Compare commits

..

336 Commits

Author SHA1 Message Date
Justin Hutchings 9a82545adb Remove Ruby from devcontainer 2024-03-21 11:28:18 -07:00
Federico Builes 0fa40c3c10 bumping to 4.2.3. 2024-03-20 17:57:26 +01:00
Federico Builes 1f6240f54c Merge pull request #707 from laughedelic/feat/data-outputs
Add outputs for the changes data
2024-03-20 17:47:40 +01:00
Federico Builes b751d41e7e Merge pull request #702 from actions/dependabot/npm_and_yarn/nodemon-3.1.0
Bump nodemon from 3.0.3 to 3.1.0
2024-03-20 06:48:20 +01:00
Federico Builes 6183eb9d2b Merge pull request #703 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.9.0
Bump eslint-plugin-jest from 27.6.3 to 27.9.0
2024-03-20 06:48:14 +01:00
laughedelic 6585cc5f01 fix run syntax 2024-03-19 21:23:25 +01:00
laughedelic 218a76cbd5 add clarification about output usage hygiene 2024-03-19 21:22:12 +01:00
laughedelic d78d095945 revert changes in CI 2024-03-19 19:48:45 +01:00
Federico Builes 36297aa214 Merge pull request #716 from actions/dependabot/npm_and_yarn/types/node-20.11.28
Bump @types/node from 20.11.19 to 20.11.28
2024-03-18 05:01:38 +01:00
dependabot[bot] 1e69a8c24a Bump @types/node from 20.11.19 to 20.11.28
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.19 to 20.11.28.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-18 02:01:11 +00:00
Jon Janego 2f10643938 Merge pull request #715 from actions/jonjanego-patch-2
Update README.md
2024-03-15 11:24:37 -05:00
Jon Janego 1eb83b5560 Update README.md
minor text clarifications to keep consistent with wording in (the docs)[https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review]
2024-03-15 11:22:32 -05:00
laughedelic 47b7acc8e3 update dist 2024-03-15 03:22:15 +01:00
laughedelic 16bfb3360c Merge branch 'main' into feat/data-outputs 2024-03-15 03:21:07 +01:00
Alexey Alekhin bc6a1f0dd4 avoid using if: always() 2024-03-15 03:01:16 +01:00
Alexey Alekhin e38e634e54 Apply suggestions for docs
Co-authored-by: Federico Builes <febuiles@github.com>
2024-03-15 02:32:15 +01:00
Jon Janego 5574be321f Merge pull request #712 from actions/jonjanego-patch-1
Update stale.yaml and CONTRIBUTING.md
2024-03-14 15:23:18 -05:00
Jon Janego aef51371b7 Update CONTRIBUTING.md
explaining stalebot
2024-03-14 14:44:38 -05:00
Jon Janego 3b70c9966e Update stale.yaml
fixing some comments, adding a keep label for issues, explicitly defining labeling behavior for issues
2024-03-14 14:43:08 -05:00
Federico Builes adaed32746 Merge pull request #709 from jhutchings1/scorecard
Add support for calculating OpenSSF Scorecards
2024-03-14 06:30:21 +01:00
Justin Hutchings 4ce120135b Fix OpenSSF Scorecard display issue 2024-03-13 16:23:23 +00:00
Justin Hutchings 0e8bc32a54 Fix prettier linting 2024-03-12 22:06:54 +00:00
Justin Hutchings f875e6ec1d Simplify truthiness check 2024-03-12 21:49:01 +00:00
Justin Hutchings 72666694f0 Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00
Justin Hutchings 7dc5f537be Add scorecard to summary and count scorecard warnings 2024-03-12 20:47:25 +00:00
Justin Hutchings ac600387ca Add tests 2024-03-12 17:55:10 +00:00
Justin Hutchings d186d663df Automatically collapse the scorecard table 2024-03-11 22:23:03 +00:00
Justin Hutchings b7fdb4c8e2 Remove unused import 2024-03-11 22:19:09 +00:00
Justin Hutchings ba6b805e18 Remove dead code, complete printScorecardBlock 2024-03-11 22:17:28 +00:00
Justin Hutchings 70801db78f Revert line number implementation 2024-03-11 22:05:19 +00:00
Justin Hutchings 5bc19761c5 Add debugging 2024-03-08 03:00:15 +00:00
Justin Hutchings 5ba0d0fe17 Add debugging 2024-03-08 02:53:41 +00:00
Justin Hutchings 6a74ebd41e Fix column number implementation 2024-03-08 02:49:15 +00:00
Justin Hutchings 250250e73d Refactor schema, add line numbers to warnings 2024-03-08 02:31:11 +00:00
Justin Hutchings cb0a0415fb Update dist 2024-03-08 01:30:46 +00:00
Justin Hutchings 296bf3ab1b Add docs, implement warning behavior 2024-03-08 01:29:53 +00:00
Justin Hutchings 59d4782b76 Add links to summary 2024-03-06 20:14:19 +00:00
Justin Hutchings e878bf8824 Fix bug with protocol prefixes 2024-03-06 20:06:26 +00:00
Justin Hutchings 1b21f392ca Fix scorecard bug 2024-03-06 19:44:54 +00:00
Justin Hutchings 111227a118 Refactor scorecard API implementation 2024-03-06 14:43:49 +00:00
Justin Hutchings a1258f2a2e Fix icon issues 2024-03-04 20:07:08 +00:00
Justin Hutchings 29b9ef447a Fix icons and undefined/null checks 2024-03-04 20:03:39 +00:00
Justin Hutchings b5a1aee21a Add debugging 2024-03-04 19:45:36 +00:00
Justin Hutchings b3d2872ac7 Update dist 2024-03-04 19:39:13 +00:00
Justin Hutchings 5bace73db3 Fix undefined/null checks 2024-03-04 19:38:52 +00:00
Justin Hutchings f8ebb4b946 Add formatting around warning for low scorecard levels 2024-03-04 19:34:29 +00:00
laughedelic 84b80e6e84 add checks for the outputs 2024-03-04 19:53:14 +01:00
Justin Hutchings 1251834b92 Add dependencies without scorecards to scorecards table 2024-03-04 18:51:52 +00:00
Justin Hutchings 94125c4b1e Fix formatting issues 2024-03-04 18:38:53 +00:00
Justin Hutchings 9843156266 Improve summary formatting 2024-03-04 18:28:43 +00:00
Justin Hutchings 2fcc6a1c72 Fix config implementation 2024-03-04 18:17:53 +00:00
Justin Hutchings ea64ae9d4d Fix config mapping issue 2024-03-04 18:11:46 +00:00
Justin Hutchings 5955069e69 Add debugging 2024-03-04 18:04:06 +00:00
laughedelic 05fcfa49e0 add a note about outputs size limit 2024-03-04 18:58:48 +01:00
laughedelic 75be7f0c0c clarify docs, add a usage example 2024-03-04 18:53:03 +01:00
Justin Hutchings 7d2e20d06d Stub out summary implementation for scorecards 2024-03-04 17:52:17 +00:00
Jon Janego 97f7ba06d0 Update CONTRIBUTING.md
some more examples of good contribution standards
2024-03-04 10:31:16 -06:00
Justin Hutchings 2bc3ecb19b Fix type issues 2024-03-03 06:50:11 +00:00
Justin Hutchings c286ea91b0 Add nullish to types 2024-03-03 06:08:47 +00:00
Justin Hutchings 6bcbf042ff Fix OpenSSF Scorecard Score retrieval 2024-03-03 05:59:37 +00:00
Justin Hutchings 43286afc54 Add debugging 2024-03-03 05:48:33 +00:00
Justin Hutchings 764e39e792 Attempt to fix type issues 2024-03-03 05:43:20 +00:00
Justin Hutchings bf2683a10c Fixing url error 2024-03-03 05:30:49 +00:00
Justin Hutchings f1b66d10c9 Remove dependency on PackageURL 2024-03-03 05:26:55 +00:00
Justin Hutchings ffd129c285 Refactor types, add printing 2024-03-03 05:24:07 +00:00
Justin Hutchings 72d5b06a68 Add more error handling 2024-03-03 01:34:03 +00:00
Justin Hutchings b2ddac1749 Remove custom type to go around errors 2024-03-03 01:27:54 +00:00
Justin Hutchings f357c751be fix extra slash 2024-03-03 01:21:27 +00:00
Justin Hutchings e16e218fdc Encode URI component to fix 404 2024-03-03 01:15:16 +00:00
Justin Hutchings f87cc241f7 Fixing bugs 2024-03-03 01:10:08 +00:00
Justin Hutchings d641d3a261 Fix bugs in scorecard 2024-03-03 01:05:36 +00:00
Justin Hutchings 4230610a70 Add exception handling 2024-03-03 00:46:24 +00:00
Justin Hutchings af5438b06f Add debugging 2024-03-03 00:31:13 +00:00
Justin Hutchings 781bff117a Fix prettier issues, and JSON error in main 2024-03-03 00:25:40 +00:00
Justin Hutchings 7a8ce509c9 Update dist 2024-03-03 00:17:26 +00:00
Justin Hutchings f419e37c19 Fix build breaks 2024-03-03 00:15:42 +00:00
Justin Hutchings 3d70a3cf05 Draft integration with deps.dev 2024-03-02 22:37:50 +00:00
laughedelic e7aef164a1 chore: build and package 2024-03-02 05:10:30 +01:00
laughedelic ab8c3848de docs: update readme 2024-03-02 05:09:49 +01:00
laughedelic eecc9aab88 feat: add action outputs for different types of changes 2024-03-02 04:55:58 +01:00
dependabot[bot] 7f632dbe1f Bump eslint-plugin-jest from 27.6.3 to 27.9.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.6.3 to 27.9.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.6.3...v27.9.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 01:35:46 +00:00
dependabot[bot] ba18fafa8d Bump nodemon from 3.0.3 to 3.1.0
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.3...v3.1.0)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 01:35:37 +00:00
Federico Builes 40eb2b8b00 Merge pull request #698 from jsoref/set-comment-as-output
Set comment as output
2024-02-21 12:36:50 +01:00
Josh Soref db6a5119ce Set comment as output
Move the logic from the caller as a negation instead of trying to
negate it by hand.
2024-02-20 14:19:19 -05:00
Federico Builes 9129d7d40b don't set output on every run 2024-02-20 18:47:36 +01:00
Jon Janego a1be843151 Update stale.yaml
Adding stale checks to issues
2024-02-20 10:25:09 -06:00
Federico Builes 587ff57efd Don't use if: always() in examples. 2024-02-19 18:11:35 +01:00
Federico Builes be8bc500ee Merge branch 'output-comment' 2024-02-19 17:26:04 +01:00
Federico Builes cb180bf383 Merge pull request #696 from actions/output-comment
Expose dependency comment content
2024-02-19 17:23:55 +01:00
Federico Builes b2ea187fd2 bumping action version 2024-02-19 17:21:55 +01:00
Federico Builes c94f57ba90 Add a new image for the example report. 2024-02-19 17:18:02 +01:00
Federico Builes 124fafe31e Merge branch 'issue-250' into output-comment 2024-02-19 17:12:19 +01:00
Federico Builes 26174d80a2 Merge branch 'issue-250' of https://github.com/jsoref/dependency-review-action into issue-250 2024-02-19 17:12:08 +01:00
Federico Builes a87338ac8a Update example workflow. 2024-02-19 17:10:11 +01:00
Josh Soref 64f81cd2da Expose dependency comment content 2024-02-19 11:07:56 -05:00
Josh Soref 0ca1f606a4 Report action input names 2024-02-19 11:07:42 -05:00
Josh Soref d416fb5267 Add minimal alt text to README 2024-02-19 11:07:19 -05:00
Josh Soref 81bba5eb54 Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 11:07:07 -05:00
Josh Soref f9daaa3561 Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 11:06:54 -05:00
Josh Soref 60c44a0894 Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 11:06:54 -05:00
Federico Builes 7911825c25 Point directly to DR API. 2024-02-19 16:38:15 +01:00
Federico Builes ad040f4b88 adding dist/ 2024-02-19 16:22:53 +01:00
Josh Soref 2876926e7f Expose dependency comment content 2024-02-19 10:09:03 -05:00
Josh Soref 47a0fcbcd4 Report action input names 2024-02-19 10:06:32 -05:00
Josh Soref da507e61ac Add minimal alt text to README 2024-02-19 10:06:32 -05:00
Josh Soref 0034949d8d Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 10:06:32 -05:00
Josh Soref f1706f5a9d Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 09:49:21 -05:00
Josh Soref a569f6fc5c Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 09:49:21 -05:00
Federico Builes fd07d42ce8 bumping to 4.1.1 2024-02-19 10:03:58 +01:00
Federico Builes 77290ae4a1 bump transitive dep on undici 2024-02-19 10:03:58 +01:00
Federico Builes 9411082069 Merge pull request #693 from actions/dependabot/npm_and_yarn/types/node-20.11.19
Bump @types/node from 20.11.17 to 20.11.19
2024-02-19 08:54:35 +01:00
dependabot[bot] 73d8c1b981 Bump @types/node from 20.11.17 to 20.11.19
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.17 to 20.11.19.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 01:24:57 +00:00
Federico Builes 80f10bf419 Bump to 4.1.0. 2024-02-14 08:13:14 +01:00
Federico Builes 17728c80ab Merge pull request #689 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.21.0
Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
2024-02-12 06:31:08 +01:00
dependabot[bot] 0ac4f80276 Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 05:29:22 +00:00
Federico Builes 1ebcf1475c Merge pull request #690 from actions/dependabot/npm_and_yarn/types/node-20.11.17
Bump @types/node from 20.11.10 to 20.11.17
2024-02-12 06:28:34 +01:00
Federico Builes 5777ce6aec Merge pull request #688 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.21.0
Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
2024-02-12 06:28:19 +01:00
Federico Builes 37dd5f9e8a Merge pull request #687 from actions/dependabot/npm_and_yarn/ts-jest-29.1.2
Bump ts-jest from 29.1.1 to 29.1.2
2024-02-12 06:28:12 +01:00
dependabot[bot] 6c2af06a9d Bump @types/node from 20.11.10 to 20.11.17
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.10 to 20.11.17.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:23 +00:00
dependabot[bot] 58d70bd41a Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:01 +00:00
dependabot[bot] 972c2b36d8 Bump ts-jest from 29.1.1 to 29.1.2
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 29.1.1 to 29.1.2.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.1.1...v29.1.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:13:48 +00:00
Justin Holguín 60f93ef4a0 Merge pull request #432 from tgrall/issue-431-fail-on-severity-none
Add none as option for fail-on-severity
2024-02-11 14:00:39 -08:00
tgrall c2936a6e3e fix reviewed done by @juxtin - bad line in yml 2024-02-10 09:20:39 +01:00
Federico Builes ba2d570913 Merge pull request #682 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.20.0
Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
2024-02-05 07:57:39 +01:00
dependabot[bot] 629b4c97dd Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.19.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:56:33 +00:00
Federico Builes 58e8c75f3b Merge pull request #684 from actions/dependabot/npm_and_yarn/got-14.2.0
Bump got from 14.0.0 to 14.2.0
2024-02-05 07:55:50 +01:00
dependabot[bot] 8db04ed44f Bump got from 14.0.0 to 14.2.0
Bumps [got](https://github.com/sindresorhus/got) from 14.0.0 to 14.2.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.0.0...v14.2.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:55:44 +00:00
Federico Builes b3aa197a26 Merge pull request #683 from actions/dependabot/npm_and_yarn/prettier-3.2.5
Bump prettier from 3.2.4 to 3.2.5
2024-02-05 07:55:42 +01:00
Federico Builes 4e78eb60ef Merge pull request #681 from actions/dependabot/npm_and_yarn/types/jest-29.5.12
Bump @types/jest from 29.5.11 to 29.5.12
2024-02-05 07:54:49 +01:00
Federico Builes 65f749b96d Merge pull request #680 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.20.0
Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
2024-02-05 07:54:36 +01:00
dependabot[bot] 0043ed5ccb Bump prettier from 3.2.4 to 3.2.5
Bumps [prettier](https://github.com/prettier/prettier) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.4...3.2.5)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:36 +00:00
dependabot[bot] 52933765bf Bump @types/jest from 29.5.11 to 29.5.12
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.11 to 29.5.12.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:18 +00:00
dependabot[bot] 6a6f26102b Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:11 +00:00
tgrall 8f3df4d674 fix ci failure on format-check 2024-02-02 06:09:20 +01:00
tgrall 98e8293881 Update Readme and action.yml based on review comments 2024-02-01 06:03:53 +01:00
Justin Holguín 748888b3fd Merge pull request #665 from actions/dependabot/npm_and_yarn/prettier-3.2.4
Bump prettier from 3.1.1 to 3.2.4
2024-01-31 14:19:36 -08:00
Justin Holguín 4dffb75625 Run prettier --write 2024-01-31 22:09:37 +00:00
Justin Holguín 9e50351924 Merge pull request #678 from actions/juxtin/codeql-ignore-dist
Use manual codeql config
2024-01-31 13:49:51 -08:00
Justin Holguín 0812876f7c Update codeql.yml 2024-01-31 13:44:54 -08:00
Justin Holguín 4f37a60d4f Create codeql.yml 2024-01-31 13:36:31 -08:00
dependabot[bot] c0518321c3 Bump prettier from 3.1.1 to 3.2.4
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.1 to 3.2.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.1...3.2.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-31 18:57:22 +00:00
Justin Holguín 0229309241 Merge pull request #673 from actions/dependabot/npm_and_yarn/nodemon-3.0.3
Bump nodemon from 3.0.2 to 3.0.3
2024-01-31 10:56:20 -08:00
Jon Janego c664fc5964 Update examples.md
spelling
2024-01-31 12:43:08 -06:00
Federico Builes a7da313c35 Merge pull request #675 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.19.1
Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
2024-01-29 07:50:12 +01:00
Federico Builes 8953f45584 Merge pull request #674 from actions/dependabot/npm_and_yarn/types/node-20.11.10
Bump @types/node from 20.11.5 to 20.11.10
2024-01-29 07:49:59 +01:00
dependabot[bot] d93026fc89 Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.1 to 6.19.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.19.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:35:06 +00:00
dependabot[bot] 5a2ac62566 Bump @types/node from 20.11.5 to 20.11.10
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.5 to 20.11.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:51 +00:00
dependabot[bot] 0f007f69b1 Bump nodemon from 3.0.2 to 3.0.3
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:40 +00:00
tgrall 05d861260a finalize testing 2024-01-28 15:54:59 +01:00
tgrall 2c526853b4 new debug test 2024-01-28 15:51:39 +01:00
tgrall 9e251a5913 dist 2024-01-28 15:00:36 +01:00
tgrall ee5bd475ba debug behavior 2024-01-28 14:59:04 +01:00
tgrall b0a705da21 Fix license printing bug in main.ts 2024-01-28 14:54:28 +01:00
tgrall 0bab6ffc2c Fix vulnerability check to print warnings instead
of failing
2024-01-28 14:54:14 +01:00
tgrall f91404ca86 set status to low when warn-only is set to true 2024-01-28 14:35:44 +01:00
tgrall d6f324d18a fix typo in readme 2024-01-28 14:24:12 +01:00
tgrall f1576849e6 package the action 2024-01-28 10:58:10 +01:00
tgrall fc49851780 merge from main and fix code review comment from @juxtin 2024-01-28 10:16:07 +01:00
Jon Janego d53388efe8 Merge pull request #671 from jonjanego/main
Create stale.yaml
2024-01-26 10:09:43 -06:00
Jon Janego 56991330a3 Update stale.yaml
assigning explicit permissions
2024-01-26 09:15:48 -06:00
Jon Janego a824acd5d7 Create stale.yaml 2024-01-25 13:49:10 -06:00
Federico Builes 935098a950 updating @types/node to Node 20 2024-01-22 07:54:40 +01:00
Federico Builes b658b91622 Merge pull request #669 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.6.3
Bump eslint-plugin-jest from 27.6.0 to 27.6.3
2024-01-22 07:40:35 +01:00
dependabot[bot] d16453ab26 Bump eslint-plugin-jest from 27.6.0 to 27.6.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.6.0 to 27.6.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.6.0...v27.6.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 06:38:10 +00:00
Federico Builes 0381eac2bc Merge pull request #667 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.3
Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
2024-01-22 07:36:52 +01:00
dependabot[bot] 1967b21a03 Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.1.2 to 5.1.3.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.2...v5.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 01:15:42 +00:00
Federico Builes 4cd9eb2d23 Updating docs to point to v4. 2024-01-18 14:23:52 +01:00
Federico Builes 4901385134 bump to 4.0.0 2024-01-18 13:57:38 +01:00
Federico Builes dbf82a4a5e Merge pull request #639 from takost/takost/update-to-node-20
Update action to node20
2024-01-18 13:52:05 +01:00
Federico Builes 78aeb2a948 Merge pull request #663 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.1
Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
2024-01-15 06:39:13 +01:00
dependabot[bot] 4e510006f5 Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 05:38:23 +00:00
Federico Builes 9560737c5e Merge pull request #661 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.1
Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
2024-01-15 06:37:15 +01:00
Federico Builes 4125f47f7e Merge pull request #660 from actions/dependabot/npm_and_yarn/types/node-16.18.70
Bump @types/node from 16.18.62 to 16.18.70
2024-01-15 06:37:05 +01:00
dependabot[bot] 07cc93e0c8 Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:21:13 +00:00
dependabot[bot] e2c203b8b7 Bump @types/node from 16.18.62 to 16.18.70
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.62 to 16.18.70.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:20:53 +00:00
Federico Builes f0b304d0bc Merge pull request #653 from actions/dependabot/npm_and_yarn/got-14.0.0
Bump got from 13.0.0 to 14.0.0
2024-01-09 13:24:33 +01:00
Federico Builes e41543eaf0 Merge pull request #656 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.0
Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
2024-01-08 11:50:44 +01:00
dependabot[bot] 8ded6194d1 Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.16.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 10:46:03 +00:00
Federico Builes b5f60d5e37 Merge pull request #657 from actions/dependabot/npm_and_yarn/typescript-5.3.3
Bump typescript from 5.3.2 to 5.3.3
2024-01-08 11:45:16 +01:00
Federico Builes 45fc3f5adc Merge pull request #655 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.0
Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
2024-01-08 11:44:58 +01:00
Federico Builes c8593625f2 Merge pull request #654 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.2
Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
2024-01-08 11:44:42 +01:00
dependabot[bot] d2ca024914 Bump typescript from 5.3.2 to 5.3.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.3.2 to 5.3.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.2...v5.3.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:41 +00:00
dependabot[bot] 9649fc68a8 Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.15.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:04 +00:00
dependabot[bot] 2ac94ccf28 Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.0.1 to 5.1.2.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.0.1...v5.1.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:42 +00:00
dependabot[bot] 925e3a5871 Bump got from 13.0.0 to 14.0.0
Bumps [got](https://github.com/sindresorhus/got) from 13.0.0 to 14.0.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v13.0.0...v14.0.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:34 +00:00
Henri Maurer ab6f73d40f Merge pull request #621 from actions/dependabot/npm_and_yarn/octokit-3.1.2
Bump octokit from 2.1.0 to 3.1.2
2024-01-05 09:38:43 +00:00
Henri Maurer 746e9675d6 npm run package 2024-01-05 09:37:10 +00:00
Henri Maurer 3735443721 update @octokit/* and @actions/* 2024-01-05 09:36:49 +00:00
dependabot[bot] 44bab84b22 Bump octokit from 2.1.0 to 3.1.2
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.2.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:51:50 +00:00
Henri Maurer 8690720eb6 Merge pull request #652 from actions/dependabot/npm_and_yarn/octokit/webhooks-10.9.2
Bump @octokit/webhooks from 10.9.1 to 10.9.2
2024-01-04 16:48:16 +00:00
Henri Maurer e03c8a14eb npm run all 2024-01-04 16:46:59 +00:00
dependabot[bot] 194e338d30 Bump @octokit/webhooks from 10.9.1 to 10.9.2
Bumps [@octokit/webhooks](https://github.com/octokit/webhooks.js) from 10.9.1 to 10.9.2.
- [Release notes](https://github.com/octokit/webhooks.js/releases)
- [Commits](https://github.com/octokit/webhooks.js/compare/v10.9.1...v10.9.2)

---
updated-dependencies:
- dependency-name: "@octokit/webhooks"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:40:33 +00:00
Henri Maurer 1d740b64ec Merge pull request #642 from actions/dependabot/github_actions/actions/upload-artifact-4
Bump actions/upload-artifact from 3 to 4
2024-01-04 16:40:31 +00:00
Henri Maurer c74b580d73 Merge pull request #651 from actions/release-3.1.5
Bump version to 3.1.5
2024-01-04 15:06:44 +00:00
Henri Maurer cc4f6536e3 Release 3.1.5 2024-01-04 15:05:38 +00:00
Henri Maurer d2ed7c0d19 Merge pull request #649 from actions/per-page
Smaller `per_page` when requesting diff
2024-01-04 14:33:15 +00:00
Henri Maurer 9e77cc7329 npm run package 2024-01-04 10:49:05 +00:00
Henri Maurer b383a9aa6e Smaller per_page when requesting diff 2024-01-04 10:17:51 +00:00
Federico Builes 8a49820431 Merge pull request #646 from actions/dependabot/npm_and_yarn/prettier-3.1.1
Bump prettier from 3.1.0 to 3.1.1
2024-01-01 08:02:27 -05:00
Federico Builes a10a70d24c Merge pull request #645 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.16.0
Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
2024-01-01 08:02:14 -05:00
dependabot[bot] 0de163860f Bump prettier from 3.1.0 to 3.1.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.0...3.1.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:27:06 +00:00
dependabot[bot] 522f0218d0 Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.13.1 to 6.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:26:56 +00:00
Federico Builes 2597ca4eee Merge pull request #640 from actions/dependabot/npm_and_yarn/eslint-8.56.0
Bump eslint from 8.53.0 to 8.56.0
2023-12-28 12:27:10 -05:00
dependabot[bot] e5c6735807 Bump eslint from 8.53.0 to 8.56.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.53.0 to 8.56.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.53.0...v8.56.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-28 15:37:40 +00:00
Federico Builes 94f992f10e Merge pull request #644 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.15.0
Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
2023-12-28 10:36:29 -05:00
dependabot[bot] c45cbd720f Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.12.0 to 6.15.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.15.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 01:37:54 +00:00
dependabot[bot] 5ccb7d478c Bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 01:54:59 +00:00
Tatyana Kostromskaya 02456f4a00 Merge branch 'main' into takost/update-to-node-20 2023-12-14 15:08:39 +00:00
Tatyana Kostromskaya 1c9a424cbc . 2023-12-14 15:06:21 +00:00
Federico Builes 2425542aca Merge pull request #638 from actions/fix-purls
Replace pip -> pypi in PURL examples
2023-12-11 17:25:43 +01:00
Federico Builes b39e17ba5e Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00
Federico Builes b8a398b675 Merge pull request #636 from actions/dependabot/npm_and_yarn/nodemon-3.0.2
Bump nodemon from 3.0.1 to 3.0.2
2023-12-11 06:04:47 +01:00
Federico Builes 1612de9646 Merge pull request #637 from actions/dependabot/npm_and_yarn/types/jest-29.5.11
Bump @types/jest from 29.5.8 to 29.5.11
2023-12-11 06:04:33 +01:00
dependabot[bot] 53de591348 Bump @types/jest from 29.5.8 to 29.5.11
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.8 to 29.5.11.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:35 +00:00
dependabot[bot] 288d543806 Bump nodemon from 3.0.1 to 3.0.2
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:24 +00:00
Federico Builes 359e1ffa80 Merge pull request #629 from actions/dependabot/npm_and_yarn/prettier-3.1.0
Bump prettier from 3.0.3 to 3.1.0
2023-12-04 08:58:13 +01:00
Federico Builes 63e1558807 Merge pull request #630 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.13.1
Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
2023-12-04 08:57:52 +01:00
dependabot[bot] 069cbabe02 Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.10.0 to 6.13.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.13.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:25:07 +00:00
dependabot[bot] 2e3c709016 Bump prettier from 3.0.3 to 3.1.0
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.3...3.1.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:24:49 +00:00
Federico Builes 01bc87099b bumping version 2023-11-28 08:11:14 +01:00
Federico Builes 4b4f0de8e1 Merge pull request #623 from actions/fix-advisory-filters
Fix GHSA Filtering
2023-11-28 08:10:11 +01:00
Federico Builes a93fa86c77 Fixing test name. 2023-11-28 08:08:29 +01:00
Federico Builes 550520e2c5 Merge pull request #624 from actions/dependabot/npm_and_yarn/typescript-5.3.2
Bump typescript from 5.2.2 to 5.3.2
2023-11-27 07:22:56 +01:00
Federico Builes 2d0fb60634 Merge pull request #625 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.12.0
Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
2023-11-27 07:22:47 +01:00
dependabot[bot] c07c2375ed Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.11.0 to 6.12.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.12.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:17:05 +00:00
dependabot[bot] 4d842d754e Bump typescript from 5.2.2 to 5.3.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.2.2 to 5.3.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.2.2...v5.3.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:16:38 +00:00
Federico Builes a6d4686316 adding dist 2023-11-24 14:40:48 +01:00
Federico Builes 4366dbae42 Advisory filters should not drop entire dependencies. 2023-11-24 14:40:18 +01:00
Federico Builes 50dafeb5e4 Tiny logic refactor. 2023-11-24 14:37:30 +01:00
Federico Builes 1cbb048907 Merge pull request #620 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.11.0
Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
2023-11-20 08:33:40 +01:00
dependabot[bot] ee69e92054 Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.10.0 to 6.11.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.11.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 07:29:18 +00:00
Federico Builes 5991d7a97d Merge pull request #619 from actions/dependabot/npm_and_yarn/types/node-16.18.62
Bump @types/node from 16.18.61 to 16.18.62
2023-11-20 08:27:56 +01:00
dependabot[bot] c409735e58 Bump @types/node from 16.18.61 to 16.18.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.61 to 16.18.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 01:46:41 +00:00
Federico Builes 7bbfa034e7 bumping to 3.1.3 2023-11-13 17:57:44 +01:00
Federico Builes 26f1ad9120 Merge pull request #617 from theztefan/purl-encoding-error
Fixes purl "version must be percent-encoded"
2023-11-13 17:55:23 +01:00
Stefan Petrushevski 152d8e2def Prettier 2023-11-13 17:45:48 +01:00
Stefan Petrushevski b99756ecd3 encode string for pUrl 2023-11-13 17:19:24 +01:00
Federico Builes fde92acd08 Merge pull request #611 from actions/fix-https-proxy
Fix proxy failures in 3.1.1
2023-11-08 09:14:57 +01:00
Federico Builes a89dd96450 adding dist 2023-11-08 08:49:49 +01:00
Federico Builes 76891836b1 revert octokit changes 2023-11-08 08:47:43 +01:00
Federico Builes fc5e2db757 go back to Node 16 to skip using fetch API 2023-11-08 08:36:27 +01:00
Federico Builes ded987cb3b Downgrade usage of retries.
This commit reverts:

f7363549ac
76b050a607
8dc52cdbed
2023-11-08 08:35:44 +01:00
Federico Builes 9f45b2463b bumping to 3.1.1 2023-11-06 08:03:41 +01:00
Federico Builes 559513a56c Merge pull request #606 from actions/dependabot/npm_and_yarn/actions/github-6.0.0
Bump @actions/github from 5.1.1 to 6.0.0
2023-11-06 07:55:54 +01:00
Federico Builes 8edc431d7d Merge branch 'main' into dependabot/npm_and_yarn/actions/github-6.0.0 2023-11-06 07:52:53 +01:00
Federico Builes 3e8322e4bb Merge pull request #605 from actions/dependabot/npm_and_yarn/yaml-2.3.4
Bump yaml from 2.3.3 to 2.3.4
2023-11-06 07:51:31 +01:00
Federico Builes 5a55885447 adding dist 2023-11-06 07:50:51 +01:00
Federico Builes f952b5a2c5 Merge branch 'main' into dependabot/npm_and_yarn/yaml-2.3.4 2023-11-06 07:48:24 +01:00
Federico Builes 8678cfac42 Merge pull request #607 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.9.1
Bump @typescript-eslint/eslint-plugin from 6.9.0 to 6.9.1
2023-11-06 07:47:08 +01:00
Federico Builes aa8e70d588 adding dist 2023-11-06 07:46:52 +01:00
Federico Builes 3331d25f9d adding dist 2023-11-06 07:42:40 +01:00
dependabot[bot] 2af83f55fa Bump @actions/github from 5.1.1 to 6.0.0
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.1.1 to 6.0.0.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 06:42:18 +00:00
dependabot[bot] 0d3cf5ba9e Bump @typescript-eslint/eslint-plugin from 6.9.0 to 6.9.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.9.0 to 6.9.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 06:42:16 +00:00
Federico Builes b2a5ead1f7 Merge pull request #604 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.9.1
Bump @typescript-eslint/parser from 6.8.0 to 6.9.1
2023-11-06 07:41:16 +01:00
Federico Builes 79f0a0b62b Merge pull request #603 from actions/dependabot/npm_and_yarn/actions/core-1.10.1
Bump @actions/core from 1.10.0 to 1.10.1
2023-11-06 07:40:58 +01:00
Federico Builes fc44602899 adding dist 2023-11-06 07:40:46 +01:00
dependabot[bot] 7177991451 Bump yaml from 2.3.3 to 2.3.4
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.3...v2.3.4)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:54 +00:00
dependabot[bot] 90fe789d91 Bump @typescript-eslint/parser from 6.8.0 to 6.9.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.8.0 to 6.9.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:45 +00:00
dependabot[bot] 5cbf74f675 Bump @actions/core from 1.10.0 to 1.10.1
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.0 to 1.10.1.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:31 +00:00
Federico Builes 11e0dead9a Merge pull request #598 from actions/dependabot/npm_and_yarn/packageurl-js-1.2.0
Bump packageurl-js from 1.0.2 to 1.2.0
2023-10-30 09:43:41 +01:00
Federico Builes 3c1cb72dcd updating dist 2023-10-30 09:31:26 +01:00
Federico Builes 570a2b5dcd Merge pull request #597 from actions/dependabot/npm_and_yarn/eslint-8.52.0
Bump eslint from 8.51.0 to 8.52.0
2023-10-30 09:28:21 +01:00
Federico Builes a7e01b8d9c Merge pull request #599 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.9.0
Bump @typescript-eslint/eslint-plugin from 6.8.0 to 6.9.0
2023-10-30 09:28:05 +01:00
dependabot[bot] 168567cd17 Bump eslint from 8.51.0 to 8.52.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.51.0 to 8.52.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.51.0...v8.52.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 08:25:08 +00:00
dependabot[bot] 1d86ff759b Bump @typescript-eslint/eslint-plugin from 6.8.0 to 6.9.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.8.0 to 6.9.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 08:25:07 +00:00
Federico Builes 0631089c32 Merge pull request #596 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.6.0
Bump eslint-plugin-jest from 27.4.2 to 27.6.0
2023-10-30 09:24:44 +01:00
Federico Builes 0b8ffde994 Merge pull request #600 from actions/dependabot/npm_and_yarn/types/spdx-satisfies-0.1.1
Bump @types/spdx-satisfies from 0.1.0 to 0.1.1
2023-10-30 09:23:36 +01:00
Federico Builes 68d57cd360 Merge pull request #601 from actions/dependabot/github_actions/actions/setup-node-4
Bump actions/setup-node from 3 to 4
2023-10-30 09:22:44 +01:00
dependabot[bot] 7314a0c1f5 Bump actions/setup-node from 3 to 4
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 4.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:40:15 +00:00
dependabot[bot] cfeea91bf4 Bump @types/spdx-satisfies from 0.1.0 to 0.1.1
Bumps [@types/spdx-satisfies](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-satisfies) from 0.1.0 to 0.1.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-satisfies)

---
updated-dependencies:
- dependency-name: "@types/spdx-satisfies"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:08:35 +00:00
dependabot[bot] c8515ab391 Bump packageurl-js from 1.0.2 to 1.2.0
Bumps [packageurl-js](https://github.com/package-url/packageurl-js) from 1.0.2 to 1.2.0.
- [Changelog](https://github.com/package-url/packageurl-js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/package-url/packageurl-js/compare/v1.0.2...v1.2.0)

---
updated-dependencies:
- dependency-name: packageurl-js
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:07:56 +00:00
dependabot[bot] cff52fd316 Bump eslint-plugin-jest from 27.4.2 to 27.6.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.4.2 to 27.6.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.4.2...v27.6.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:07:31 +00:00
Federico Builes e65eb02ccf Merge pull request #591 from actions/dependabot/npm_and_yarn/typescript-5.2.2
Bump typescript from 4.9.5 to 5.2.2
2023-10-23 12:27:41 +02:00
Federico Builes 88953c2b16 updating dist 2023-10-23 12:26:03 +02:00
Federico Builes d97416955e Merge pull request #594 from actions/dependabot/npm_and_yarn/babel/traverse-7.23.2
Bump @babel/traverse from 7.23.0 to 7.23.2
2023-10-23 06:57:28 +02:00
dependabot[bot] 523c9a28aa Bump @babel/traverse from 7.23.0 to 7.23.2
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.23.0 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 04:56:30 +00:00
dependabot[bot] f85d4d5bc2 Bump typescript from 4.9.5 to 5.2.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.9.5 to 5.2.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.9.5...v5.2.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:19:39 +00:00
Federico Builes 89ff65dbf7 Merge pull request #589 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.10.1
Bump eslint-plugin-github from 4.9.2 to 4.10.1
2023-10-23 05:18:52 +02:00
Federico Builes c3c32181a9 Merge pull request #592 from actions/dependabot/npm_and_yarn/types/spdx-expression-parse-3.0.4
Bump @types/spdx-expression-parse from 3.0.3 to 3.0.4
2023-10-23 05:18:42 +02:00
Federico Builes ead6e4616f Merge pull request #593 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.8.0
Bump @typescript-eslint/parser from 6.7.3 to 6.8.0
2023-10-23 05:18:25 +02:00
dependabot[bot] a265e18106 Bump @types/spdx-expression-parse from 3.0.3 to 3.0.4
Bumps [@types/spdx-expression-parse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-expression-parse) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-expression-parse)

---
updated-dependencies:
- dependency-name: "@types/spdx-expression-parse"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:13:32 +00:00
dependabot[bot] a8759965d7 Bump @typescript-eslint/parser from 6.7.3 to 6.8.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.7.3 to 6.8.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.8.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:13:20 +00:00
Federico Builes 954314c2b1 Merge pull request #590 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.8.0
Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.8.0
2023-10-23 05:11:58 +02:00
dependabot[bot] 5b62f3bc06 Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.8.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.7.5 to 6.8.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.8.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 01:57:41 +00:00
dependabot[bot] fddf4c3474 Bump eslint-plugin-github from 4.9.2 to 4.10.1
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.9.2 to 4.10.1.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.9.2...v4.10.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 01:57:14 +00:00
Federico Builes 04e56a4409 Merge pull request #586 from actions/dependabot/npm_and_yarn/yaml-2.3.3
Bump yaml from 2.3.2 to 2.3.3
2023-10-16 05:39:42 +02:00
Federico Builes af51c4b700 adding dist 2023-10-16 03:44:04 +02:00
dependabot[bot] bd3b04e194 Bump yaml from 2.3.2 to 2.3.3
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.2...v2.3.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:43:15 +00:00
Federico Builes 382d2873a9 Merge pull request #585 from actions/dependabot/npm_and_yarn/types/spdx-expression-parse-3.0.3
Bump @types/spdx-expression-parse from 3.0.2 to 3.0.3
2023-10-16 03:42:54 +02:00
dependabot[bot] 500120a761 Bump @types/spdx-expression-parse from 3.0.2 to 3.0.3
Bumps [@types/spdx-expression-parse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-expression-parse) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-expression-parse)

---
updated-dependencies:
- dependency-name: "@types/spdx-expression-parse"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:41:27 +00:00
Federico Builes 212ded88b2 Merge pull request #584 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.0.1
Bump eslint-plugin-prettier from 5.0.0 to 5.0.1
2023-10-16 03:41:10 +02:00
Federico Builes 7ec89343e1 Merge pull request #587 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.7.5
Bump @typescript-eslint/eslint-plugin from 6.7.2 to 6.7.5
2023-10-16 03:40:22 +02:00
Federico Builes 536cc3d4b6 Merge pull request #588 from actions/dependabot/npm_and_yarn/types/node-16.18.58
Bump @types/node from 16.18.54 to 16.18.58
2023-10-16 03:40:11 +02:00
dependabot[bot] 2bc52c6348 Bump @types/node from 16.18.54 to 16.18.58
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.54 to 16.18.58.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:17:28 +00:00
dependabot[bot] fe9d8a52c4 Bump @typescript-eslint/eslint-plugin from 6.7.2 to 6.7.5
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.7.2 to 6.7.5.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.5/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:17:14 +00:00
dependabot[bot] bd251cc9eb Bump eslint-plugin-prettier from 5.0.0 to 5.0.1
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.0.0...v5.0.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:16:34 +00:00
Federico Builes 7e65a9bb48 Merge branch 'update-octokit' 2023-10-09 13:39:21 +02:00
Federico Builes b91ea51364 updating dist. 2023-10-09 13:34:29 +02:00
Federico Builes 76b050a607 Use octokit-rest for the PR comments client. 2023-10-09 13:34:14 +02:00
Federico Builes e6d6badddb Update jest. 2023-10-09 13:33:55 +02:00
Federico Builes f7363549ac use octokit plugins 2023-10-09 13:20:24 +02:00
Federico Builes f71a906c2e Update plugins. 2023-10-09 13:17:54 +02:00
Federico Builes 03ace23f96 Update Node JS version. 2023-10-09 12:36:16 +02:00
Federico Builes 0564d6f4de adding dist 2023-10-09 11:41:16 +02:00
dependabot[bot] cd09f857a3 Bump octokit from 2.1.0 to 3.1.1
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.1.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 09:38:02 +00:00
Federico Builes 69a61b613b updating dist 2023-10-09 11:36:34 +02:00
Federico Builes 53eb1ebcf5 Merge branch 'update-request-errors' 2023-10-09 11:36:00 +02:00
Federico Builes e8634671a4 Merge pull request #583 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.4.2
Bump eslint-plugin-jest from 27.2.3 to 27.4.2
2023-10-09 10:25:41 +02:00
Federico Builes 69ecf4db79 Merge pull request #582 from actions/dependabot/npm_and_yarn/eslint-8.51.0
Bump eslint from 8.48.0 to 8.51.0
2023-10-09 10:25:28 +02:00
dependabot[bot] 70835908ea Bump eslint-plugin-jest from 27.2.3 to 27.4.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.3 to 27.4.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.2.3...v27.4.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:39 +00:00
dependabot[bot] f704f55fa1 Bump eslint from 8.48.0 to 8.51.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.48.0 to 8.51.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.48.0...v8.51.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:24 +00:00
Federico Builes e51d18ae1e updating dist 2023-10-05 17:15:27 +02:00
Federico Builes 62f26a66d6 bumping zod 2023-10-05 17:14:25 +02:00
Federico Builes 2f836bbce6 Merge pull request #580 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.7.3
Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
2023-10-01 21:21:28 -05:00
dependabot[bot] 75dbba1acf Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.6.0 to 6.7.3.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.3/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 02:15:09 +00:00
Federico Builes 8325453339 Merge pull request #579 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.0
Bump @vercel/ncc from 0.36.1 to 0.38.0
2023-10-01 21:13:34 -05:00
dependabot[bot] 353956d50d Bump @vercel/ncc from 0.36.1 to 0.38.0
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.36.1 to 0.38.0.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.36.1...0.38.0)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 01:59:34 +00:00
Federico Builes 4e41165d4b Merge pull request #577 from jsoref/modernize-versions
Modernize versions
2023-09-27 13:46:13 -05:00
Josh Soref cf3393ef0a Drop references to v2 from README
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Josh Soref 8213a1db10 Use checkout@v4
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Federico Builes 64a6d1a0b8 Merge pull request #571 from actions/dependabot/npm_and_yarn/types/node-16.18.54
Bump @types/node from 16.18.48 to 16.18.54
2023-09-26 12:24:33 -05:00
Federico Builes 364de25b16 Merge pull request #573 from actions/dependabot/npm_and_yarn/prettier-3.0.3
Bump prettier from 3.0.2 to 3.0.3
2023-09-26 12:24:18 -05:00
dependabot[bot] 1f5e4f1cd9 Bump prettier from 3.0.2 to 3.0.3
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:59 +00:00
dependabot[bot] fcb0293419 Bump @types/node from 16.18.48 to 16.18.54
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.48 to 16.18.54.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:38 +00:00
tgrall 3b37a4ef1c update documentation 2023-06-14 09:17:26 +02:00
tgrall 13c4496f31 update doc 2023-06-14 09:12:19 +02:00
tgrall 7ed3405bdc warn_only_test_ 2023-06-14 08:55:38 +02:00
tgrall 9b290a185a fix ini of warn-only param 2023-06-13 09:44:03 +02:00
tgrall 995bb847a3 new dev 2023-06-13 09:34:12 +02:00
tgrall f1e6d67732 wan only 2023-06-13 09:29:10 +02:00
tgrall d833109d4d new build 2023-06-13 08:54:16 +02:00
tgrall a3a8a9c756 new build 2023-06-12 13:56:53 +02:00
tgrall 0b053fccb4 add new parameter warn_only 2023-06-12 11:26:44 +02:00
Courtney Claessens 78f160dece Update README.md
swap order to follow what's in the table
2023-04-03 15:57:39 -04:00
tgrall cc302f4c2b fix linter/format 2023-03-20 09:07:07 +01:00
tgrall 621d03bf3a Add none as option for fail-on-severity 2023-03-18 05:21:58 +01:00
33 changed files with 31784 additions and 30228 deletions
+1 -4
View File
@@ -2,8 +2,5 @@
"name": "Dependency Review Action",
"image": "mcr.microsoft.com/devcontainers/typescript-node:18",
"postCreateCommand": "npm install",
"remoteUser": "node",
"features": {
"ghcr.io/devcontainers/features/ruby:1": {}
}
"remoteUser": "node"
}
+4 -4
View File
@@ -23,10 +23,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set Node.js 18.x
uses: actions/setup-node@v3
- name: Set Node.js 20.x
uses: actions/setup-node@v4
with:
node-version: 18.x
node-version: 20.x
cache: npm
- name: Install dependencies
@@ -47,7 +47,7 @@ jobs:
id: diff
# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
+4 -4
View File
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
@@ -28,9 +28,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
+48
View File
@@ -0,0 +1,48 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '21 0 * * 4'
jobs:
analyze:
name: Analyze
runs-on: 'ubuntu-latest'
timeout-minutes: 360
permissions:
# required for all workflows
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
+28
View File
@@ -0,0 +1,28 @@
name: Close stale PRs and Issues
permissions:
issues: write
pull-requests: write
on:
schedule:
- cron: "00 0 * * *" # runs at 00:00 daily
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.0.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details."
stale-pr-label: "Stale"
stale-issue-label: "Stale"
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
exempt-issue-labels: "Keep" # a "Keep" label will keep the issue from being closed as stale
days-before-pr-stale: 180 # when the PR is considered stale
days-before-pr-close: 15 # when the PR is closed by the bot
days-before-issue-stale: 180 # when the issue is considered stale
days-before-issue-close: 15 # when the issue is closed by the bot
exempt-assignees: 'advanced-security-dependency-graph'
ascending: true
+9 -3
View File
@@ -77,9 +77,11 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Write tests.
- Add unit tests for new features.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Add examples of the usage to [examples.md](examples.md)
- Link to a sample PR in a custom repository running your version of the Action.
## Cutting a new release
@@ -112,10 +114,14 @@ minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v3 -m "Updating v3 to 3.0.1"
git push origin v3 --force
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
```
## Stalebot
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+59 -33
View File
@@ -1,21 +1,21 @@
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
You can see the results on the job logs:
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary:
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
1. Add a new YAML workflow to your `.github/workflows` folder:
@@ -31,18 +31,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
### GitHub Enterprise Server
This action is available in Enterprise Server starting with version 3.6. Make sure
Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can use the same workflow as above, replacing the `runs-on` value
@@ -57,35 +57,38 @@ jobs:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
## Configuration options
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
\*not supported for use with GitHub Enterprise Server
†will be supported with GitHub Enterprise Server 3.8
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
### Inline Configuration
@@ -103,9 +106,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
@@ -128,7 +131,7 @@ Start by specifying that you will be using an external configuration file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
@@ -149,12 +152,35 @@ For more examples of how to use this action and its configuration options, see t
### Considerations
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Outputs
- `comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration:
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
- `denied-changes` holds information about denied dependency changes in a JSON format.
> [!NOTE]
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
> [!IMPORTANT]
> If you use these outputs in a run-step, you must store the ouput data in an envrioment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
>
> ```yaml
> env:
> VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
> run: |
> echo "$VULNERABLE_CHANGES" | jq
> ```
>
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`. See [examples](docs/examples.md) for more.
## Getting help
+5
View File
@@ -26,6 +26,11 @@ test('it reads custom configs', async () => {
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to false for warn-only', async () => {
const config = await readConfig()
expect(config.warn_only).toEqual(false)
})
test('it defaults to empty allow/deny lists ', async () => {
const config = await readConfig()
+1 -1
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
+1 -2
View File
@@ -24,7 +24,6 @@ test('it properly catches RequestError type', async () => {
headRef: 'refs/heads/master'
})
} catch (error) {
const err = error as RequestError
expect(err.status).toBe(401)
expect(error).toBeInstanceOf(RequestError)
}
})
+118 -24
View File
@@ -19,7 +19,7 @@ const npmChange: Change = {
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_ghsa_id: 'vulnerable-ghsa-id',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
@@ -39,13 +39,13 @@ const rubyChange: Change = {
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_ghsa_id: 'moderate-ghsa-id',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_ghsa_id: 'low-ghsa-id',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
@@ -65,6 +65,64 @@ const noVulnNpmChange: Change = {
vulnerabilities: []
}
const lodashChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
name: 'lodash',
version: '4.17.0',
package_url: 'pkg:npm/lodash@4.17.0',
license: 'MIT',
source_repository_url: 'https://github.com/lodash/lodash',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'GHSA-jf85-cpcp-j695',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-4xc9-xhrj-v574',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-4xc9-xhrj-v574'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
advisory_summary: 'Command Injection in lodash',
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-p6mc-m468-83gw',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-x5rq-j2xg-h7qm',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-x5rq-j2xg-h7qm'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-29mw-wpgm-hmr9',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9'
},
{
severity: 'low',
advisory_ghsa_id: 'GHSA-fvqr-27wr-82fm',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-fvqr-27wr-82fm'
}
]
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
@@ -99,25 +157,61 @@ test('it properly handles undefined advisory IDs', async () => {
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
const fakeGHSAChanges = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(fakeGHSAChanges).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
test('it properly filters only allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = [
...npmChange.vulnerabilities,
...rubyChange.vulnerabilities,
...noVulnNpmChange.vulnerabilities
]
const vulnerable = filterAllowedAdvisories(['vulnerable-ghsa-id'], changes)
const newVulns = vulnerable.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 1)
expect(newVulns).not.toContainEqual(
expect.objectContaining({advisory_ghsa_id: 'vulnerable-ghsa-id'})
)
})
test('does not drop dependencies when filtering by GHSA', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const result = filterAllowedAdvisories(
['moderate-ghsa-id', 'low-ghsa-id', 'GHSA-jf85-cpcp-j695'],
changes
)
expect(result.map(change => change.name)).toEqual(
changes.map(change => change.name)
)
})
test('it properly filters multiple GHSAs', async () => {
const allowedGHSAs = ['vulnerable-ghsa-id', 'moderate-ghsa-id', 'low-ghsa-id']
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = changes.map(change => change.vulnerabilities).flat()
const result = filterAllowedAdvisories(allowedGHSAs, changes)
const newVulns = result.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 3)
})
test('it filters out GHSA dependencies', async () => {
const lodash = filterAllowedAdvisories(
['GHSA-jf85-cpcp-j695'],
[lodashChange]
)[0]
// the filter should have removed a single GHSA from the list
const expected = lodashChange.vulnerabilities.filter(
vuln => vuln.advisory_ghsa_id !== 'GHSA-jf85-cpcp-j695'
)
expect(expected.length).toEqual(lodashChange.vulnerabilities.length - 1)
expect(lodash.vulnerabilities).toEqual(expected)
})
+7 -4
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
@@ -183,7 +183,7 @@ test('it does not filter out changes that are on the exclusions list', async ()
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
@@ -199,7 +199,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
@@ -213,7 +213,10 @@ test('it does filters out changes if they are not on the exclusions list', async
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
+40
View File
@@ -0,0 +1,40 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getScorecardLevels, getProjectUrl} from '../src/scorecard'
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'type-is',
version: '1.6.18',
package_url: 'pkg:npm/type-is@1.6.18',
license: 'MIT',
source_repository_url: 'github.com/jshttp/type-is',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
expect(scorecard).not.toBeNull()
expect(scorecard.dependencies).toHaveLength(1)
expect(scorecard.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
test('Get project URL from deps.dev API', async () => {
const result = await getProjectUrl(
npmChange.ecosystem,
npmChange.name,
npmChange.version
)
expect(result).not.toBeNull()
})
+37 -2
View File
@@ -1,5 +1,5 @@
import {expect, jest, test} from '@jest/globals'
import {Changes, ConfigurationOptions} from '../src/schemas'
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import * as summary from '../src/summary'
import * as core from '@actions/core'
import {createTestChange} from './fixtures/create-test-change'
@@ -16,6 +16,9 @@ const emptyInvalidLicenseChanges = {
unresolved: [],
unlicensed: []
}
const emptyScorecard: Scorecard = {
dependencies: []
}
const defaultConfig: ConfigurationOptions = {
vulnerability_check: true,
license_check: true,
@@ -28,7 +31,10 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false,
warn_on_openssf_scorecard_level: 3,
show_openssf_scorecard: false
}
const changesWithEmptyManifests: Changes = [
@@ -70,11 +76,32 @@ const changesWithEmptyManifests: Changes = [
}
]
const scorecard: Scorecard = {
dependencies: [
{
change: {
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
scorecard: null
}
]
}
test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -87,6 +114,7 @@ test('only includes "No vulnerabilities or license issues found"-message if both
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -100,6 +128,7 @@ test('only includes "No vulnerabilities found"-message if "license_check" is set
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
config
)
const text = core.summary.stringify()
@@ -113,6 +142,7 @@ test('only includes "No license issues found"-message if "vulnerability_check" i
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
config
)
const text = core.summary.stringify()
@@ -125,6 +155,7 @@ test('groups dependencies with empty manifest paths together', () => {
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
@@ -142,6 +173,7 @@ test('does not include status section if nothing was found', () => {
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -164,6 +196,7 @@ test('includes count and status icons for all findings', () => {
vulnerabilities,
licenseIssues,
emptyChanges,
emptyScorecard,
defaultConfig
)
@@ -183,6 +216,7 @@ test('uses checkmarks for license issues if only vulnerabilities were found', ()
vulnerabilities,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
@@ -206,6 +240,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
emptyChanges,
licenseIssues,
emptyChanges,
emptyScorecard,
defaultConfig
)
+2 -1
View File
@@ -18,7 +18,8 @@ export function clearInputs(): void {
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
'COMMENT-SUMMARY-IN-PR',
'WARN-ONLY'
]
// eslint-disable-next-line github/array-foreach
+28 -4
View File
@@ -30,7 +30,7 @@ inputs:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
@@ -48,10 +48,10 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
@@ -61,6 +61,30 @@ inputs:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
warn-only:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
default: false
show-openssf-scorecard:
description: Show a summary of the OpenSSF Scorecard scores.
required: false
default: true
warn-on-openssf-scorecard-level:
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
required: false
default: 3
outputs:
comment-content:
description: Prepared dependency report comment
dependency-changes:
description: All dependency changes (JSON)
vulnerable-changes:
description: Vulnerable dependency changes (JSON)
invalid-license-changes:
description: Invalid license dependency changes (JSON)
denied-changes:
description: Denied dependency changes (JSON)
runs:
using: 'node16'
using: 'node20'
main: 'dist/index.js'
Generated Vendored
+28721 -26863
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+291 -131
View File
@@ -47,6 +47,28 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@fastify/busboy
MIT
Copyright Brian White. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
@octokit/app
MIT
The MIT License
@@ -322,6 +344,17 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-graphql
MIT
MIT License Copyright (c) 2019 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-rest
MIT
MIT License Copyright (c) 2019 Octokit contributors
@@ -481,16 +514,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@vercel/ncc
MIT
Copyright 2018 ZEIT, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
aggregate-error
MIT
MIT License
@@ -1046,30 +1069,6 @@ Apache License
limitations under the License.
fromentries
MIT
The MIT License (MIT)
Copyright (c) Feross Aboukhadijeh
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
indent-string
MIT
MIT License
@@ -1083,31 +1082,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
is-plain-object
MIT
The MIT License (MIT)
Copyright (c) 2014-2017, Jon Schlinkert.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
jsonwebtoken
MIT
The MIT License (MIT)
@@ -1175,9 +1149,240 @@ FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TOR
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash
lodash.includes
MIT
Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isboolean
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isinteger
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isnumber
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isplainobject
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isstring
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.once
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
@@ -1270,32 +1475,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
node-fetch
MIT
The MIT License (MIT)
Copyright (c) 2016 David Frank
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
octokit
MIT
The MIT License
@@ -1489,9 +1668,6 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tr46
MIT
tunnel
MIT
The MIT License (MIT)
@@ -1517,6 +1693,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
undici
MIT
MIT License
Copyright (c) Matteo Collina and Undici contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
universal-github-app-jwt
MIT
The MIT License
@@ -1566,47 +1767,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
webidl-conversions
BSD-2-Clause
# The BSD 2-Clause License
Copyright (c) 2014, Domenic Denicola
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
whatwg-url
MIT
The MIT License (MIT)
Copyright (c) 20152016 Sebastian Mayr
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
wrappy
ISC
The ISC License
+67 -24
View File
@@ -1,4 +1,4 @@
# Examples on how to use the Dependancy Review Action
# Examples on how to use the Dependency Review Action
## Basic Usage
@@ -18,9 +18,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
## Using an inline configuration
@@ -39,9 +39,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
@@ -62,7 +62,7 @@ allow_licenses:
- 'BSD-2-Clause'
```
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
@@ -76,9 +76,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
@@ -103,9 +103,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
@@ -130,9 +130,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
@@ -155,15 +155,58 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
```
## Getting the results of the action in a later step
- `comment-content` contains the output of the results comment for the entire run.
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
id: review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
- name: 'Report'
# make sure this step runs even if the previous failed
if: ${{ failure() && steps.review.conclusion == 'failure' }}
shell: bash
env: # store comment HTML data in an environment variable
COMMENT: ${{ steps.review.outputs.comment-content }}
run: | # do something with the comment:
echo "$COMMENT"
- name: 'List vulnerable dependencies'
# make sure this step runs even if the previous failed
if: ${{ failure() && steps.review.conclusion == 'failure' }}
shell: bash
env: # store JSON data in an environment variable
VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
run: | # do something with the JSON:
echo "$VULNERABLE_CHANGES" | jq '.[].package_url'
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
@@ -183,14 +226,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
```
If we were to use configuration file, the configuration would look like this:
@@ -202,7 +245,7 @@ allow-licenses:
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
- 'pkg:pypi/requests'
```
## Only check for vulnerabilities
@@ -222,9 +265,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
comment-summary-in-pr: always
@@ -251,9 +294,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
@@ -285,9 +328,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
+1876 -3037
View File
File diff suppressed because it is too large Load Diff
+25 -25
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.1.0",
"version": "4.2.3",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,37 +25,37 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@types/jest": "^29.5.12",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"got": "^14.2.0",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"packageurl-js": "^1.2.0",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.2",
"zod": "^3.22.2"
"ts-jest": "^29.1.2",
"yaml": "^2.3.4",
"zod": "^3.22.3"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.48",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.6.0",
"@vercel/ncc": "^0.36.1",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.48.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"eslint": "^8.56.0",
"eslint-plugin-github": "^4.10.1",
"eslint-plugin-jest": "^27.9.0",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.2",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
"nodemon": "^3.1.0",
"prettier": "3.2.5",
"typescript": "^5.3.3"
}
}
+35 -6
View File
@@ -6,7 +6,7 @@
* npx ts-node scripts/create_summary.ts
*/
import {Change, Changes, ConfigurationOptions} from '../src/schemas'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {createTestChange} from '../__tests__/fixtures/create-test-change'
import {InvalidLicenseChanges} from '../src/licenses'
import * as fs from 'fs'
@@ -26,13 +26,36 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
'pkg:pypi/requests',
'pkg:pypi/certifi',
'pkg:pypi/pycrypto@2.6.1'
],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false,
warn_on_openssf_scorecard_level: 3,
show_openssf_scorecard: true
}
const scorecard: Scorecard = {
dependencies: [
{
change: {
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
scorecard: null
}
]
}
const tmpDir = path.resolve(__dirname, '../tmp')
@@ -100,7 +123,13 @@ async function createSummary(
config: ConfigurationOptions,
fileName: string
): Promise<void> {
summary.addSummaryToSummary(vulnerabilities, licenseIssues, denied, config)
summary.addSummaryToSummary(
vulnerabilities,
licenseIssues,
denied,
scorecard,
config
)
summary.addChangeVulnerabilitiesToSummary(
vulnerabilities,
config.fail_on_severity
+22 -4
View File
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
@@ -12,7 +13,24 @@ const octo = new retryingOctokit(
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(summary: typeof core.summary): Promise<void> {
export async function commentPr(
summary: typeof core.summary,
config: ConfigurationOptions
): Promise<void> {
const commentContent = summary.stringify()
core.setOutput('comment-content', commentContent)
if (
!(
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
)
) {
return
}
if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
@@ -20,7 +38,7 @@ export async function commentPr(summary: typeof core.summary): Promise<void> {
return
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
@@ -74,8 +92,8 @@ async function findCommentByMarker(
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(
comment => comment.body?.includes(commentBodyIncludes)
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
+9 -1
View File
@@ -47,6 +47,11 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
const warn_only = getOptionalBoolean('warn-only')
const show_openssf_scorecard = getOptionalBoolean('show-openssf-scorecard')
const warn_on_openssf_scorecard_level = getOptionalNumber(
'warn-on-openssf-scorecard-level'
)
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
@@ -67,7 +72,10 @@ function readInlineConfig(): ConfigurationOptionsPartial {
head_ref,
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
retry_on_snapshot_warnings_timeout,
warn_only,
show_openssf_scorecard,
warn_on_openssf_scorecard_level
}
return Object.fromEntries(
+2 -1
View File
@@ -31,7 +31,8 @@ export async function compare({
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner,
repo,
basehead: `${baseRef}...${headRef}`
basehead: `${baseRef}...${headRef}`,
per_page: 5
},
response => {
if (
+23 -13
View File
@@ -1,5 +1,13 @@
import {Changes, Severity, SEVERITIES, Scope} from './schemas'
/**
* Filters changes by a severity level. Only vulnerable
* dependencies will be returned.
*
* @param severity - The severity level to filter by.
* @param changes - The array of changes to filter.
* @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
*/
export function filterChangesBySeverity(
severity: Severity,
changes: Changes
@@ -31,7 +39,14 @@ export function filterChangesBySeverity(
filteredChanges = filteredChanges.filter(
change => change.vulnerabilities.length > 0
)
return filteredChanges
// only report vulnerability additions
return filteredChanges.filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
}
export function filterChangesByScopes(
@@ -67,25 +82,20 @@ export function filterAllowedAdvisories(
return changes
}
const filteredChanges = changes.filter(change => {
const filteredChanges = changes.map(change => {
const noAdvisories =
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
if (noAdvisories) {
return true
return change
}
const newChange = {...change}
newChange.vulnerabilities = change.vulnerabilities.filter(
vuln => !ghsas.includes(vuln.advisory_ghsa_id)
)
let allAllowedAdvisories = true
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
return newChange
})
return filteredChanges
+5 -2
View File
@@ -21,16 +21,19 @@ export function getRefs(
if (!base_ref && !head_ref) {
throw new Error(
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!base_ref) {
throw new Error(
'A base ref must be provided, either via the `base_ref` config option, ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'`base-ref` workflow action option, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!head_ref) {
throw new Error(
'A head ref must be provided, either via the `head_ref` config option, ' +
'`head-ref` workflow action option, or by running a ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
)
}
+4 -2
View File
@@ -32,7 +32,7 @@ export async function getInvalidLicenseChanges(
const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return PackageURL.fromString(pkgUrl)
return PackageURL.fromString(encodeURI(pkgUrl))
}
)
@@ -45,7 +45,9 @@ export async function getInvalidLicenseChanges(
return true
}
const changeAsPackageURL = PackageURL.fromString(change.package_url)
const changeAsPackageURL = PackageURL.fromString(
encodeURI(change.package_url)
)
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
+97 -23
View File
@@ -3,7 +3,13 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity, Changes, ConfigurationOptions} from './schemas'
import {
Change,
Severity,
Changes,
ConfigurationOptions,
Scorecard
} from './schemas'
import {readConfig} from '../src/config'
import {
filterChangesBySeverity,
@@ -11,6 +17,7 @@ import {
filterAllowedAdvisories
} from '../src/filter'
import {getInvalidLicenseChanges} from './licenses'
import {getScorecardLevels} from './scorecard'
import * as summary from './summary'
import {getRefs} from './git-refs'
@@ -80,21 +87,24 @@ async function run(): Promise<void> {
return
}
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
const failOnSeverityParams = config.fail_on_severity
const warnOnly = config.warn_only
let minSeverity: Severity = 'low'
// If failOnSeverityParams is not set or warnOnly is true, the minSeverity is low, to allow all vulnerabilities to be reported as warnings
if (failOnSeverityParams && !warnOnly) {
minSeverity = failOnSeverityParams
}
const vulnerableChanges = filterChangesBySeverity(
minSeverity,
filteredChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
const invalidLicenseChanges = await getInvalidLicenseChanges(
@@ -115,10 +125,13 @@ async function run(): Promise<void> {
config.deny_groups
)
const scorecard = await getScorecardLevels(filteredChanges)
summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
deniedChanges,
scorecard,
config
)
@@ -127,27 +140,33 @@ async function run(): Promise<void> {
}
if (config.vulnerability_check) {
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
}
if (config.license_check) {
core.setOutput(
'invalid-license-changes',
JSON.stringify(invalidLicenseChanges)
)
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
printLicensesBlock(invalidLicenseChanges, warnOnly)
}
if (config.deny_packages || config.deny_groups) {
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
}
if (config.show_openssf_scorecard) {
summary.addScorecardToSummary(scorecard, config)
printScorecardBlock(scorecard, config)
createScorecardWarnings(scorecard, config)
}
core.setOutput('dependency-changes', JSON.stringify(changes))
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
await commentPr(core.summary, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -171,19 +190,25 @@ async function run(): Promise<void> {
function printVulnerabilitiesBlock(
addedChanges: Changes,
minSeverity: Severity
minSeverity: Severity,
warnOnly: boolean
): void {
let failed = false
let vulFound = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
vulFound = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
if (vulFound) {
const msg = 'Dependency review detected vulnerable packages.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
@@ -206,13 +231,19 @@ function printChangeVulnerabilities(change: Change): void {
}
function printLicensesBlock(
invalidLicenseChanges: Record<string, Changes>
invalidLicenseChanges: Record<string, Changes>,
warnOnly: boolean
): void {
core.group('Licenses', async () => {
if (invalidLicenseChanges.forbidden.length > 0) {
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
core.setFailed('Dependency review detected incompatible licenses.')
const msg = 'Dependency review detected incompatible licenses.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
}
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
@@ -248,6 +279,29 @@ function printNullLicenses(changes: Changes): void {
}
}
function printScorecardBlock(
scorecard: Scorecard,
config: ConfigurationOptions
): void {
core.group('Scorecard', async () => {
if (scorecard) {
for (const dependency of scorecard.dependencies) {
if (
dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
) {
core.info(
`${styles.color.red.open}${dependency.change.ecosystem}/${dependency.change.name}: OpenSSF Scorecard Score: ${dependency?.scorecard?.score}${styles.red.close}`
)
}
core.info(
`${dependency.change.ecosystem}/${dependency.change.name}: OpenSSF Scorecard Score: ${dependency?.scorecard?.score}`
)
}
}
})
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
@@ -316,4 +370,24 @@ function printDeniedDependencies(
})
}
async function createScorecardWarnings(
scorecards: Scorecard,
config: ConfigurationOptions
): Promise<void> {
// Iterate through the list of scorecards, and if the score is less than the threshold, send a warning
for (const dependency of scorecards.dependencies) {
if (
dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
) {
core.warning(
`${dependency.change.ecosystem}/${dependency.change.name} has an OpenSSF Scorecard of ${dependency.scorecard?.score}, which is less than this repository's threshold of ${config.warn_on_openssf_scorecard_level}.`,
{
title: 'OpenSSF Scorecard Warning'
}
)
}
}
}
run()
+46 -1
View File
@@ -51,6 +51,8 @@ export const ConfigurationOptionsSchema = z
head_ref: z.string().optional(),
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
show_openssf_scorecard: z.boolean().optional().default(true),
warn_on_openssf_scorecard_level: z.number().default(3),
comment_summary_in_pr: z
.union([
z.preprocess(
@@ -59,7 +61,8 @@ export const ConfigurationOptionsSchema = z
),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
.default('never'),
warn_only: z.boolean().default(false)
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
@@ -99,9 +102,51 @@ export const ComparisonResponseSchema = z.object({
snapshot_warnings: z.string()
})
export const ScorecardApiSchema = z.object({
date: z.string(),
repo: z
.object({
name: z.string(),
commit: z.string()
})
.nullish(),
scorecard: z
.object({
version: z.string(),
commit: z.string()
})
.nullish(),
checks: z
.array(
z.object({
name: z.string(),
documentation: z.object({
shortDescription: z.string(),
url: z.string()
}),
score: z.string(),
reason: z.string(),
details: z.array(z.string())
})
)
.nullish(),
score: z.number().nullish()
})
export const ScorecardSchema = z.object({
dependencies: z.array(
z.object({
change: ChangeSchema,
scorecard: ScorecardApiSchema.nullish()
})
)
})
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ComparisonResponse = z.infer<typeof ComparisonResponseSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = (typeof SCOPES)[number]
export type Scorecard = z.infer<typeof ScorecardSchema>
export type ScorecardApi = z.infer<typeof ScorecardApiSchema>
+73
View File
@@ -0,0 +1,73 @@
import {Change, Scorecard, ScorecardApi} from './schemas'
import * as core from '@actions/core'
export async function getScorecardLevels(
changes: Change[]
): Promise<Scorecard> {
const data: Scorecard = {dependencies: []} as Scorecard
for (const change of changes) {
const ecosystem = change.ecosystem
const packageName = change.name
const version = change.version
//Get the project repository
let repositoryUrl = change.source_repository_url
//If the repository_url includes the protocol, remove it
if (repositoryUrl?.startsWith('https://')) {
repositoryUrl = repositoryUrl.replace('https://', '')
}
// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
// Get the scorecard API response from the scorecards API
let scorecardApi: ScorecardApi | null = null
if (repositoryUrl) {
try {
scorecardApi = await getScorecard(repositoryUrl)
} catch (error: unknown) {
core.debug(`Error querying for scorecard: ${(error as Error).message}`)
}
}
data.dependencies.push({
change,
scorecard: scorecardApi
})
}
return data
}
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
const apiRoot = 'https://api.securityscorecards.dev/'
let scorecardResponse: ScorecardApi = {} as ScorecardApi
const url = `${apiRoot}/projects/${repositoryUrl}`
const response = await fetch(url)
if (response.ok) {
scorecardResponse = await response.json()
} else {
core.debug(`Couldn't get scorecard data for ${repositoryUrl}`)
}
return scorecardResponse
}
export async function getProjectUrl(
ecosystem: string,
packageName: string,
version: string
): Promise<string> {
core.debug(`Getting deps.dev data for ${packageName} ${version}`)
const depsDevAPIRoot = 'https://api.deps.dev'
const url = `${depsDevAPIRoot}/v3alpha/systems/${ecosystem}/packages/${packageName}/versions/${version}`
const response = await fetch(url)
if (response.ok) {
const data = await response.json()
if (data.relatedProjects.length > 0) {
return data.relatedProjects[0].projectKey.id
}
}
return ''
}
+95 -8
View File
@@ -1,5 +1,5 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes, Change} from './schemas'
import {ConfigurationOptions, Changes, Change, Scorecard} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
@@ -14,22 +14,30 @@ export function addSummaryToSummary(
vulnerableChanges: Changes,
invalidLicenseChanges: InvalidLicenseChanges,
deniedChanges: Changes,
scorecard: Scorecard,
config: ConfigurationOptions
): void {
const scorecardWarnings = countScorecardWarnings(scorecard, config)
const licenseIssues = countLicenseIssues(invalidLicenseChanges)
core.summary.addHeading('Dependency Review', 1)
if (
vulnerableChanges.length === 0 &&
countLicenseIssues(invalidLicenseChanges) === 0 &&
deniedChanges.length === 0
licenseIssues === 0 &&
deniedChanges.length === 0 &&
scorecardWarnings === 0
) {
if (!config.license_check) {
core.summary.addRaw(`${icons.check} No vulnerabilities found.`)
} else if (!config.vulnerability_check) {
core.summary.addRaw(`${icons.check} No license issues found.`)
const issueTypes = [
config.vulnerability_check ? 'vulnerabilities' : '',
config.license_check ? 'license issues' : '',
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
]
if (issueTypes.filter(Boolean).length === 0) {
core.summary.addRaw(`${icons.check} No issues found.`)
} else {
core.summary.addRaw(
`${icons.check} No vulnerabilities or license issues found.`
`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
)
}
@@ -65,11 +73,31 @@ export function addSummaryToSummary(
deniedChanges.length
} package(s) denied.`
]
: []),
...(config.show_openssf_scorecard && scorecardWarnings > 0
? [
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
]
: [])
])
.addRaw('See the Details below.')
}
function countScorecardWarnings(
scorecard: Scorecard,
config: ConfigurationOptions
): number {
return scorecard.dependencies.reduce(
(total, dependency) =>
total +
(dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
? 1
: 0),
0
)
}
export function addChangeVulnerabilitiesToSummary(
vulnerableChanges: Changes,
severity: string
@@ -249,6 +277,65 @@ function snapshotWarningRecommendation(
return 'Re-running this action after a short time may resolve the issue.'
}
export function addScorecardToSummary(
scorecard: Scorecard,
config: ConfigurationOptions
): void {
core.summary.addHeading('OpenSSF Scorecard', 2)
if (scorecard.dependencies.length > 10) {
core.summary.addRaw(`<details><summary>Scorecard details</summary>`, true)
}
core.summary.addRaw(
`<table><tr><th>Package</th><th>Version</th><th>Score</th><th>Details</th></tr>`,
true
)
for (const dependency of scorecard.dependencies) {
core.debug('Adding scorecard to summary')
core.debug(`Overall score ${dependency.scorecard?.score}`)
// Set the icon based on the overall score value
let overallIcon = ''
if (dependency.scorecard?.score) {
overallIcon =
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
? ':warning:'
: ':green_circle:'
}
//Add a row for the dependency
core.summary.addRaw(
`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
<td>${overallIcon} ${dependency.scorecard?.score === undefined || dependency.scorecard?.score === null ? 'Unknown' : dependency.scorecard?.score}</td>`,
false
)
//Add details table in the last column
if (dependency.scorecard?.checks !== undefined) {
let detailsTable =
'<table><tr><th>Check</th><th>Score</th><th>Reason</th></tr>'
for (const check of dependency.scorecard?.checks || []) {
const icon =
parseFloat(check.score) < config.warn_on_openssf_scorecard_level
? ':warning:'
: ':green_circle:'
detailsTable += `<tr><td>${check.name}</td><td>${icon} ${check.score}</td><td>${check.reason}</td></tr>`
}
detailsTable += `</table>`
core.summary.addRaw(
`<td><details><summary>Details</summary>${detailsTable}</details></td></tr>`,
true
)
} else {
core.summary.addRaw('<td>Unknown</td></tr>', true)
}
}
core.summary.addRaw(`</table>`)
if (scorecard.dependencies.length > 10) {
core.summary.addRaw(`</details>`)
}
}
export function addSnapshotWarnings(
config: ConfigurationOptions,
warnings: string