:00
Federico Builes 8ec13c1f01 adding dist 2022-09-22 16:52:03 +02:00
Federico Builes 723ec8c0d3 Try showing information about the scanned dependencies. 2022-09-22 16:49:45 +02:00
Federico Builes 2843194510 Updating version. 2022-09-22 14:27:24 +02:00
Federico Builes 6944531f76 Update README.md 2022-09-22 14:26:27 +02:00
Federico Builes 29cdbbed37 Merge pull request #228 from actions/external-config
Add external configuration file
2022-09-22 14:22:39 +02:00
Federico Builes 88502badc9 Update README.md
Co-authored-by: Sarah Aladetan <sarahkemi@github.com>
2022-09-22 08:03:23 +02:00
Federico Builes ff7c97a976 adding dist 2022-09-21 17:03:01 +02:00
Federico Builes 4d3b8e5269 Clarify code a bit. 2022-09-21 17:01:00 +02:00
Federico Builes 38ee6e8360 Improve scopes example in new docs. 2022-09-21 16:53:20 +02:00
Federico Builes 54cd9a7cba Merge branch 'main' into external-config
# Conflicts:
#	README.md
#	__tests__/config.test.ts
#	dist/index.js.map
#	src/config.ts
#	src/schemas.ts
2022-09-21 16:50:02 +02:00
Federico Builes c4693c00ac Raise errors for invalid values in the external config. 2022-09-21 16:30:05 +02:00
Sarah Aladetan e89f113be2 add callout to checkout main when updating major version tag 2022-09-20 13:21:38 -07:00
Sarah Aladetan 2b96ea7f03 Bump version to 2.2.0
We've added filtering by dependency scopes
2022-09-20 13:06:20 -07:00
Sarah Aladetan 4300ce8d38 Merge pull request #243 from actions/sarahkemi/filter-dev-deps
Filter blocking dependency changes by scopes
2022-09-20 16:05:19 -04:00
Sarah Aladetan de48c615a3 build and package scope filtering 2022-09-20 15:18:31 +00:00
Federico Builes eef7e39202 Accept options from both sources, prioritize external config. 2022-09-20 15:52:34 +02:00
Federico Builes 37dc32836b Merge branch 'main' into external-config 2022-09-20 15:29:28 +02:00
Federico Builes 890361387d Updating dist. 2022-09-20 15:16:25 +02:00
Federico Builes 61f19e6447 Let the users set the path for the config file. 2022-09-20 15:15:14 +02:00
Federico Builes fd959624bf Merge pull request #245 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.38.0
Bump @typescript-eslint/eslint-plugin from 5.37.0 to 5.38.0
2022-09-20 07:59:56 +02:00
Federico Builes 11dd186eb0 Merge pull request #246 from actions/dependabot/npm_and_yarn/got-12.5.0
Bump got from 12.4.1 to 12.5.0
2022-09-20 07:59:44 +02:00
dependabot[bot] 1ab05cf855 Bump @typescript-eslint/eslint-plugin from 5.37.0 to 5.38.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.37.0 to 5.38.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 05:54:32 +00:00
dependabot[bot] 7d7d5e7c84 Bump got from 12.4.1 to 12.5.0
Bumps [got](https://github.com/sindresorhus/got) from 12.4.1 to 12.5.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.4.1...v12.5.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 05:54:28 +00:00
Federico Builes 8a8fa8bd07 Merge pull request #244 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.38.0
Bump @typescript-eslint/parser from 5.37.0 to 5.38.0
2022-09-20 07:53:39 +02:00
dependabot[bot] 06daf8e801 Bump @typescript-eslint/parser from 5.37.0 to 5.38.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.37.0 to 5.38.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 01:31:24 +00:00
Federico Builes aeb9ff5438 adding dist 2022-09-19 17:34:53 +02:00
Federico Builes 1ef21ab130 Leave a failing test for tomorrow! 2022-09-19 17:34:12 +02:00
Federico Builes 3c95902dd6 Adding more tests for the config file. 2022-09-19 17:29:25 +02:00
Federico Builes 4b4ec08f7b Make sure we get rid of the ridiculous dashes in the names. 2022-09-19 17:28:59 +02:00
Federico Builes a91c3ac205 Split reading inline/external configuration options. 2022-09-19 17:28:44 +02:00
Federico Builes bf0cb7fac4 Add a default config file. 2022-09-19 17:28:20 +02:00
Federico Builes 07a7056819 Update README to include config-file option. 2022-09-19 16:46:42 +02:00
Federico Builes b93fcee7ff Raise an error if the config file is not found. 2022-09-19 16:36:45 +02:00
Federico Builes 8bac022bfd Merge branch 'main' into external-config 2022-09-19 16:14:41 +02:00
Federico Builes fc4fb55b25 Merge pull request #241 from actions/dependabot/npm_and_yarn/nodemon-2.0.20
Bump nodemon from 2.0.19 to 2.0.20
2022-09-19 07:38:12 +02:00
dependabot[bot] 31c132fdca Bump nodemon from 2.0.19 to 2.0.20
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.19 to 2.0.20.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.19...v2.0.20)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 01:55:04 +00:00
Sarah Aladetan 10bc05df70 ensure scope filtering is backward compatible with enterprise rest api versions 2022-09-16 19:13:58 +00:00
Sarah Aladetan e641ee9a41 update readme with notes on dependency scopes 2022-09-16 16:45:59 +00:00
Federico Builes 0ba71661e5 Adding failing tests. 2022-09-16 14:32:09 +02:00
Federico Builes 8ef181b2cb Read a hardcoded config file. 2022-09-16 14:30:57 +02:00
Federico Builes 7e2a489d03 Merge branch 'main' into external-config 2022-09-16 13:55:17 +02:00
Federico Builes eaeaeb3d57 Merge pull request #239 from actions/dependabot/npm_and_yarn/types/node-16.11.59
Bump @types/node from 16.11.58 to 16.11.59
2022-09-16 13:55:02 +02:00
Federico Builes 1eaf30e6eb Merge pull request #240 from actions/hm/fix-scan_pr
Fix passing repo-token input in scan_pr script
2022-09-16 13:50:52 +02:00
Federico Builes 5da3462152 Explain why we mangle dashed variables. 2022-09-16 13:47:16 +02:00
Sarah Aladetan 6fa5a8f9c0 add fail-on-scopes input to action config 2022-09-15 20:07:28 +00:00
Sarah Aladetan 0d23c39a5d filter by scope in action 2022-09-15 20:03:27 +00:00
Sarah Aladetan 6549b27685 add configuration for scopes to fail on 2022-09-15 18:48:58 +00:00
Sarah Aladetan f4b16c52e5 add method to filter changes by given scopes 2022-09-15 18:00:07 +00:00
Sarah Aladetan 1a7a37c468 add scope to change schema 2022-09-15 17:53:34 +00:00
Henri Maurer 38b459efad Fix passing repo-token input in scan_pr script 2022-09-15 10:09:46 +00:00
dependabot[bot] 6410b2cdd2 Bump @types/node from 16.11.58 to 16.11.59
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.58 to 16.11.59.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-14 02:00:08 +00:00
Federico Builes fd3a3b1051 Merge pull request #236 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.37.0
Bump @typescript-eslint/parser from 5.36.2 to 5.37.0
2022-09-13 07:16:16 +02:00
dependabot[bot] 6771e49f11 Bump @typescript-eslint/parser from 5.36.2 to 5.37.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.2 to 5.37.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.37.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 05:14:03 +00:00
Federico Builes c7c07e1117 Merge pull request #237 from actions/dependabot/npm_and_yarn/eslint-8.23.1
Bump eslint from 8.23.0 to 8.23.1
2022-09-13 07:13:17 +02:00
Federico Builes 59fdb0cce7 Merge pull request #238 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.37.0
Bump @typescript-eslint/eslint-plugin from 5.36.2 to 5.37.0
2022-09-13 07:13:03 +02:00
dependabot[bot] 950228f7f7 Bump @typescript-eslint/eslint-plugin from 5.36.2 to 5.37.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.2 to 5.37.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.37.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 03:40:44 +00:00
dependabot[bot] 6973819203 Bump eslint from 8.23.0 to 8.23.1
Bumps [eslint](https://github.com/eslint/eslint) from 8.23.0 to 8.23.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.23.0...v8.23.1)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-13 03:40:27 +00:00
Federico Builes eee2e3260e Merge pull request #235 from actions/dependabot/npm_and_yarn/ansi-styles-6.1.1
Bump ansi-styles from 6.1.0 to 6.1.1
2022-09-12 06:57:39 +02:00
Federico Builes 7eeddef885 adding dist 2022-09-12 06:56:41 +02:00
Federico Builes 8c58cdad09 Merge branch 'main' into dependabot/npm_and_yarn/ansi-styles-6.1.1 2022-09-12 06:56:12 +02:00
Federico Builes 380290a89b Merge pull request #234 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.4
Bump eslint-plugin-jest from 27.0.2 to 27.0.4
2022-09-12 06:54:43 +02:00
Federico Builes 50c3ed0ba6 Merge pull request #233 from actions/dependabot/npm_and_yarn/zod-3.19.1
Bump zod from 3.19.0 to 3.19.1
2022-09-12 06:54:18 +02:00
Federico Builes 0455501026 adding dist 2022-09-12 06:54:07 +02:00
dependabot[bot] bac3f038ac Bump ansi-styles from 6.1.0 to 6.1.1
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.1.0...v6.1.1)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:55:42 +00:00
dependabot[bot] 2d81062605 Bump eslint-plugin-jest from 27.0.2 to 27.0.4
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.2 to 27.0.4.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.2...v27.0.4)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:55:29 +00:00
dependabot[bot] 2ae4b932b7 Bump zod from 3.19.0 to 3.19.1
Bumps [zod](https://github.com/colinhacks/zod) from 3.19.0 to 3.19.1.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.19.0...v3.19.1)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-12 01:54:09 +00:00
Federico Builes c7d4075ae0 Merge pull request #232 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.2
Bump eslint-plugin-jest from 27.0.1 to 27.0.2
2022-09-09 08:45:35 +02:00
Federico Builes 49a0208abf Merge pull request #231 from actions/dependabot/npm_and_yarn/typescript-4.8.3
Bump typescript from 4.8.2 to 4.8.3
2022-09-09 08:45:23 +02:00
dependabot[bot] 94941958fb Bump eslint-plugin-jest from 27.0.1 to 27.0.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.1 to 27.0.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.1...v27.0.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 01:30:41 +00:00
dependabot[bot] 2764e60363 Bump typescript from 4.8.2 to 4.8.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.2 to 4.8.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.8.2...v4.8.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-09 01:29:54 +00:00
Federico Builes bcd1b9ab86 Merge pull request #230 from actions/dependabot/npm_and_yarn/types/node-16.11.58
Bump @types/node from 16.11.57 to 16.11.58
2022-09-08 12:02:31 +02:00
dependabot[bot] d96759fedc Bump @types/node from 16.11.57 to 16.11.58
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.57 to 16.11.58.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-08 01:32:47 +00:00
Federico Builes bfd72e7da2 Merge pull request #229 from actions/dependabot/npm_and_yarn/zod-3.19.0
Bump zod from 3.18.0 to 3.19.0
2022-09-07 07:50:34 +02:00
Federico Builes d8efcf0c1f updating dist files 2022-09-07 07:47:22 +02:00
dependabot[bot] 3b74514266 Bump zod from 3.18.0 to 3.19.0
Bumps [zod](https://github.com/colinhacks/zod) from 3.18.0 to 3.19.0.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.18.0...v3.19.0)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-07 01:30:01 +00:00
Federico Builes 6dfe5fd567 Force line-breaks. 2022-09-06 14:36:50 +02:00
Federico Builes 71a0ed0a31 Updating the README to include instructions for both config file options. 2022-09-06 14:30:39 +02:00
Federico Builes 7a364ecd6b Merge pull request #226 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.2
Bump @typescript-eslint/eslint-plugin from 5.36.1 to 5.36.2
2022-09-06 09:29:02 +02:00
dependabot[bot] 435083feb7 Bump @typescript-eslint/eslint-plugin from 5.36.1 to 5.36.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.1 to 5.36.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-06 07:28:29 +00:00
Federico Builes 781a55eaaa Merge pull request #227 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.2
Bump @typescript-eslint/parser from 5.36.1 to 5.36.2
2022-09-06 09:27:33 +02:00
dependabot[bot] 335c64c139 Bump @typescript-eslint/parser from 5.36.1 to 5.36.2
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.1 to 5.36.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.2/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-06 01:29:26 +00:00
Federico Builes af9a4fa160 Merge pull request #225 from actions/dependabot/npm_and_yarn/got-12.4.1
Bump got from 12.3.1 to 12.4.1
2022-09-05 15:47:15 +02:00
Federico Builes 3e04d4bc87 Merge pull request #224 from actions/dependabot/npm_and_yarn/types/node-16.11.57
Bump @types/node from 16.11.56 to 16.11.57
2022-09-05 15:47:07 +02:00
dependabot[bot] be076ebeca Bump got from 12.3.1 to 12.4.1
Bumps [got](https://github.com/sindresorhus/got) from 12.3.1 to 12.4.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.3.1...v12.4.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-05 12:50:09 +00:00
dependabot[bot] b74c52c335 Bump @types/node from 16.11.56 to 16.11.57
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.56 to 16.11.57.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-05 12:49:27 +00:00
Federico Builes 2233eb2b88 Merge pull request #222 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.1
Bump @typescript-eslint/parser from 5.36.0 to 5.36.1
2022-08-31 08:11:10 +02:00
dependabot[bot] ca11176434 Bump @typescript-eslint/parser from 5.36.0 to 5.36.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.36.0 to 5.36.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-31 06:09:50 +00:00
Federico Builes c8f5c5518e Merge pull request #221 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.1
Bump @typescript-eslint/eslint-plugin from 5.36.0 to 5.36.1
2022-08-31 08:09:04 +02:00
dependabot[bot] 469156603d Bump @typescript-eslint/eslint-plugin from 5.36.0 to 5.36.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.36.0 to 5.36.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-31 02:28:29 +00:00
Federico Builes 6b1d7e7207 Merge pull request #220 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.36.0
Bump @typescript-eslint/eslint-plugin from 5.35.1 to 5.36.0
2022-08-30 08:23:32 +02:00
dependabot[bot] a57a1dd454 Bump @typescript-eslint/eslint-plugin from 5.35.1 to 5.36.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.35.1 to 5.36.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-30 06:13:21 +00:00
Federico Builes 0e8bd1f46f Merge pull request #219 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.36.0
Bump @typescript-eslint/parser from 5.35.1 to 5.36.0
2022-08-30 08:12:25 +02:00
dependabot[bot] dd931c7005 Bump @typescript-eslint/parser from 5.35.1 to 5.36.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.35.1 to 5.36.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.36.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-30 01:39:32 +00:00
Federico Builes d8d78b6ace Merge pull request #218 from actions/dependabot/npm_and_yarn/eslint-8.23.0
Bump eslint from 8.22.0 to 8.23.0
2022-08-29 10:50:27 +02:00
dependabot[bot] a1eafc653a Bump eslint from 8.22.0 to 8.23.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.22.0 to 8.23.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.22.0...v8.23.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 08:49:31 +00:00
Federico Builes 35b0f5ded9 Merge pull request #217 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.0.1
Bump eslint-plugin-jest from 26.8.7 to 27.0.1
2022-08-29 10:49:01 +02:00
Federico Builes 5a25f0b1b3 Merge pull request #215 from actions/dependabot/npm_and_yarn/typescript-4.8.2
Bump typescript from 4.7.4 to 4.8.2
2022-08-29 10:31:12 +02:00
dependabot[bot] 88dd76a7ef Bump eslint-plugin-jest from 26.8.7 to 27.0.1
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.8.7 to 27.0.1.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.8.7...v27.0.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-29 01:55:23 +00:00
dependabot[bot] b1427bfe58 Bump typescript from 4.7.4 to 4.8.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.7.4 to 4.8.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.7.4...v4.8.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-26 01:36:36 +00:00
Federico Builes 0d079c6553 Merge pull request #214 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.35.1
Bump @typescript-eslint/parser from 5.34.0 to 5.35.1
2022-08-25 07:54:11 +02:00
dependabot[bot] ce3b0c8116 Bump @typescript-eslint/parser from 5.34.0 to 5.35.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.34.0 to 5.35.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.35.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 05:53:10 +00:00
Federico Builes d01dd09c36 Merge pull request #213 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.35.1
Bump @typescript-eslint/eslint-plugin from 5.34.0 to 5.35.1
2022-08-25 07:52:20 +02:00
dependabot[bot] 21d1a080df Bump @typescript-eslint/eslint-plugin from 5.34.0 to 5.35.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.34.0 to 5.35.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.35.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 05:49:54 +00:00
Federico Builes c869fcfa38 Merge pull request #212 from actions/dependabot/npm_and_yarn/types/node-16.11.56
Bump @types/node from 16.11.55 to 16.11.56
2022-08-25 07:49:19 +02:00
dependabot[bot] 20229aad71 Bump @types/node from 16.11.55 to 16.11.56
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.55 to 16.11.56.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-25 01:27:41 +00:00
Federico Builes 65d6c26087 Merge pull request #211 from actions/dependabot/npm_and_yarn/types/node-16.11.55
Bump @types/node from 16.11.54 to 16.11.55
2022-08-24 09:00:15 +02:00
dependabot[bot] 8b6795d89d Bump @types/node from 16.11.54 to 16.11.55
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.54 to 16.11.55.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 01:40:56 +00:00
Federico Builes 030c97ab49 Merge pull request #210 from actions/dependabot/npm_and_yarn/types/node-16.11.54
Bump @types/node from 16.11.52 to 16.11.54
2022-08-23 08:39:29 +02:00
Federico Builes dc44a85a96 Merge pull request #208 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.34.0
Bump @typescript-eslint/parser from 5.33.1 to 5.34.0
2022-08-23 08:38:58 +02:00
dependabot[bot] 9cdfbb83fa Bump @types/node from 16.11.52 to 16.11.54
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.52 to 16.11.54.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 06:38:16 +00:00
dependabot[bot] b1f8412445 Bump @typescript-eslint/parser from 5.33.1 to 5.34.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.33.1 to 5.34.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.34.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 06:38:02 +00:00
Federico Builes 0d02efb12c Merge pull request #207 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.34.0
Bump @typescript-eslint/eslint-plugin from 5.33.1 to 5.34.0
2022-08-23 08:37:24 +02:00
dependabot[bot] 2a09e52261 Bump @typescript-eslint/eslint-plugin from 5.33.1 to 5.34.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.33.1 to 5.34.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.34.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 01:35:02 +00:00
Federico Builes e86dfd8cc0 Merge pull request #206 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.8.7
Bump eslint-plugin-jest from 26.8.3 to 26.8.7
2022-08-22 08:10:22 +02:00
Federico Builes a39d9063b3 Merge pull request #205 from actions/dependabot/npm_and_yarn/types/node-16.11.52
Bump @types/node from 16.11.49 to 16.11.52
2022-08-22 08:09:56 +02:00
dependabot[bot] 9809e06c2d Bump eslint-plugin-jest from 26.8.3 to 26.8.7
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.8.3 to 26.8.7.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.8.3...v26.8.7)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-22 01:51:45 +00:00
dependabot[bot] 70bbe4186e Bump @types/node from 16.11.49 to 16.11.52
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.49 to 16.11.52.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-22 01:51:24 +00:00
Federico Builes 23d1ffffb6 Bumping to 2.1.0. 2022-08-18 16:22:01 +02:00
Federico Builes d792f3e8ca Add a reminder to update the version number in package.json
when creating a new release.
2022-08-18 16:20:03 +02:00
Federico Builes 5da7945e2b Fixing lint/dist. 2022-08-18 16:15:03 +02:00
Federico Builes a8e7c378a3 Merge pull request #181 from tspascoal/add-summary
Show vulnerabities and license information on the job summary.
2022-08-18 16:14:27 +02:00
Federico Builes 0e0d6ec5d6 Merge branch 'main' into add-summary 2022-08-18 16:11:15 +02:00
Tiago Pascoal 47f663b6ee update dist after fixing typo 2022-08-07 11:39:10 +00:00
Tiago Pascoal dfcdb87cb3 Fix typo
Co-authored-by: Eric Cornelissen <ericornelissen@gmail.com>
2022-08-07 12:36:42 +01:00
Tiago Pascoal 79f5aede88 Merge branch 'main' into add-summary 2022-08-04 16:59:57 +01:00
Tiago Pascoal aef949f026 Show vulnerabities and license information on the job summary.
Users can see the results that were found directly on the job summary

All the results are grouped by manifest.

It shows a table with vulnerable packages, together with package version,
the vulnerabily info and it's severity.

Shows info about package licenses, which packages have a non allowed license,
and the list of packages with unknown licenses.
2022-08-04 15:35:07 +00:00
22 changed files with 30031 additions and 1040 deletions
+1
View File
@@ -1,4 +1,5 @@
event.json
.ruby-version
# Dependency directory
node_modules
+26 -17
View File
@@ -1,4 +1,5 @@
# Contributing
[fork]: https://github.com/actions/dependency-review-action/fork
[pr]: https://github.com/actions/dependency-review-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md
@@ -9,7 +10,6 @@ Contributions to this project are
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).
Please note that this project is released with a [Contributor Code of
Conduct][code-of-conduct]. By participating in this project you agree
to abide by its terms.
@@ -20,7 +20,6 @@ This Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
to find out the set of added and removed dependencies for each manifest.
### Bootstrapping the project
```
@@ -35,7 +34,7 @@ npm install
npm run test
```
*Note*: We don't have any useful tests yet, contributions are welcome!
_Note_: We don't have any useful tests yet, contributions are welcome!
## Local Development
@@ -56,16 +55,24 @@ Like this:
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
```
[Configuration options](README.md#configuration-options) can be set by
passing an external YAML [configuration file](README.md#configuration-file) to the
`scan_pr` script with the `-c`/`--config-file` option:
```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```
## Submitting a pull request
0. [Fork][fork] and clone the repository
0. Configure and install the dependencies: `npm install`
0. Make sure the tests pass on your machine: `npm run test`
0. Create a new branch: `git checkout -b my-branch-name`
0. Make your change, add tests, and make sure the tests still pass
0. Make sure to build and package before pushing: `npm run build && npm run package`
0. Push to your fork and [submit a pull request][pr]
0. Pat your self on the back and wait for your pull request to be reviewed and merged.
1. Configure and install the dependencies: `npm install`
2. Make sure the tests pass on your machine: `npm run test`
3. Create a new branch: `git checkout -b my-branch-name`
4. Make your change, add tests, and make sure the tests still pass
5. Make sure to build and package before pushing: `npm run build && npm run package`
6. Push to your fork and [submit a pull request][pr]
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
@@ -75,22 +82,23 @@ Here are a few things you can do that will increase the likelihood of your pull
## Cutting a new release
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
2. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
1. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
You now have a tag and release using the semver version you used
@@ -100,7 +108,8 @@ major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
To do this just force-create a new annotated tag and push it:
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v2 -m "Updating v2 to 2.3.4"
git push origin v2 --force
+163 -37
View File
@@ -5,8 +5,14 @@ raise an error if any vulnerabilities or invalid licenses are being introduced.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
You can see the results on the job logs
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
@@ -32,7 +38,7 @@ jobs:
### GitHub Enterprise Server
This action is available in GHES starting with version 3.6. Make sure
This action is available in Enterprise Server starting with version 3.6. Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
@@ -44,7 +50,6 @@ with the label of any of your runners (the default label
is `self-hosted`):
```yaml
# ...
jobs:
@@ -59,9 +64,144 @@ jobs:
## Configuration
You can pass additional options to the Dependency Review
Action using your workflow file. Here's an example workflow with
all the possible configurations:
Configure this action by either using an external configuration file,
or by inlining these options in your workflow file.
## Configuration Options
### config-file
A string representing the path to an external configuraton file. By
default external configuration files are not used.
**Possible values**: A string representing the absolute path to the
configuration file.
**Example**: `config-file: ./.github/dependency-review-config.yml`.
### fail-on-severity
Configure the severity level for alerting. See "[Vulnerability Severity](https://github.com/actions/dependency-review-action#vulnerability-severity)".
**Possible values**: `critical`, `high`, `moderate`, `low`.
**Example**: `fail-on-severity: moderate`.
### fail-on-scopes
A list of strings representing the build environments you want to
support. The default value is `development, runtime`.
**Possible values**: `development`, `runtime`, `unknown`
**Inline example**: `fail-on-scopes: development, runtime`
**YAML example**:
```yaml
# this prevents scanning development dependencies
fail-on-scopes:
- runtime
```
### allow-licenses
Only allow the licenses in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
**YAML example**:
```yaml
allow-licenses:
- BSD-3-Clause
- MIT
```
### deny-licenses
Add a custom list of licenses you want to block. See
"[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
**YAML example**:
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
```
### allow-ghsas
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
**Possible values**: Any valid advisory GHSA ids.
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
**YAML example**:
```yaml
allow-ghsas:
- GHSA-abcd-1234-5679
- GHSA-efgh-1234-5679
```
### base-ref/head-ref
Provide custom git references for the git base/head when performing
the comparison. If you are using pull requests, or
`pull_request_target` events you do not need to worry about setting
this. The values need to be specified for all other event types.
**Possible values**: Any valid git ref(s) in your project.
**Example**:
```yaml
base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### Configuration File
You can use an external configuration file to specify the settings for
this Action.
Start by specifying that you will be using an external configuration
file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified. **All of these fields are
optional**:
```yaml
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
### Inline Configuration
You can pass options to the Dependency Review
Action using your workflow file. Here's an example of what the full
file would look like:
```yaml
name: 'Dependency Review'
@@ -77,26 +217,11 @@ jobs:
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# Possible values: Any available git ref
# base-ref: ${{ github.event.pull_request.base.ref }}
# head-ref: ${{ github.event.pull_request.head.ref }}
#
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES.
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
fail-on-severity: moderate
When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
the `base-ref` and `head-ref` values have the defaults as shown above. If the workflow is caused by
any other event, the `base-ref` and `head-ref` options must be
explicitly set in the configuration file.
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
@@ -114,12 +239,23 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
fail-on-severity: high
```
### Dependency Scoping
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on Enterprise Server just yet, as the REST API's introduction of `scope` will be released in an upcoming Enterprise Server version. We will treat all dependencies on Enterprise Server as having a `runtime` scope and thus will not be filtered away.
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-scopes: runtime, development
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses. These options are not supported on GHES.
forbid a subset of licenses. These options are not supported on Enterprise Server.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
@@ -142,9 +278,9 @@ to filter. A couple of examples:
deny-licenses: Apache-1.1, Apache-2.0
```
**Important**
### Considerations
<<<<<<< HEAD
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
@@ -152,16 +288,6 @@ to filter. A couple of examples:
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
=======
* Checking for licenses is not supported on GHES.
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
>>>>>>> main
## Blocking pull requests
+94 -1
View File
@@ -1,5 +1,5 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {readConfig, readConfigFile} from '../src/config'
import {getRefs} from '../src/git-refs'
// GitHub Action inputs come in the form of environment variables
@@ -13,8 +13,11 @@ function setInput(input: string, value: string) {
function clearInputs() {
const allowedOptions = [
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF'
]
@@ -82,3 +85,93 @@ test('it raises an error when no refs are provided and the event is not a pull r
})
).toThrow()
})
test('it reads an external config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the the config file was not found', async () => {
expect(() => readConfigFile('fixtures/i-dont-exist')).toThrow()
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
options = readConfig()
expect(options.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the external config is the source of truth', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
// this should not overwite the previous value
setInput('fail-on-severity', 'low')
options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
options = readConfig()
expect(options.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
expect(() => readConfig()).toThrow()
})
test('it defaults to runtime scope', async () => {
const options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime'])
})
test('it parses custom scopes preference', async () => {
setInput('fail-on-scopes', 'runtime, development')
let options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime', 'development'])
clearInputs()
setInput('fail-on-scopes', 'development')
options = readConfig()
expect(options.fail_on_scopes).toEqual(['development'])
})
test('it raises an error when given invalid scope', async () => {
setInput('fail-on-scopes', 'runtime, zombies')
expect(() => readConfig()).toThrow()
})
test('it defaults to an empty GHSA allowlist', async () => {
const options = readConfig()
expect(options.allow_ghsas).toEqual(undefined)
})
test('it successfully parses GHSA allowlist', async () => {
setInput('allow-ghsas', 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679')
const options = readConfig()
expect(options.allow_ghsas).toEqual([
'GHSA-abcd-1234-5679',
'GHSA-efgh-1234-5679'
])
})
+65 -1
View File
@@ -1,6 +1,10 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {filterChangesBySeverity} from '../src/filter'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterAllowedAdvisories
} from '../src/filter'
let npmChange: Change = {
manifest: 'package.json',
@@ -11,6 +15,7 @@ let npmChange: Change = {
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
@@ -30,6 +35,7 @@ let rubyChange: Change = {
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'development',
vulnerabilities: [
{
severity: 'moderate',
@@ -46,6 +52,19 @@ let rubyChange: Change = {
]
}
let noVulnNpmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'helpful',
version: '1.0.0',
package_url: 'pkg:npm/helpful@1.0.0',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: []
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
@@ -57,3 +76,48 @@ test('it properly filters changes by severity', async () => {
result = filterChangesBySeverity('critical', changes)
expect(changes).toEqual([npmChange, rubyChange])
})
test('it properly filters changes by scope', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesByScopes(['runtime'], changes)
expect(result).toEqual([npmChange])
result = filterChangesByScopes(['development'], changes)
expect(result).toEqual([rubyChange])
result = filterChangesByScopes(['runtime', 'development'], changes)
expect(result).toEqual([npmChange, rubyChange])
})
test('it properly handles undefined advisory IDs', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(undefined, changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
@@ -0,0 +1,3 @@
fail-on-severity: 'so many zombies'
deny-licenses:
- MIT
@@ -0,0 +1 @@
allow_licenses: ['MIT', 'GPL 2']
+80 -7
View File
@@ -1,4 +1,4 @@
import {expect, test} from '@jest/globals'
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
@@ -11,6 +11,7 @@ let npmChange: Change = {
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
@@ -30,6 +31,7 @@ let rubyChange: Change = {
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
@@ -46,15 +48,41 @@ let rubyChange: Change = {
]
}
jest.mock('@actions/core')
const mockOctokit = {
rest: {
licenses: {
getForRepo: jest
.fn()
.mockReturnValue({data: {license: {spdx_id: 'AGPL'}}})
}
}
}
jest.mock('octokit', () => {
return {
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
test('it fails if a license outside the allow list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges[0]).toBe(npmChange)
})
test('it fails if a license inside the deny list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
const [invalidChanges] = await getDeniedLicenseChanges(changes, {
deny: ['BSD']
})
expect(invalidChanges[0]).toBe(rubyChange)
})
@@ -62,7 +90,7 @@ test('it fails if a license inside the deny list is found', async () => {
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = getDeniedLicenseChanges(changes, {
let [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
allow: [],
deny: ['BSD']
})
@@ -74,7 +102,9 @@ test('it does not fail if a license outside the allow list is found in removed c
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges).toStrictEqual([])
})
@@ -83,7 +113,9 @@ test('it does not fail if a license inside the deny list is found in removed cha
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
deny: ['BSD']
})
expect(invalidChanges).toStrictEqual([])
})
@@ -93,6 +125,47 @@ test('it fails if a license outside the allow list is found in both of added and
npmChange,
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges).toStrictEqual([npmChange])
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
...npmChange,
license: null,
source_repository_url: 'http://github.com/some-owner/some-repo'
}
const [_, unknownChanges] = await getDeniedLicenseChanges(
[nullLicenseChange, rubyChange],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).toHaveBeenNthCalledWith(1, {
owner: 'some-owner',
repo: 'some-repo'
})
expect(unknownChanges.length).toEqual(0)
})
test('it does not call licenses API endpoint for change with null license and invalid source_repository_url ', async () => {
const [_, unknownChanges] = await getDeniedLicenseChanges(
[{...npmChange, license: null}],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unknownChanges.length).toEqual(1)
})
test('it does not call licenses API endpoint if licenses for all changes are present', async () => {
const [_, unknownChanges] = await getDeniedLicenseChanges(
[npmChange, rubyChange],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unknownChanges.length).toEqual(0)
})
})
+10
View File
@@ -10,18 +10,28 @@ inputs:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
fail-on-scopes:
description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")
required: false
default: 'runtime'
base-ref:
description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
head-ref:
description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
config-file:
description: A filepath to the configuration file for the action.
required: false
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-ghsas:
description: Comma-separated list of allowed Github Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+25539 -305
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1066
View File
File diff suppressed because it is too large Load Diff
+2390 -580
View File
File diff suppressed because it is too large Load Diff
+19 -17
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.0.4",
"version": "2.5.1",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,30 +25,32 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.9.1",
"@actions/github": "^5.0.3",
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.1",
"ansi-styles": "^6.1.0",
"got": "^12.3.1",
"nodemon": "^2.0.19",
"yaml": "^2.1.1",
"zod": "^3.18.0"
"@octokit/request-error": "^3.0.2",
"ansi-styles": "^6.2.1",
"got": "^12.5.2",
"nodemon": "^2.0.20",
"octokit": "^2.0.9",
"yaml": "^2.1.3",
"zod": "^3.19.1"
},
"devDependencies": {
"@types/node": "^16.11.49",
"@typescript-eslint/eslint-plugin": "^5.33.1",
"@typescript-eslint/parser": "^5.33.1",
"@types/jest": "^27.5.2",
"@types/node": "^16.18.0",
"@typescript-eslint/eslint-plugin": "^5.40.1",
"@typescript-eslint/parser": "^5.40.1",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.22.0",
"eslint-plugin-github": "^4.3.7",
"eslint-plugin-jest": "^26.8.3",
"eslint": "^8.26.0",
"eslint-plugin-github": "^4.4.0",
"eslint-plugin-jest": "^27.1.3",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.19",
"nodemon": "^2.0.20",
"prettier": "2.7.1",
"ts-jest": "^27.1.4",
"typescript": "^4.7.4"
"typescript": "^4.8.4"
}
}
+48 -9
View File
@@ -3,22 +3,52 @@ require 'json'
require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'
gemfile do
source 'https://rubygems.org'
gem 'octokit'
end
config_file = nil
github_token = ENV["GITHUB_TOKEN"]
if !github_token || github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV[0])
op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.
\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>
\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
EOF
opts.banner = usage
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
config_file = cf
end
opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end
op.parse!
# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
if arg.nil?
puts "Usage: script/scan_pr <pr_url>"
puts op
exit -1
end
@@ -32,17 +62,26 @@ event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
dev_cmd_env = {
"INPUT_REPO-TOKEN" => github_token,
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path
action_inputs = {
"repo-token": github_token,
"config-file": config_file
}
dev_cmd = "./node_modules/.bin/nodemon --exec \"node -r esbuild-register\" src/main.ts"
dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}
# bash does not like variable names with dashes like the ones Actions
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
# manually setting them does the job.
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
while line = out.gets
puts line
puts line.gsub(github_token, "<REDACTED>")
end
end
+69 -9
View File
@@ -1,32 +1,92 @@
import * as fs from 'fs'
import path from 'path'
import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES} from './schemas'
import {
ConfigurationOptions,
ConfigurationOptionsSchema,
SeveritySchema,
SCOPES
} from './schemas'
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
return value.length > 0 ? value : undefined
}
function parseList(list: string | undefined): string[] | undefined {
if (list === undefined) {
return list
} else {
return list.split(',').map(x => x.trim())
}
}
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
const externalConfig = getOptionalInput('config-file')
if (externalConfig !== undefined) {
const config = readConfigFile(externalConfig)
// the reasoning behind reading the inline config when an external
// config file is provided is that we still want to allow users to
// pass inline options in the presence of an external config file.
const inlineConfig = readInlineConfig()
// the external config takes precedence
return Object.assign({}, inlineConfig, config)
} else {
return readInlineConfig()
}
}
export function readInlineConfig(): ConfigurationOptions {
const fail_on_severity = SeveritySchema.parse(
getOptionalInput('fail-on-severity')
)
const fail_on_scopes = z
.array(z.enum(SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
return {
fail_on_severity,
allow_licenses: allow_licenses?.split(',').map(x => x.trim()),
deny_licenses: deny_licenses?.split(',').map(x => x.trim()),
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_ghsas,
base_ref,
head_ref
}
}
export function readConfigFile(filePath: string): ConfigurationOptions {
let data
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: unknown) {
throw error
}
data = YAML.parse(data)
// get rid of the ugly dashes from the actions conventions
for (const key of Object.keys(data)) {
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
const values = ConfigurationOptionsSchema.parse(data)
return values
}
+58 -1
View File
@@ -1,4 +1,4 @@
import {Changes, Severity, SEVERITIES} from './schemas'
import {Changes, Severity, SEVERITIES, Scope} from './schemas'
export function filterChangesBySeverity(
severity: Severity,
@@ -33,3 +33,60 @@ export function filterChangesBySeverity(
)
return filteredChanges
}
export function filterChangesByScopes(
scopes: Scope[] | undefined,
changes: Changes
): Changes {
if (scopes === undefined) {
return []
}
const filteredChanges = changes.filter(change => {
// if there is no scope on the change (Enterprise Server API for now), we will assume it is a runtime scope
const scope = change.scope || 'runtime'
return scopes.includes(scope)
})
return filteredChanges
}
/**
* Filter out changes that are allowed by the allow_ghsas config
* option. We want to remove these changes before we do any
* processing.
* @param ghsas - list of GHSA IDs to allow
* @param changes - list of changes to filter
* @returns a list of changes with the allowed GHSAs removed
*/
export function filterAllowedAdvisories(
ghsas: string[] | undefined,
changes: Changes
): Changes {
if (ghsas === undefined) {
return changes
}
const filteredChanges = changes.filter(change => {
const noAdvisories =
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
if (noAdvisories) {
return true
}
let allAllowedAdvisories = true
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
})
return filteredChanges
}
+65 -4
View File
@@ -1,3 +1,5 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import {Change} from './schemas'
/**
@@ -10,21 +12,27 @@ import {Change} from './schemas'
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
* @returns {Promise<[Array.<Change>, Array.<Change>]>} A promise to a 2 element tuple. The first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
export function getDeniedLicenseChanges(
export async function getDeniedLicenseChanges(
changes: Change[],
licenses: {
allow?: string[]
deny?: string[]
}
): [Change[], Change[]] {
): Promise<[Change[], Change[]]> {
const {allow, deny} = licenses
const disallowed: Change[] = []
const unknown: Change[] = []
for (const change of changes) {
const consolidatedChanges = changes.some(
({source_repository_url, license}) => !license && source_repository_url
)
? await setGHLicenses(changes)
: changes
for (const change of consolidatedChanges) {
if (change.change_type === 'removed') {
continue
}
@@ -47,3 +55,56 @@ export function getDeniedLicenseChanges(
return [disallowed, unknown]
}
const fetchGHLicense = async (
owner: string,
repo: string
): Promise<string | null> => {
const octokit = new Octokit({
auth: core.getInput('repo-token', {required: true})
})
try {
const response = await octokit.rest.licenses.getForRepo({owner, repo})
return response.data.license?.spdx_id ?? null
} catch (_) {
return null
}
}
const parseGitHubURL = (url: string): {owner: string; repo: string} | null => {
try {
const parsed = new URL(url)
if (parsed.host !== 'github.com') {
return null
}
const components = parsed.pathname.split('/')
if (components.length < 3) {
return null
}
return {owner: components[1], repo: components[2]}
} catch (_) {
return null
}
}
const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
const updatedChanges = changes.map(async change => {
if (change.license !== null || change.source_repository_url === null) {
return change
}
const githubUrl = parseGitHubURL(change.source_repository_url)
if (githubUrl === null) {
return change
}
return {
...change,
license: await fetchGHLicense(githubUrl.owner, githubUrl.repo)
}
})
return Promise.all(updatedChanges)
}
+121 -48
View File
@@ -3,12 +3,19 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity} from './schemas'
import {Change, Severity, Changes} from './schemas'
import {readConfig} from '../src/config'
import {filterChangesBySeverity} from '../src/filter'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterAllowedAdvisories
} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
async function run(): Promise<void> {
try {
const config = readConfig()
@@ -21,49 +28,39 @@ async function run(): Promise<void> {
headRef: refs.head
})
const minSeverity = config.fail_on_severity
let failed = false
const licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
const filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
const minSeverity = config.fail_on_severity as Severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
for (const change of filteredChanges) {
if (
const addedChanges = filterChangesBySeverity(
minSeverity,
filteredChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
) {
printChangeVulnerabilities(change)
failed = true
}
}
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
licenses
)
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
const [licenseErrors, unknownLicenses] = await getDeniedLicenseChanges(
filteredChanges,
{
allow: config.allow_licenses,
deny: config.deny_licenses
}
)
printNullLicenses(unknownLicenses)
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses)
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config)
summary.addScannedDependencies(changes)
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
printVulnerabilitiesBlock(addedChanges, minSeverity)
printLicensesBlock(licenseErrors, unknownLicenses)
printScannedDependencies(changes)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -80,9 +77,34 @@ async function run(): Promise<void> {
core.setFailed('Unexpected fatal error')
}
}
} finally {
await core.summary.write()
}
}
function printVulnerabilitiesBlock(
addedChanges: Change[],
minSeverity: Severity
): void {
let failed = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
})
}
function printChangeVulnerabilities(change: Change): void {
for (const vuln of change.vulnerabilities) {
core.info(
@@ -96,18 +118,17 @@ function printChangeVulnerabilities(change: Change): void {
}
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
const color = (
{
critical: 'red',
high: 'red',
moderate: 'yellow',
low: 'grey'
} as const
)[severity]
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
function printLicensesBlock(
licenseErrors: Change[],
unknownLicenses: Change[]
): void {
core.group('Licenses', async () => {
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
})
}
function printLicensesError(changes: Change[]): void {
@@ -136,4 +157,56 @@ function printNullLicenses(changes: Change[]): void {
}
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
const color = (
{
critical: 'red',
high: 'red',
moderate: 'yellow',
low: 'grey'
} as const
)[severity]
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function renderScannedDependency(change: Change): string {
const changeType: string = change.change_type
if (changeType !== 'added' && changeType !== 'removed') {
throw new Error(`Unexpected change type: ${changeType}`)
}
const color = (
{
added: 'green',
removed: 'red'
} as const
)[changeType]
const icon = (
{
added: '+',
removed: '-'
} as const
)[changeType]
return `${styles.color[color].open}${icon} ${change.name}@${change.version}${styles.color[color].close}`
}
function printScannedDependencies(changes: Changes): void {
core.group('Dependency Changes', async () => {
const dependencies = groupDependenciesByManifest(changes)
for (const manifestName of dependencies.keys()) {
const manifestChanges = dependencies.get(manifestName) || []
core.info(`File: ${styles.bold.open}${manifestName}${styles.bold.close}`)
for (const change of manifestChanges) {
core.info(`${renderScannedDependency(change)}`)
}
}
})
}
run()
+11 -3
View File
@@ -1,6 +1,9 @@
import * as z from 'zod'
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const SCOPES = ['unknown', 'runtime', 'development'] as const
export const SeveritySchema = z.enum(SEVERITIES).default('low')
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
@@ -11,10 +14,11 @@ export const ChangeSchema = z.object({
package_url: z.string(),
license: z.string().nullable(),
source_repository_url: z.string().nullable(),
scope: z.enum(SCOPES).optional(),
vulnerabilities: z
.array(
z.object({
severity: z.enum(['critical', 'high', 'moderate', 'low']),
severity: SeveritySchema,
advisory_ghsa_id: z.string(),
advisory_summary: z.string(),
advisory_url: z.string()
@@ -32,9 +36,12 @@ export const PullRequestSchema = z.object({
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(SEVERITIES).default('low'),
fail_on_severity: SeveritySchema,
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
allow_ghsas: z.array(z.string()).default([]),
config_file: z.string().optional().default('false'),
base_ref: z.string(),
head_ref: z.string()
})
@@ -49,4 +56,5 @@ export const ChangesSchema = z.array(ChangeSchema)
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = typeof SEVERITIES[number]
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = typeof SCOPES[number]
+171
View File
@@ -0,0 +1,171 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Change, Changes} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
export function addSummaryToSummary(
addedPackages: Changes,
licenseErrors: Change[],
unknownLicenses: Change[]
): void {
core.summary
.addHeading('Dependency Review')
.addRaw(
`We found ${addedPackages.length} vulnerable package(s), ${licenseErrors.length} package(s) with incompatible licenses, and ${unknownLicenses.length} package(s) with unknown licenses.`
)
}
export function addChangeVulnerabilitiesToSummary(
addedPackages: Changes,
severity: string
): void {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(addedPackages)
core.summary
.addHeading('Vulnerabilities')
.addQuote(
`Vulnerabilites were filtered by mininum severity <strong>${severity}</strong>.`
)
if (addedPackages.length === 0) {
core.summary.addQuote('No vulnerabilities found in added packages.')
return
}
for (const manifest of manifests) {
for (const change of addedPackages.filter(
pkg => pkg.manifest === manifest
)) {
let previous_package = ''
let previous_version = ''
for (const vuln of change.vulnerabilities) {
const sameAsPrevious =
previous_package === change.name &&
previous_version === change.version
if (!sameAsPrevious) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
])
} else {
rows.push([
{data: '', colspan: '2'},
renderUrl(vuln.advisory_url, vuln.advisory_summary),
vuln.severity
])
}
previous_package = change.name
previous_version = change.version
}
}
core.summary.addHeading(`<em>${manifest}</em>`, 3).addTable([
[
{data: 'Name', header: true},
{data: 'Version', header: true},
{data: 'Vulnerability', header: true},
{data: 'Severity', header: true}
],
...rows
])
}
}
export function addLicensesToSummary(
licenseErrors: Change[],
unknownLicenses: Change[],
config: ConfigurationOptions
): void {
core.summary.addHeading('Licenses')
if (config.allow_licenses && config.allow_licenses.length > 0) {
core.summary.addQuote(
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
)
}
if (config.deny_licenses && config.deny_licenses.length > 0) {
core.summary.addQuote(
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
)
}
if (licenseErrors.length === 0 && unknownLicenses.length === 0) {
core.summary.addQuote('No license violations detected.')
return
}
if (licenseErrors.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(licenseErrors)
core.summary.addHeading('Incompatible Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of licenseErrors.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
])
}
core.summary.addTable([['Package', 'Version', 'License'], ...rows])
}
} else {
core.summary.addQuote('No license violations detected.')
}
core.debug(`found ${unknownLicenses.length} unknown licenses`)
if (unknownLicenses.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(unknownLicenses)
core.debug(
`found ${manifests.entries.length} manifests for unknown licenses`
)
core.summary.addHeading('Unknown Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of unknownLicenses.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version
])
}
core.summary.addTable([['Package', 'Version'], ...rows])
}
}
}
export function addScannedDependencies(changes: Changes): void {
const dependencies = groupDependenciesByManifest(changes)
const manifests = dependencies.keys()
const summary = core.summary
.addHeading('Scanned Dependencies')
.addRaw(`We scanned ${dependencies.size} manifest files:`)
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
if (deps) {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addRaw(`<h3>${manifest}</h3><ul>${dependencyNames.join('')}</ul>`)
}
}
}
+30
View File
@@ -0,0 +1,30 @@
import {Changes} from './schemas'
export function groupDependenciesByManifest(
changes: Changes
): Map<string, Changes> {
const dependencies: Map<string, Changes> = new Map()
for (const change of changes) {
const manifestName = change.manifest
if (dependencies.get(manifestName) === undefined) {
dependencies.set(manifestName, [])
}
dependencies.get(manifestName)?.push(change)
}
return dependencies
}
export function getManifestsSet(changes: Changes): Set<string> {
return new Set(changes.flatMap(c => c.manifest))
}
export function renderUrl(url: string | null, text: string): string {
if (url) {
return `<a href="${url}">${text}</a>`
} else {
return text
}
}