Compare commits

..

204 Commits

Author SHA1 Message Date
Federico Builes f3f3519b2a Merge branch 'main' into move-config-file 2022-06-15 06:43:18 +02:00
Federico Builes 216910dd9a Merge pull request #113 from actions/dependabot/npm_and_yarn/prettier-2.7.0
Bump prettier from 2.6.2 to 2.7.0
2022-06-15 06:42:57 +02:00
dependabot[bot] eb561ba6bd Bump prettier from 2.6.2 to 2.7.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.6.2 to 2.7.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.6.2...2.7.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 03:36:59 +00:00
Federico Builes 3f246861d8 Merge pull request #114 from actions/dependabot/npm_and_yarn/types/node-17.0.43
Bump @types/node from 17.0.42 to 17.0.43
2022-06-15 05:36:17 +02:00
Federico Builes faa63c3cba adding dist 2022-06-15 05:21:16 +02:00
Courtney Claessens dfd519642f Update schemas.ts 2022-06-14 22:37:00 -04:00
Courtney Claessens 871f4064a1 adding doc for protected branches 2022-06-14 22:32:34 -04:00
dependabot[bot] d6f6abdda3 Bump @types/node from 17.0.42 to 17.0.43
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.42 to 17.0.43.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-15 01:44:34 +00:00
Courtney Claessens 54764c9203 Update README.md
adding some clarity to failing on severity; naming formatting, update example for v2
2022-06-14 12:16:03 -04:00
Federico Builes c6587b663d Updating README with instructions for unknown licenses. 2022-06-14 14:11:01 +02:00
Federico Builes 42e2bc1ed2 Handle unknown licenses. 2022-06-14 13:54:27 +02:00
Federico Builes 0b87f02bee Document how we test inputs 2022-06-14 13:00:18 +02:00
Federico Builes 00be2ce1fc Typos. 2022-06-14 12:27:56 +02:00
Federico Builes 2860b57e48 Update README.md 2022-06-14 12:24:27 +02:00
Federico Builes fd6e756c7b Updating readConfig() to be more readable, get rid of typecasts.
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-06-14 11:29:13 +02:00
Federico Builes f83a407eb9 Use the correct name for allowlists. 2022-06-14 09:46:59 +02:00
Federico Builes b0e1f384d7 Linting YAML 2022-06-14 09:05:05 +02:00
Federico Builes c973154c92 Dashes instead of underscores. 2022-06-14 07:50:25 +02:00
Federico Builes 3355ec4be5 adding dist 2022-06-14 07:44:17 +02:00
Federico Builes 76ad37608d Adding more tests for the config file. 2022-06-14 07:42:51 +02:00
Federico Builes 3eff3f5918 let => const 2022-06-14 07:42:13 +02:00
Federico Builes 7278093fa0 Clarify some of the error messages. 2022-06-14 07:41:37 +02:00
Federico Builes b5b49104d4 Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00
Federico Builes e56fe29417 Remove old config file. 2022-06-14 07:38:45 +02:00
Federico Builes cc3101831d Updating dist. 2022-06-14 07:04:33 +02:00
Federico Builes ef97470a0f Don't set the defaults in the test :/ 2022-06-14 07:04:26 +02:00
Federico Builes efecf6fd09 Remove the variables from env so they don't default to empty strings. 2022-06-14 06:49:18 +02:00
Federico Builes 24d7ef3c5d Use an empty config options type. 2022-06-14 06:48:58 +02:00
Federico Builes 01fa67b82e adding dist 2022-06-14 06:26:18 +02:00
Federico Builes 1791775ce6 temp commit 2022-06-14 05:57:43 +02:00
Federico Builes 92f1ecaaea Merge pull request #106 from actions/adding-lists
Adding allow and deny lists
2022-06-14 04:45:37 +02:00
Federico Builes 47d4ff9127 Merge pull request #111 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.28.0
Bump @typescript-eslint/parser from 5.27.1 to 5.28.0
2022-06-14 04:45:19 +02:00
dependabot[bot] 9c5310eee9 Bump @typescript-eslint/parser from 5.27.1 to 5.28.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.27.1 to 5.28.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.28.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-14 02:44:10 +00:00
Federico Builes d616ba30f2 Merge pull request #110 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.28.0
Bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.28.0
2022-06-14 04:43:24 +02:00
dependabot[bot] 7181a20a1f Bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.28.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.27.1 to 5.28.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.28.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-14 01:45:00 +00:00
Federico Builes eebebcdc2a Use real PURLs in tests 2022-06-13 20:19:01 +02:00
Federico Builes 571f236610 Improved wording on license messages. 2022-06-13 20:08:16 +02:00
Federico Builes fe78920139 Document unwanted behavior for a future refactoring. 2022-06-13 20:04:39 +02:00
Federico Builes bd115a9b66 Merge pull request #108 from actions/dependabot/npm_and_yarn/types/node-17.0.42
Bump @types/node from 17.0.40 to 17.0.42
2022-06-13 11:36:18 +02:00
dependabot[bot] 72a5a0f647 Bump @types/node from 17.0.40 to 17.0.42
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.40 to 17.0.42.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-13 01:44:57 +00:00
Federico Builes 21412fec7b fixing dist check 2022-06-09 10:46:00 +02:00
Federico Builes 0777fbe61e Updating dist. 2022-06-09 10:42:56 +02:00
Federico Builes cc22dcd654 Use undefined instead of null when dealing with lists. 2022-06-09 10:42:31 +02:00
Federico Builes 6b5518a9ed Adding more docs to licenses.ts 2022-06-09 10:33:05 +02:00
Federico Builes 20cca5c0c4 The default settings should not use []. 2022-06-08 18:28:10 +02:00
Federico Builes a51db20961 Use null for unspecified values when filtering licenses. 2022-06-08 18:21:28 +02:00
Federico Builes a7d02aef82 adding dist 2022-06-08 17:47:06 +02:00
Federico Builes 4ac3d318ab Refactoring on PR feedback. 2022-06-08 17:45:42 +02:00
Federico Builes 25271922eb Clarify variable names. 2022-06-08 15:53:14 +02:00
Federico Builes 4474253eb8 Merge branch 'main' into adding-lists 2022-06-07 06:23:53 +02:00
Federico Builes 1a7225bc91 Merge pull request #104 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.1
Bump @typescript-eslint/parser from 5.27.0 to 5.27.1
2022-06-07 06:20:33 +02:00
Federico Builes 4ebaca3419 Merge pull request #105 from actions/dependabot/npm_and_yarn/yaml-2.1.1
Bump yaml from 2.1.0 to 2.1.1
2022-06-07 06:20:17 +02:00
Federico Builes a96d28f120 Remove configuration docs until we have a proper release. 2022-06-07 06:19:22 +02:00
dependabot[bot] 29b67f0a05 Bump @typescript-eslint/parser from 5.27.0 to 5.27.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.27.0 to 5.27.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.27.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 04:16:25 +00:00
Federico Builes c187f6f12d Merge pull request #103 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.1
Bump @typescript-eslint/eslint-plugin from 5.27.0 to 5.27.1
2022-06-07 06:15:32 +02:00
dependabot[bot] 3b0a091baa Bump yaml from 2.1.0 to 2.1.1
Bumps [yaml](https://github.com/eemeli/yaml) from 2.1.0 to 2.1.1.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.1.0...v2.1.1)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 01:33:07 +00:00
dependabot[bot] 3456819f12 Bump @typescript-eslint/eslint-plugin from 5.27.0 to 5.27.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.27.0 to 5.27.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.27.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 01:32:39 +00:00
Federico Builes 56e63b1bc5 adding dist 2022-06-06 20:32:46 +02:00
Federico Builes 2ae9a2d51b Add logic for denied licenses. 2022-06-06 20:32:46 +02:00
Federico Builes 1261e18905 Clarify license tests. 2022-06-06 20:32:46 +02:00
Federico Builes dc7b0a2788 Show an error when disallowed dependencies show up. 2022-06-06 20:32:46 +02:00
Federico Builes 06297bf229 Fixing failing tests 2022-06-06 20:32:46 +02:00
Federico Builes bccacf9708 Skeleton for license validation. 2022-06-06 20:32:46 +02:00
Federico Builes 8c646c1c91 Get rid of redundant variables. 2022-06-06 20:32:46 +02:00
Federico Builes 30c4549c8c Merge pull request #91 from actions/adding-config-file
Adding configuration options
2022-06-06 20:32:21 +02:00
Federico Builes 93c8cb2c8a Merge pull request #101 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.5.3
Bump eslint-plugin-jest from 26.4.6 to 26.5.3
2022-06-06 13:43:17 +02:00
Federico Builes d7c6d6203f Merge pull request #100 from actions/dependabot/npm_and_yarn/esbuild-register-3.3.3
Bump esbuild-register from 3.3.2 to 3.3.3
2022-06-06 13:34:38 +02:00
dependabot[bot] 92bcc5a0bf Bump esbuild-register from 3.3.2 to 3.3.3
Bumps esbuild-register from 3.3.2 to 3.3.3.

---
updated-dependencies:
- dependency-name: esbuild-register
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 11:32:09 +00:00
Federico Builes 545050ada5 Merge pull request #99 from actions/dependabot/npm_and_yarn/eslint-8.17.0
Bump eslint from 8.16.0 to 8.17.0
2022-06-06 13:31:00 +02:00
Federico Builes 2b674f0e26 Merge pull request #98 from actions/dependabot/npm_and_yarn/types/node-17.0.40
Bump @types/node from 17.0.38 to 17.0.40
2022-06-06 13:30:45 +02:00
Federico Builes 802525536f Merge pull request #97 from actions/dependabot/npm_and_yarn/typescript-4.7.3
Bump typescript from 4.7.2 to 4.7.3
2022-06-06 13:30:28 +02:00
dependabot[bot] 4eb9ad1d38 Bump eslint-plugin-jest from 26.4.6 to 26.5.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.4.6 to 26.5.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.4.6...v26.5.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 01:49:06 +00:00
dependabot[bot] 12cf02f216 Bump eslint from 8.16.0 to 8.17.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.16.0 to 8.17.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.16.0...v8.17.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 01:48:31 +00:00
dependabot[bot] c7ff505b05 Bump @types/node from 17.0.38 to 17.0.40
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.38 to 17.0.40.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 01:48:14 +00:00
dependabot[bot] 90221b23f7 Bump typescript from 4.7.2 to 4.7.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.7.2 to 4.7.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.7.2...v4.7.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 01:47:20 +00:00
Federico Builes 2f38c7e78c Add severity level to the vulns not found message. 2022-06-01 15:56:16 +02:00
Federico Builes c235374b9d Removing redundant test. 2022-06-01 13:42:22 +02:00
Federico Builes ae2949c9c1 Removing old file. 2022-06-01 13:40:09 +02:00
Federico Builes 3ae540bf96 Updating the README with config instructions. 2022-06-01 13:39:05 +02:00
Federico Builes 1c15a1745e Adding dependency-review.yml. 2022-06-01 13:38:42 +02:00
Federico Builes 19b36f0933 Use a more definitive name for the config file. 2022-06-01 13:28:03 +02:00
Federico Builes 0b9547aabf Adding more expectations for severities. 2022-06-01 13:14:32 +02:00
Federico Builes b327132e4b Remove state from the filtering function. 2022-06-01 13:10:58 +02:00
Federico Builes f9a13e70f4 Fixing circular reference, adding prettier. 2022-06-01 12:09:11 +02:00
Federico Builes db9f724163 Introduce a schema for ConfigurationOptions.
This commit illustrates an approach, but is currently
failing the tests.
2022-06-01 06:36:02 +02:00
Federico Builes 7db11574b7 Make vulnerabilities be [] by default. 2022-06-01 05:36:46 +02:00
Federico Builes 7063d0ca45 Don't modify array in place. 2022-06-01 05:32:50 +02:00
Federico Builes 2dd55385c1 Use let instead of var, fix failing test. 2022-06-01 05:31:33 +02:00
Federico Builes 48729e4e38 Merge pull request #96 from actions/dependabot/npm_and_yarn/types/node-17.0.38
Bump @types/node from 17.0.36 to 17.0.38
2022-06-01 04:48:28 +02:00
dependabot[bot] 230442bc30 Bump @types/node from 17.0.36 to 17.0.38
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.36 to 17.0.38.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-01 01:54:46 +00:00
Federico Builes 4235242818 adding dist files 2022-05-31 17:09:21 +02:00
Federico Builes 731e67eca2 Add filtering by low severity as the default. 2022-05-31 17:08:22 +02:00
Federico Builes b601c09c4e Merge branch 'main' into adding-config-file 2022-05-31 16:59:33 +02:00
Federico Builes 982e1d16cb Whitespace and newlines. 2022-05-31 16:54:59 +02:00
Federico Builes f0a04841ce Adding logic to filter by vulnerability severity. 2022-05-31 16:50:39 +02:00
Federico Builes e622e72c6f Export Change schema. 2022-05-31 06:06:19 +02:00
Federico Builes 92e40d7290 Move printing function out. 2022-05-31 06:03:42 +02:00
Federico Builes 21763d05e0 Merge pull request #94 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.4.6
Bump eslint-plugin-jest from 26.4.5 to 26.4.6
2022-05-31 05:25:05 +02:00
Federico Builes 2c245d1aba Merge pull request #93 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.0
Bump @typescript-eslint/parser from 5.26.0 to 5.27.0
2022-05-31 05:24:37 +02:00
dependabot[bot] d6fb424a28 Bump @typescript-eslint/parser from 5.26.0 to 5.27.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.26.0 to 5.27.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.27.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-31 03:22:15 +00:00
Federico Builes 088fc4d4e8 Merge pull request #92 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.0
Bump @typescript-eslint/eslint-plugin from 5.26.0 to 5.27.0
2022-05-31 05:21:37 +02:00
dependabot[bot] 132427b4bc Bump eslint-plugin-jest from 26.4.5 to 26.4.6
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.4.5 to 26.4.6.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.4.5...v26.4.6)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-31 01:28:59 +00:00
dependabot[bot] 5f0449f13c Bump @typescript-eslint/eslint-plugin from 5.26.0 to 5.27.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.26.0 to 5.27.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.27.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-31 01:28:15 +00:00
Federico Builes 0b73ead548 Merge branch 'main' into adding-config-file 2022-05-30 06:37:29 +02:00
Federico Builes 67a046c994 Merge pull request #89 from actions/dependabot/npm_and_yarn/types/node-17.0.36
Bump @types/node from 17.0.35 to 17.0.36
2022-05-30 06:30:17 +02:00
Federico Builes 64c25ba2f4 Merge pull request #90 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.4.5
Bump eslint-plugin-jest from 26.2.2 to 26.4.5
2022-05-30 06:30:05 +02:00
dependabot[bot] f3682c87a7 Bump eslint-plugin-jest from 26.2.2 to 26.4.5
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.2.2 to 26.4.5.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.2.2...v26.4.5)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-30 01:47:42 +00:00
dependabot[bot] fc7745e42a Bump @types/node from 17.0.35 to 17.0.36
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.35 to 17.0.36.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-30 01:46:36 +00:00
Federico Builes a8dcc6b774 Adding basic config file parsing and some test scaffolding. 2022-05-26 15:54:59 -07:00
Federico Builes d09b96a7b1 Updating YAML deps. 2022-05-26 14:49:02 -07:00
Federico Builes 243561faa0 Merge pull request #87 from actions/dependabot/npm_and_yarn/vercel/ncc-0.34.0
Bump @vercel/ncc from 0.33.4 to 0.34.0
2022-05-26 10:47:33 -07:00
Federico Builes 860cc21fc2 Merge pull request #86 from actions/dependabot/npm_and_yarn/got-12.1.0
Bump got from 12.0.4 to 12.1.0
2022-05-26 10:47:20 -07:00
dependabot[bot] 98f8200aaa Bump @vercel/ncc from 0.33.4 to 0.34.0
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.33.4 to 0.34.0.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.33.4...0.34.0)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-26 03:00:41 +00:00
dependabot[bot] b3375e0be4 Bump got from 12.0.4 to 12.1.0
Bumps [got](https://github.com/sindresorhus/got) from 12.0.4 to 12.1.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.0.4...v12.1.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-26 03:00:11 +00:00
Federico Builes 737f9b3a71 Merge pull request #85 from actions/dependabot/npm_and_yarn/typescript-4.7.2
Bump typescript from 4.6.4 to 4.7.2
2022-05-25 10:57:24 -07:00
dependabot[bot] 91660a5ad1 Bump typescript from 4.6.4 to 4.7.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.6.4 to 4.7.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.6.4...v4.7.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-25 01:46:29 +00:00
Federico Builes 2b78124491 Merge pull request #83 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.26.0
Bump @typescript-eslint/eslint-plugin from 5.25.0 to 5.26.0
2022-05-24 16:21:37 -07:00
Federico Builes 365fad2034 Merge pull request #82 from actions/dependabot/npm_and_yarn/zod-3.17.3
Bump zod from 3.17.2 to 3.17.3
2022-05-24 14:54:41 -07:00
Federico Builes 31314537ae adding dist files 2022-05-24 14:52:45 -07:00
dependabot[bot] c893395cf8 Bump @typescript-eslint/eslint-plugin from 5.25.0 to 5.26.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.25.0 to 5.26.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.26.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-24 02:43:26 +00:00
dependabot[bot] 93e4466112 Bump zod from 3.17.2 to 3.17.3
Bumps [zod](https://github.com/colinhacks/zod) from 3.17.2 to 3.17.3.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.17.2...v3.17.3)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-24 02:42:32 +00:00
Federico Builes a9c83d3af6 Merge pull request #81 from actions/elireisman/fix-default-case
Fix default-case in error handling
2022-05-23 12:30:51 -07:00
Eli Reisman f4b10ab0c4 update dist package 2022-05-23 11:46:07 -07:00
Eli Reisman a4da1f9048 handle unexpected error types opaquely 2022-05-23 11:45:36 -07:00
Eli Reisman 19edfd7243 fix default case in error handling 2022-05-23 11:36:34 -07:00
Federico Builes 0be808458e Merge pull request #80 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.26.0
Bump @typescript-eslint/parser from 5.24.0 to 5.26.0
2022-05-23 11:20:37 -07:00
Federico Builes 77396f2e4f Merge pull request #79 from actions/dependabot/npm_and_yarn/zod-3.17.2
Bump zod from 3.16.0 to 3.17.2
2022-05-23 11:19:59 -07:00
Federico Builes 9bc6bded9e updating dist 2022-05-23 11:18:56 -07:00
dependabot[bot] 3b26a2a544 Bump zod from 3.16.0 to 3.17.2
Bumps [zod](https://github.com/colinhacks/zod) from 3.16.0 to 3.17.2.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.16.0...v3.17.2)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 18:16:20 +00:00
dependabot[bot] 7517e23bfc Bump @typescript-eslint/parser from 5.24.0 to 5.26.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.24.0 to 5.26.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.26.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 18:16:05 +00:00
Federico Builes cdae254423 Merge pull request #78 from actions/dependabot/npm_and_yarn/eslint-8.16.0
Bump eslint from 8.15.0 to 8.16.0
2022-05-23 11:14:59 -07:00
Federico Builes a257e84a2f Merge pull request #77 from actions/dependabot/npm_and_yarn/types/node-17.0.35
Bump @types/node from 17.0.33 to 17.0.35
2022-05-23 11:14:38 -07:00
dependabot[bot] e0be07f423 Bump eslint from 8.15.0 to 8.16.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.15.0 to 8.16.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.15.0...v8.16.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 18:04:04 +00:00
dependabot[bot] 4b83e15691 Bump @types/node from 17.0.33 to 17.0.35
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.33 to 17.0.35.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-23 18:03:59 +00:00
Federico Builes e4396493ba Merge pull request #73 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.25.0
Bump @typescript-eslint/eslint-plugin from 5.24.0 to 5.25.0
2022-05-23 11:03:13 -07:00
dependabot[bot] 8ba008fb62 Bump @typescript-eslint/eslint-plugin from 5.24.0 to 5.25.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.24.0 to 5.25.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.25.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-18 01:30:23 +00:00
Federico Builes 5ce46b3424 Merge pull request #65 from actions/update-readme
Update README to include GHAS instructions
2022-05-16 14:20:09 -07:00
Federico Builes 9680f24ea3 Merge pull request #71 from actions/dependabot/npm_and_yarn/actions/github-5.0.3
Bump @actions/github from 5.0.1 to 5.0.3
2022-05-16 14:19:29 -07:00
Federico Builes 9cdb91e238 updating dist files 2022-05-16 14:17:47 -07:00
dependabot[bot] 92e8876693 Bump @actions/github from 5.0.1 to 5.0.3
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.0.1 to 5.0.3.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 21:15:27 +00:00
Federico Builes c91da44591 Merge pull request #67 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.2.2
Bump eslint-plugin-jest from 26.1.5 to 26.2.2
2022-05-16 14:13:20 -07:00
Federico Builes b988161c8f Merge pull request #70 from actions/updating-deps
Updating NPM Dependencies
2022-05-16 14:09:47 -07:00
Federico Builes a086ec5a2d updating dependencies 2022-05-16 14:06:20 -07:00
dependabot[bot] b40a0040b5 Bump eslint-plugin-jest from 26.1.5 to 26.2.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.1.5 to 26.2.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.1.5...v26.2.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 21:05:19 +00:00
Federico Builes dcc694e92a Merge pull request #61 from actions/dependabot/npm_and_yarn/zod-3.16.0
Bump zod from 3.15.1 to 3.16.0
2022-05-16 14:04:47 -07:00
dependabot[bot] dfafa144e7 Bump zod from 3.15.1 to 3.16.0
Bumps [zod](https://github.com/colinhacks/zod) from 3.15.1 to 3.16.0.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.15.1...v3.16.0)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 21:03:27 +00:00
Federico Builes 7a2877d9c8 updating the dist folder 2022-05-16 14:02:08 -07:00
Federico Builes 265d6e12a9 updating README 2022-05-13 08:11:58 +02:00
Eli Reisman 39e692fa32 Merge pull request #60 from actions/elireisman/handle-403
Enable differentiated error messages for DR eligibility
2022-05-12 11:13:53 -07:00
Federico Builes 0e2b63f1f4 Cleaning up errors. 2022-05-12 18:07:14 +02:00
Federico Builes 0e9a322413 Move config into its own file. 2022-05-12 18:05:14 +02:00
Federico Builes fdcc204dbb Adding a YAML parser. 2022-05-12 18:04:51 +02:00
Federico Builes 871c00fde8 adding dist files 2022-05-12 11:44:25 +02:00
Federico Builes 52795b8e93 Print config files. 2022-05-12 11:43:08 +02:00
Federico Builes 744ab92b2c Merge pull request #62 from actions/update-hacking
Update CONTRIBUTING.md
2022-05-12 10:26:10 +02:00
Federico Builes 0b8c1ff0d6 Update CONTRIBUTING.md 2022-05-12 10:25:45 +02:00
Eli Reisman 7dcdeab949 update dist 2022-05-11 20:03:29 +00:00
Eli Reisman cabd238caa enable differentiated error messages for DR eligibility when API returns 403 2022-05-11 19:53:29 +00:00
Federico Builes 2fee08ee9a Merge pull request #55 from actions/dependabot/npm_and_yarn/eslint-8.15.0
Bump eslint from 8.14.0 to 8.15.0
2022-05-09 15:42:54 +02:00
Federico Builes 9571135e29 updating dist folder 2022-05-09 15:41:42 +02:00
dependabot[bot] 85d9dc08d0 Bump eslint from 8.14.0 to 8.15.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.14.0 to 8.15.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.14.0...v8.15.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-09 13:40:42 +00:00
Federico Builes 005e168d77 Merge pull request #54 from actions/updating-deps
Updating JS Dependencies in a single PR
2022-05-09 15:39:26 +02:00
Federico Builes 9c59c3e487 Updating dependencies.
Closes #49
Closes #50
Closes #51
Closes #52
Closes #53
2022-05-09 15:36:27 +02:00
Federico Builes e4574efd2a update deps 2022-05-05 17:25:18 +02:00
Federico Builes e343d06cbe Merge pull request #48 from actions/dependabot/npm_and_yarn/typescript-4.6.4
Bump typescript from 4.6.3 to 4.6.4
2022-05-05 17:24:06 +02:00
Federico Builes 3a4a231669 Merge pull request #47 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.22.0
Bump @typescript-eslint/eslint-plugin from 5.18.0 to 5.22.0
2022-05-05 17:23:59 +02:00
dependabot[bot] 3b3aee2807 Bump typescript from 4.6.3 to 4.6.4
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.6.3 to 4.6.4.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.6.3...v4.6.4)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 15:23:59 +00:00
Federico Builes 7e68ff5413 Merge pull request #15 from actions/dependabot/npm_and_yarn/actions/github-5.0.1
Bump @actions/github from 5.0.0 to 5.0.1
2022-05-05 17:23:43 +02:00
Federico Builes f3e7f2e17c Merge pull request #39 from actions/dependabot/npm_and_yarn/eslint-8.14.0
Bump eslint from 8.12.0 to 8.14.0
2022-05-05 17:23:08 +02:00
dependabot[bot] 5aadf9df79 Bump @actions/github from 5.0.0 to 5.0.1
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 15:21:20 +00:00
dependabot[bot] 2912ad058b Bump eslint from 8.12.0 to 8.14.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.12.0 to 8.14.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.12.0...v8.14.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 15:21:10 +00:00
dependabot[bot] 41113f0103 Bump @typescript-eslint/eslint-plugin from 5.18.0 to 5.22.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.18.0 to 5.22.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.22.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 15:20:48 +00:00
Federico Builes 457441cf81 Merge pull request #45 from actions/dependabot/npm_and_yarn/actions/core-1.7.0
Bump @actions/core from 1.6.0 to 1.7.0
2022-05-05 17:20:37 +02:00
Federico Builes 53e123e9bc Merge pull request #46 from actions/dependabot/npm_and_yarn/nodemon-2.0.16
Bump nodemon from 2.0.15 to 2.0.16
2022-05-05 17:19:57 +02:00
Federico Builes 51033d1351 package release 2022-05-05 16:57:05 +02:00
dependabot[bot] 727184648e Bump @actions/core from 1.6.0 to 1.7.0
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 14:52:31 +00:00
dependabot[bot] 51f78cb35f Bump nodemon from 2.0.15 to 2.0.16
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.15 to 2.0.16.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.15...v2.0.16)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 12:37:24 +00:00
Federico Builes 2ac4ee7782 Merge pull request #40 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.1.5
Bump eslint-plugin-jest from 26.1.3 to 26.1.5
2022-05-05 14:36:22 +02:00
Federico Builes 731c8509d5 Merge pull request #29 from actions/dependabot/npm_and_yarn/vercel/ncc-0.33.4
Bump @vercel/ncc from 0.33.3 to 0.33.4
2022-05-05 14:31:16 +02:00
Federico Builes 58c9c8dc08 add sourcemap 2022-05-05 14:30:11 +02:00
dependabot[bot] 38015e8ba9 Bump @vercel/ncc from 0.33.3 to 0.33.4
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.33.3 to 0.33.4.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.33.3...0.33.4)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 12:28:30 +00:00
Federico Builes 55aad1c2ed Merge pull request #26 from actions/dependabot/github_actions/actions/upload-artifact-3
Bump actions/upload-artifact from 2 to 3
2022-05-05 14:27:27 +02:00
dependabot[bot] 132849cc93 Bump eslint-plugin-jest from 26.1.3 to 26.1.5
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.1.3 to 26.1.5.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.1.3...v26.1.5)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-25 02:49:57 +00:00
dependabot[bot] 52530a057c Bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 01:39:43 +00:00
Lane Seppala f7d534938a Merge pull request #20 from courtneycl/main
Update content
2022-04-06 14:11:01 -06:00
Courtney Claessens 27e65b9589 Update action.yml 2022-04-06 16:03:35 -04:00
Courtney Claessens 1d0829d84c Update README.md 2022-04-06 16:00:03 -04:00
Federico Builes e0e026c756 Merge pull request #18 from actions/update-codeowners
Updating CODEOWNERS.
2022-04-06 19:05:12 +02:00
Federico Builes 0e686847c0 Merge pull request #17 from actions/sarahkemi/update-readme
Update README copy
2022-04-06 10:13:48 +02:00
Sarah Aladetan 43afa84d78 update readme copy 2022-04-05 11:44:34 -07:00
Lane Seppala ac46ae2e5b Merge pull request #16 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.18.0
Bump @typescript-eslint/eslint-plugin from 5.17.0 to 5.18.0
2022-04-04 17:02:50 -06:00
dependabot[bot] ad9ad2d36d Bump @typescript-eslint/eslint-plugin from 5.17.0 to 5.18.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.18.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 22:59:44 +00:00
Lane Seppala be26556282 Merge pull request #13 from actions/dependabot/npm_and_yarn/prettier-2.6.2
Bump prettier from 2.6.1 to 2.6.2
2022-04-04 16:58:53 -06:00
Lane Seppala c083fa1499 Merge pull request #12 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.18.0
Bump @typescript-eslint/parser from 5.14.0 to 5.18.0
2022-04-04 16:58:37 -06:00
dependabot[bot] 157075c780 Bump @typescript-eslint/parser from 5.14.0 to 5.18.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.14.0 to 5.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.18.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 22:40:17 +00:00
dependabot[bot] 6ddfe40705 Bump prettier from 2.6.1 to 2.6.2
Bumps [prettier](https://github.com/prettier/prettier) from 2.6.1 to 2.6.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.6.1...2.6.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 22:40:15 +00:00
Lane Seppala ecf7f31121 Merge pull request #11 from actions/dependabot/npm_and_yarn/got-12.0.3
Bump got from 12.0.1 to 12.0.3
2022-04-04 16:39:27 -06:00
Lane Seppala 79799f95b1 Merge pull request #9 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.17.0
Bump @typescript-eslint/eslint-plugin from 5.14.0 to 5.17.0
2022-04-04 16:38:22 -06:00
Lane Seppala 20749a73f2 Merge pull request #8 from actions/dependabot/npm_and_yarn/ts-jest-27.1.4
Bump ts-jest from 27.1.3 to 27.1.4
2022-04-04 16:38:15 -06:00
Lane Seppala 047972e563 Merge pull request #7 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-26.1.3
Bump eslint-plugin-jest from 26.1.1 to 26.1.3
2022-04-04 16:38:05 -06:00
dependabot[bot] 1fcd0f0cda Bump got from 12.0.1 to 12.0.3
Bumps [got](https://github.com/sindresorhus/got) from 12.0.1 to 12.0.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.0.1...v12.0.3)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 01:33:11 +00:00
dependabot[bot] 11ad653c6c Bump @typescript-eslint/eslint-plugin from 5.14.0 to 5.17.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.14.0 to 5.17.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.17.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 01:32:54 +00:00
dependabot[bot] a7b1112790 Bump ts-jest from 27.1.3 to 27.1.4
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 27.1.3 to 27.1.4.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v27.1.3...v27.1.4)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 01:32:35 +00:00
dependabot[bot] b72e171434 Bump eslint-plugin-jest from 26.1.1 to 26.1.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 26.1.1 to 26.1.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v26.1.1...v26.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-01 01:32:28 +00:00
22 changed files with 3811 additions and 3348 deletions
+1 -1
View File
@@ -46,7 +46,7 @@ jobs:
id: diff
# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
+13
View File
@@ -0,0 +1,13 @@
{
"version": "0.1.0",
"configurations": [
{
"name": "Debug Jest Tests",
"type": "node",
"request": "launch",
"runtimeArgs": ["--inspect-brk", "${workspaceRoot}/node_modules/.bin/jest", "--runInBand", "--coverage", "false"],
"console": "integratedTerminal",
"internalConsoleOptions": "neverOpen"
}
]
}
+5 -1
View File
@@ -40,7 +40,11 @@ npm run test
## Local Development
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding!
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
The syntax of the script is:
```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
+96 -5
View File
@@ -1,8 +1,8 @@
# dependency-review-action
This Action scans your pull requests for vulnerabilities introduced
when adding or updating your project's dependencies. A check in your
Pull Requests will let notify you of the results.
This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
@@ -25,9 +25,100 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
uses: actions/dependency-review-action@v2
```
Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
## Configuration
You can pass additional options to the Dependency Review
Action using your workflow file. Here's an example workflow with
all the possible configurations:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
By default the action will fail on any pull request that contains a
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
action defaults to `low`.
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
```
**Important**
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Getting help
If you have bug reports, questions or suggestions please [create a new
@@ -35,7 +126,7 @@ issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
We are grateful for any contributions made to this project.
We are grateful for any contributions made to this project.
Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
+53
View File
@@ -0,0 +1,53 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
function setInput(input: string, value: string) {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
function clearInputs() {
delete process.env['INPUT_FAIL-ON-SEVERITY']
delete process.env['INPUT_ALLOW-LICENSES']
delete process.env['INPUT_DENY-LICENSES']
}
beforeEach(() => {
clearInputs()
})
test('it defaults to low severity', async () => {
const options = readConfig()
expect(options.fail_on_severity).toEqual('low')
})
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to empty allow/deny lists ', async () => {
const options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
})
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
expect(() => readConfig()).toThrow()
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
expect(() => readConfig()).toThrow()
})
+59
View File
@@ -0,0 +1,59 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {filterChangesBySeverity} from '../src/filter'
let npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerouns',
advisory_url: 'github.com/future-funk'
}
]
}
let rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerouns',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
expect(result).toEqual([npmChange])
result = filterChangesBySeverity('low', changes)
expect(changes).toEqual([npmChange, rubyChange])
result = filterChangesBySeverity('critical', changes)
expect(changes).toEqual([npmChange, rubyChange])
})
@@ -0,0 +1,4 @@
fail_on_severity: critical
allow_licenses:
- "BSD"
- "GPL 2"
@@ -0,0 +1,2 @@
allow_licenses: []
deny_licenses: []
@@ -0,0 +1 @@
fail_on_severity: critical
+70
View File
@@ -0,0 +1,70 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
let npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerouns',
advisory_url: 'github.com/future-funk'
}
]
}
let rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerouns',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
test('it fails if a license outside the allow list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges[0]).toBe(npmChange)
})
test('it fails if a license inside the deny list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges[0]).toBe(rubyChange)
})
// This is more of a "here's a behavior that might be surprising" than an actual
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = getDeniedLicenseChanges(changes, {
allow: [],
deny: ['BSD']
})
expect(invalidChanges.length).toBe(2)
})
-5
View File
@@ -1,5 +0,0 @@
import {expect, test} from '@jest/globals'
test('tests things', async () => {
expect(true).toEqual(true)
})
+12 -2
View File
@@ -1,11 +1,21 @@
name: 'Dependency Review'
description: 'GitHub Action for Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
inputs:
repo-token:
description: 'Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.'
description: Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.
required: false
default: ${{ github.token }}
fail-on-severity:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+2848 -2823
View File
File diff suppressed because it is too large Load Diff
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+413 -475
View File
File diff suppressed because it is too large Load Diff
+18 -17
View File
@@ -25,29 +25,30 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.6.0",
"@actions/github": "^5.0.0",
"@actions/core": "^1.8.2",
"@actions/github": "^5.0.3",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.1.0",
"got": "^12.0.1",
"nodemon": "^2.0.15",
"zod": "^3.13.4"
"got": "^12.1.0",
"nodemon": "^2.0.16",
"yaml": "^2.1.1",
"zod": "^3.17.3"
},
"devDependencies": {
"@types/node": "^17.0.23",
"@typescript-eslint/eslint-plugin": "^5.14.0",
"@typescript-eslint/parser": "^5.14.0",
"@vercel/ncc": "^0.33.3",
"esbuild-register": "^3.3.2",
"eslint": "^8.12.0",
"@types/node": "^17.0.43",
"@typescript-eslint/eslint-plugin": "^5.28.0",
"@typescript-eslint/parser": "^5.28.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.17.0",
"eslint-plugin-github": "^4.3.6",
"eslint-plugin-jest": "^26.1.1",
"eslint-plugin-jest": "^26.5.3",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.15",
"prettier": "2.6.1",
"ts-jest": "^27.1.3",
"typescript": "^4.6.3"
"nodemon": "^2.0.16",
"prettier": "2.7.0",
"ts-jest": "^27.1.4",
"typescript": "^4.7.3"
}
}
}
+27
View File
@@ -0,0 +1,27 @@
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES} from './schemas'
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
return value.length > 0 ? value : undefined
}
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
return {
fail_on_severity,
allow_licenses: allow_licenses?.split(',').map(x => x.trim()),
deny_licenses: deny_licenses?.split(',').map(x => x.trim())
}
}
+36
View File
@@ -0,0 +1,36 @@
import {Changes} from './schemas'
import {Severity, SEVERITIES} from './schemas'
export function filterChangesBySeverity(
severity: Severity,
changes: Changes
): Changes {
const severityIdx = SEVERITIES.indexOf(severity)
let filteredChanges = []
for (let change of changes) {
if (
change === undefined ||
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
) {
continue
}
let fChange = {
...change,
vulnerabilities: change.vulnerabilities.filter(vuln => {
const vulnIdx = SEVERITIES.indexOf(vuln.severity)
if (vulnIdx <= severityIdx) {
return true
}
})
}
filteredChanges.push(fChange)
}
// don't want to deal with changes with no vulnerabilities
filteredChanges = filteredChanges.filter(
change => change.vulnerabilities.length > 0
)
return filteredChanges
}
+46
View File
@@ -0,0 +1,46 @@
import {Change, ChangeSchema} from './schemas'
/**
* Loops through a list of changes, filtering and returning the
* ones that don't conform to the licenses allow/deny lists.
*
* Keep in mind that we don't let users specify both an allow and a deny
* list in their config files, so this code works under the assumption that
* one of the two list parameters will be empty. If both lists are provided,
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
export function getDeniedLicenseChanges(
changes: Array<Change>,
licenses: {
allow?: Array<string>
deny?: Array<string>
}
): [Array<Change>, Array<Change>] {
let {allow, deny} = licenses
let disallowed: Change[] = []
let unknown: Change[] = []
for (const change of changes) {
let license = change.license
// TODO: be loud about unknown licenses
if (license === null) {
unknown.push(change)
continue
}
if (allow !== undefined) {
if (!allow.includes(license)) {
disallowed.push(change)
}
} else if (deny !== undefined) {
if (deny.includes(license)) {
disallowed.push(change)
}
}
}
return [disallowed, unknown]
}
+86 -16
View File
@@ -3,7 +3,10 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {PullRequestSchema} from './schemas'
import {Change, PullRequestSchema, Severity} from './schemas'
import {readConfig} from '../src/config'
import {filterChangesBySeverity} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
async function run(): Promise<void> {
try {
@@ -24,44 +27,81 @@ async function run(): Promise<void> {
headRef: pull_request.head.sha
})
let config = readConfig()
let minSeverity = config.fail_on_severity
let failed = false
for (const change of changes) {
let licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
let filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
)
for (const change of filteredChanges) {
if (
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
) {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
change.version
}${styles.bold.close} ${vuln.advisory_summary} ${renderSeverity(
vuln.severity
)}`
)
core.info(`${vuln.advisory_url}`)
}
printChangeVulnerabilities(change)
failed = true
}
}
let [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
licenses
)
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors, licenses)
printNullLicenses(unknownLicenses)
core.setFailed('Dependency review detected incompatible licenses.')
}
if (failed) {
throw new Error('Dependency review detected vulnerable packages.')
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info('Dependency review did not detect any vulnerable packages.')
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else if (error instanceof Error) {
core.setFailed(error.message)
} else {
if (error instanceof Error) {
core.setFailed(error.message)
} else {
core.setFailed('Unexpected fatal error')
}
}
}
}
function printChangeVulnerabilities(change: Change) {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
change.version
}${styles.bold.close} ${vuln.advisory_summary} ${renderSeverity(
vuln.severity
)}`
)
core.info(`${vuln.advisory_url}`)
}
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
@@ -76,4 +116,34 @@ function renderSeverity(
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function printLicensesError(
changes: Array<Change>,
licenses: {
allow?: Array<string>
deny?: Array<string>
}
): void {
if (changes.length == 0) {
return
}
let {allow = [], deny = []} = licenses
core.info('\nThe following dependencies have incompatible licenses:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
)
}
}
function printNullLicenses(changes: Array<Change>): void {
core.info('\nWe could not detect a license for the following dependencies:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
)
}
}
run()
+19 -1
View File
@@ -1,6 +1,8 @@
import * as z from 'zod'
const ChangeSchema = z.object({
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
ecosystem: z.string(),
@@ -19,6 +21,7 @@ const ChangeSchema = z.object({
})
)
.optional()
.default([])
})
export const PullRequestSchema = z.object({
@@ -27,6 +30,21 @@ export const PullRequestSchema = z.object({
head: z.object({sha: z.string()})
})
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(SEVERITIES).default('low'),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([])
})
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
"Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other."
)
export const ChangesSchema = z.array(ChangeSchema)
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = typeof SEVERITIES[number]