Compare commits

...

65 Commits

Author SHA1 Message Date
Federico Builes b83777ffd0 Merge pull request #156 from actions/dependabot/npm_and_yarn/types/node-16.11.44
Bump @types/node from 16.11.43 to 16.11.44
2022-07-14 09:11:42 +02:00
Federico Builes 1dc503a722 Merge pull request #155 from kachick/fix-154
Ignore removed changes in license checker
2022-07-14 09:10:17 +02:00
dependabot[bot] 8975a27eeb Bump @types/node from 16.11.43 to 16.11.44
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.43 to 16.11.44.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 01:36:49 +00:00
Kenichi Kamiya c003e7f8fc Add more test for added and removed pattern 2022-07-13 19:07:12 +09:00
Kenichi Kamiya ae4118f8fa Update build files with npm run all 2022-07-13 18:11:55 +09:00
Kenichi Kamiya c5d7bdcf7f Ignore removed changes in license checker 2022-07-13 18:11:10 +09:00
Federico Builes bced8aa1b2 Merge pull request #153 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.30.6
Bump @typescript-eslint/parser from 5.30.5 to 5.30.6
2022-07-12 09:07:41 +02:00
dependabot[bot] ba8e0b013b Bump @typescript-eslint/parser from 5.30.5 to 5.30.6
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.30.5 to 5.30.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.6/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-12 07:04:11 +00:00
Federico Builes cfcdef93a4 Merge pull request #152 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.30.6
Bump @typescript-eslint/eslint-plugin from 5.30.5 to 5.30.6
2022-07-12 09:03:21 +02:00
dependabot[bot] 43b6f9fe4a Bump @typescript-eslint/eslint-plugin from 5.30.5 to 5.30.6
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.30.5 to 5.30.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.6/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-12 01:46:01 +00:00
Federico Builes 467931ed7e Merge pull request #151 from actions/dependabot/npm_and_yarn/octokit/request-error-3.0.0
Bump @octokit/request-error from 2.1.0 to 3.0.0
2022-07-11 10:52:17 +02:00
Federico Builes 29c7e47bc6 adding dist folder 2022-07-11 10:49:16 +02:00
dependabot[bot] aa4260f0b0 Bump @octokit/request-error from 2.1.0 to 3.0.0
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 2.1.0 to 3.0.0.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v2.1.0...v3.0.0)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-11 02:03:02 +00:00
Federico Builes f187f64fc9 Merge pull request #139 from actions/dependabot/npm_and_yarn/eslint-8.19.0
Bump eslint from 8.18.0 to 8.19.0
2022-07-06 11:09:37 +02:00
Federico Builes f3bcf122c7 Merge pull request #144 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.30.5
Bump @typescript-eslint/eslint-plugin from 5.30.0 to 5.30.5
2022-07-06 11:09:15 +02:00
dependabot[bot] c43f51429e Bump @typescript-eslint/eslint-plugin from 5.30.0 to 5.30.5
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.30.0 to 5.30.5.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.5/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-06 09:02:16 +00:00
dependabot[bot] c9027d07d6 Bump eslint from 8.18.0 to 8.19.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.18.0 to 8.19.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.18.0...v8.19.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-06 09:02:10 +00:00
Federico Builes c316251843 Merge pull request #146 from kachick/add-vscode-workspace-configs
Enable prettier and recommend eslint in vscode workspace config
2022-07-06 11:01:23 +02:00
Federico Builes d8e436b2d5 Merge pull request #143 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.30.5
Bump @typescript-eslint/parser from 5.30.0 to 5.30.5
2022-07-06 11:01:06 +02:00
Federico Builes 82d4814150 Merge pull request #142 from kachick/fix-lint-errors-and-add-ci
Add CI workflow and fix lint errors
2022-07-06 11:00:13 +02:00
Federico Builes 89de8ab245 Merge pull request #148 from actions/dependabot/npm_and_yarn/nodemon-2.0.19
Bump nodemon from 2.0.18 to 2.0.19
2022-07-06 10:41:04 +02:00
dependabot[bot] 3e74bf2266 Bump @typescript-eslint/parser from 5.30.0 to 5.30.5
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.30.0 to 5.30.5.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.5/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-06 08:40:11 +00:00
Federico Builes 1ea517b3fa Merge pull request #141 from kachick/use-fixed-major-version-for-node-types
Use fixed major version for node types
2022-07-06 10:38:56 +02:00
Federico Builes 2aef88c152 Merge pull request #145 from kachick/fix-typo-dangerouns
Fix a typo s/dangerouns/dangerous/
2022-07-06 10:26:18 +02:00
Kenichi Kamiya 51d1824002 Focus only on the node issue
https://github.com/actions/dependency-review-action/pull/141#discussion_r914526073

https://github.com/actions/dependency-review-action/pull/141#discussion_r914537222

Co-authored-by: Federico Builes <febuiles@github.com>
2022-07-06 17:13:18 +09:00
dependabot[bot] 94edc9c394 Bump nodemon from 2.0.18 to 2.0.19
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.18 to 2.0.19.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.18...v2.0.19)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-06 02:07:14 +00:00
Kenichi Kamiya 7219e93649 Enable prettier and recommend eslint in vscode workspace config 2022-07-05 20:32:34 +09:00
Kenichi Kamiya 08074685be Fix a typo s/dangerouns/dangerous/ 2022-07-05 18:32:34 +09:00
Kenichi Kamiya 3efca1e3dd Update build files with npm run all 2022-07-04 20:13:08 +09:00
Kenichi Kamiya 9fdc2574b8 Fix rest eslint errors manually 2022-07-04 20:12:07 +09:00
Kenichi Kamiya 6e9189a5c1 npx eslint --fix src/**/*.ts 2022-07-04 20:12:07 +09:00
Kenichi Kamiya c6f347d470 npm run format 2022-07-04 20:12:07 +09:00
Kenichi Kamiya 40346e9340 Run test and linter in CI 2022-07-04 20:12:07 +09:00
Kenichi Kamiya 7f576504ed Stop dependabot PRs for different major version of types
It is possible to make a mismatch with actual logic.
2022-07-04 11:25:57 +09:00
Kenichi Kamiya 09100640b0 Adjust types of node to 16.x again
`npm uninstall @types/node && npm install --save-dev "@types/node@^16.11.43"`
2022-07-04 11:23:37 +09:00
Federico Builes 26b7908701 Merge pull request #136 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.30.0
Bump @typescript-eslint/eslint-plugin from 5.29.0 to 5.30.0
2022-06-28 08:04:16 +02:00
dependabot[bot] b564b42423 Bump @typescript-eslint/eslint-plugin from 5.29.0 to 5.30.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.29.0 to 5.30.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-28 05:56:11 +00:00
Federico Builes 2ceda66c21 Merge pull request #135 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.30.0
Bump @typescript-eslint/parser from 5.29.0 to 5.30.0
2022-06-28 07:55:08 +02:00
dependabot[bot] 49a36aa04e Bump @typescript-eslint/parser from 5.29.0 to 5.30.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.29.0 to 5.30.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.30.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-28 01:40:44 +00:00
Brandyn Phelps 17b8abf3bb Merge pull request #132 from kachick/fix-typo
docs: Fix a typo
2022-06-24 14:17:17 -07:00
Kenichi Kamiya c699fc9e3e docs: Fix a typo 2022-06-25 01:18:31 +09:00
Federico Builes 24ab96e8b8 Merge pull request #128 from actions/dependabot/npm_and_yarn/nodemon-2.0.18
Bump nodemon from 2.0.16 to 2.0.18
2022-06-24 08:37:57 +02:00
dependabot[bot] 04f86c1583 Bump nodemon from 2.0.16 to 2.0.18
Bumps [nodemon](https://github.com/remy/nodemon) from 2.0.16 to 2.0.18.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v2.0.16...v2.0.18)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-24 01:41:25 +00:00
Federico Builes 81b5cbd111 Merge pull request #127 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.29.0
Bump @typescript-eslint/parser from 5.28.0 to 5.29.0
2022-06-21 07:50:03 +02:00
dependabot[bot] 4b88091897 Bump @typescript-eslint/parser from 5.28.0 to 5.29.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.28.0 to 5.29.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.29.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-21 05:49:04 +00:00
Federico Builes febb822f26 Merge pull request #126 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.29.0
Bump @typescript-eslint/eslint-plugin from 5.28.0 to 5.29.0
2022-06-21 07:48:11 +02:00
dependabot[bot] ea91d29cdf Bump @typescript-eslint/eslint-plugin from 5.28.0 to 5.29.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.28.0 to 5.29.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.29.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-21 01:51:23 +00:00
Federico Builes a9539be12a Merge pull request #123 from actions/dependabot/npm_and_yarn/typescript-4.7.4
Bump typescript from 4.7.3 to 4.7.4
2022-06-20 08:14:45 +02:00
Federico Builes 9c688a568f Merge pull request #124 from actions/dependabot/npm_and_yarn/eslint-8.18.0
Bump eslint from 8.17.0 to 8.18.0
2022-06-20 08:14:26 +02:00
dependabot[bot] ff449a1296 Bump eslint from 8.17.0 to 8.18.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.17.0 to 8.18.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.17.0...v8.18.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-20 01:47:10 +00:00
dependabot[bot] 2a961b0169 Bump typescript from 4.7.3 to 4.7.4
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.7.3 to 4.7.4.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.7.3...v4.7.4)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-20 01:46:55 +00:00
Federico Builes 879687b22c Merge pull request #122 from actions/dependabot/npm_and_yarn/prettier-2.7.1
Bump prettier from 2.7.0 to 2.7.1
2022-06-17 07:40:15 +02:00
dependabot[bot] cb52804670 Bump prettier from 2.7.0 to 2.7.1
Bumps [prettier](https://github.com/prettier/prettier) from 2.7.0 to 2.7.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.7.0...2.7.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-17 01:54:43 +00:00
Federico Builes 17187536c0 Merge pull request #120 from actions/dependabot/npm_and_yarn/types/node-18.0.0
Bump @types/node from 17.0.43 to 18.0.0
2022-06-16 07:18:52 +02:00
Federico Builes c0faf55fe4 Merge pull request #119 from actions/dependabot/npm_and_yarn/actions/core-1.9.0
Bump @actions/core from 1.8.2 to 1.9.0
2022-06-16 07:18:37 +02:00
Federico Builes b6f6142660 adding dist files 2022-06-16 07:07:13 +02:00
Federico Builes 333e7ce17e Merge branch 'main' into dependabot/npm_and_yarn/actions/core-1.9.0 2022-06-16 07:06:25 +02:00
Federico Builes 4e9a45ca5b Merge pull request #121 from kachick/fix-duplicate-words
Fix duplicate words in README
2022-06-16 06:58:18 +02:00
dependabot[bot] 32a1ef9487 Bump @actions/core from 1.8.2 to 1.9.0
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.8.2 to 1.9.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-16 04:57:11 +00:00
Federico Builes 83be5f6c90 bumping version 2022-06-16 06:56:22 +02:00
Kenichi Kamiya 70f41926ca Fix duplicate words in README 2022-06-16 13:06:54 +09:00
Federico Builes 1c59cdf2a9 Fix the unknown licenses error message 2022-06-16 06:03:16 +02:00
dependabot[bot] ba0681f88b Bump @types/node from 17.0.43 to 18.0.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 17.0.43 to 18.0.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-16 01:32:41 +00:00
Federico Builes 29fc7a23bd Merge pull request #117 from actions/readme-capitalisation
Fixing branding in the readme
2022-06-15 15:40:19 +02:00
Courtney Claessens 903977c63a branding! 2022-06-15 09:32:17 -04:00
15 changed files with 524 additions and 1266 deletions
+3
View File
@@ -9,3 +9,6 @@ updates:
directory: /
schedule:
interval: daily
ignore:
- dependency-name: '@types/node'
update-types: ['version-update:semver-major']
+42
View File
@@ -0,0 +1,42 @@
name: CI
on:
push:
branches:
- main
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Test
run: |
npm test
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Check format
run: |
npm run format-check
- name: Lint
run: |
npm run lint
+3
View File
@@ -0,0 +1,3 @@
{
"recommendations": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]
}
+4
View File
@@ -0,0 +1,4 @@
{
"editor.formatOnSave": true,
"editor.defaultFormatter": "esbenp.prettier-vscode"
}
+2 -2
View File
@@ -2,7 +2,7 @@
This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
@@ -52,7 +52,7 @@ jobs:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
# You can only include one of these two options: `allow-licenses` and `deny-licenses`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
+2 -2
View File
@@ -15,7 +15,7 @@ let npmChange: Change = {
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerouns',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
@@ -34,7 +34,7 @@ let rubyChange: Change = {
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerouns',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
+30 -2
View File
@@ -15,7 +15,7 @@ let npmChange: Change = {
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerouns',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
@@ -34,7 +34,7 @@ let rubyChange: Change = {
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerouns',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
@@ -68,3 +68,31 @@ test('it fails all license checks when allow is provided an empty array', async
})
expect(invalidChanges.length).toBe(2)
})
test('it does not fail if a license outside the allow list is found in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([])
})
test('it does not fail if a license inside the deny list is found in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges).toStrictEqual([])
})
test('it fails if a license outside the allow list is found in both of added and removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
npmChange,
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([npmChange])
})
Generated Vendored
+177 -18
View File
@@ -81,11 +81,14 @@ exports.getDeniedLicenseChanges = void 0;
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
function getDeniedLicenseChanges(changes, licenses) {
let { allow, deny } = licenses;
let disallowed = [];
let unknown = [];
const { allow, deny } = licenses;
const disallowed = [];
const unknown = [];
for (const change of changes) {
let license = change.license;
if (change.change_type === 'removed') {
continue;
}
const license = change.license;
if (license === null) {
unknown.push(change);
continue;
@@ -171,14 +174,14 @@ function run() {
baseRef: pull_request.base.sha,
headRef: pull_request.head.sha
});
let config = (0, config_1.readConfig)();
let minSeverity = config.fail_on_severity;
const config = (0, config_1.readConfig)();
const minSeverity = config.fail_on_severity;
let failed = false;
let licenses = {
const licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
};
let filteredChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, changes);
const filteredChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, changes);
for (const change of filteredChanges) {
if (change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
@@ -187,9 +190,9 @@ function run() {
failed = true;
}
}
let [licenseErrors, unknownLicenses] = (0, licenses_1.getDeniedLicenseChanges)(changes, licenses);
const [licenseErrors, unknownLicenses] = (0, licenses_1.getDeniedLicenseChanges)(changes, licenses);
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors, licenses);
printLicensesError(licenseErrors);
core.setFailed('Dependency review detected incompatible licenses.');
}
printNullLicenses(unknownLicenses);
@@ -233,17 +236,19 @@ function renderSeverity(severity) {
}[severity];
return `${ansi_styles_1.default.color[color].open}(${severity} severity)${ansi_styles_1.default.color[color].close}`;
}
function printLicensesError(changes, licenses) {
if (changes.length == 0) {
function printLicensesError(changes) {
if (changes.length === 0) {
return;
}
let { allow = [], deny = [] } = licenses;
core.info('\nThe following dependencies have incompatible licenses:\n');
for (const change of changes) {
core.info(`${ansi_styles_1.default.bold.open}${change.manifest} » ${change.name}@${change.version}${ansi_styles_1.default.bold.close} License: ${ansi_styles_1.default.color.red.open}${change.license}${ansi_styles_1.default.color.red.close}`);
}
}
function printNullLicenses(changes) {
if (changes.length === 0) {
return;
}
core.info('\nWe could not detect a license for the following dependencies:\n');
for (const change of changes) {
core.info(`${ansi_styles_1.default.bold.open}${change.manifest} » ${change.name}@${change.version}${ansi_styles_1.default.bold.close}`);
@@ -317,7 +322,7 @@ exports.ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).default([])
})
.partial()
.refine(obj => !(obj.allow_licenses && obj.deny_licenses), "Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.");
.refine(obj => !(obj.allow_licenses && obj.deny_licenses), 'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.');
exports.ChangesSchema = z.array(exports.ChangeSchema);
@@ -747,6 +752,13 @@ Object.defineProperty(exports, "summary", ({ enumerable: true, get: function ()
*/
var summary_2 = __nccwpck_require__(1327);
Object.defineProperty(exports, "markdownSummary", ({ enumerable: true, get: function () { return summary_2.markdownSummary; } }));
/**
* Path exports
*/
var path_utils_1 = __nccwpck_require__(2981);
Object.defineProperty(exports, "toPosixPath", ({ enumerable: true, get: function () { return path_utils_1.toPosixPath; } }));
Object.defineProperty(exports, "toWin32Path", ({ enumerable: true, get: function () { return path_utils_1.toWin32Path; } }));
Object.defineProperty(exports, "toPlatformPath", ({ enumerable: true, get: function () { return path_utils_1.toPlatformPath; } }));
//# sourceMappingURL=core.js.map
/***/ }),
@@ -884,6 +896,71 @@ exports.OidcClient = OidcClient;
/***/ }),
/***/ 2981:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0;
const path = __importStar(__nccwpck_require__(1017));
/**
* toPosixPath converts the given path to the posix form. On Windows, \\ will be
* replaced with /.
*
* @param pth. Path to transform.
* @return string Posix path.
*/
function toPosixPath(pth) {
return pth.replace(/[\\]/g, '/');
}
exports.toPosixPath = toPosixPath;
/**
* toWin32Path converts the given path to the win32 form. On Linux, / will be
* replaced with \\.
*
* @param pth. Path to transform.
* @return string Win32 path.
*/
function toWin32Path(pth) {
return pth.replace(/[/]/g, '\\');
}
exports.toWin32Path = toWin32Path;
/**
* toPlatformPath converts the given path to a platform-specific path. It does
* this by replacing instances of / and \ with the platform-specific path
* separator.
*
* @param pth The path to platformize.
* @return string The platform-specific path.
*/
function toPlatformPath(pth) {
return pth.replace(/[/\\]/g, path.sep);
}
exports.toPlatformPath = toPlatformPath;
//# sourceMappingURL=path-utils.js.map
/***/ }),
/***/ 1327:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
@@ -4413,7 +4490,7 @@ var endpoint = __nccwpck_require__(9440);
var universalUserAgent = __nccwpck_require__(5030);
var isPlainObject = __nccwpck_require__(3287);
var nodeFetch = _interopDefault(__nccwpck_require__(467));
var requestError = __nccwpck_require__(537);
var requestError = __nccwpck_require__(13);
const VERSION = "5.6.3";
@@ -4582,6 +4659,88 @@ exports.request = request;
//# sourceMappingURL=index.js.map
/***/ }),
/***/ 13:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'default' in ex) ? ex['default'] : ex; }
var deprecation = __nccwpck_require__(8932);
var once = _interopDefault(__nccwpck_require__(1223));
const logOnceCode = once(deprecation => console.warn(deprecation));
const logOnceHeaders = once(deprecation => console.warn(deprecation));
/**
* Error with extra properties to help with debugging
*/
class RequestError extends Error {
constructor(message, statusCode, options) {
super(message); // Maintains proper stack trace (only available on V8)
/* istanbul ignore next */
if (Error.captureStackTrace) {
Error.captureStackTrace(this, this.constructor);
}
this.name = "HttpError";
this.status = statusCode;
let headers;
if ("headers" in options && typeof options.headers !== "undefined") {
headers = options.headers;
}
if ("response" in options) {
this.response = options.response;
headers = options.response.headers;
} // redact request credentials without mutating original request options
const requestCopy = Object.assign({}, options.request);
if (options.request.headers.authorization) {
requestCopy.headers = Object.assign({}, options.request.headers, {
authorization: options.request.headers.authorization.replace(/ .*$/, " [REDACTED]")
});
}
requestCopy.url = requestCopy.url // client_id & client_secret can be passed as URL query parameters to increase rate limit
// see https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]") // OAuth tokens can be passed as URL query parameters, although it is not recommended
// see https://developer.github.com/v3/#oauth2-token-sent-in-a-header
.replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
this.request = requestCopy; // deprecations
Object.defineProperty(this, "code", {
get() {
logOnceCode(new deprecation.Deprecation("[@octokit/request-error] `error.code` is deprecated, use `error.status`."));
return statusCode;
}
});
Object.defineProperty(this, "headers", {
get() {
logOnceHeaders(new deprecation.Deprecation("[@octokit/request-error] `error.headers` is deprecated, use `error.response.headers`."));
return headers || {};
}
});
}
}
exports.RequestError = RequestError;
//# sourceMappingURL=index.js.map
/***/ }),
/***/ 3682:
@@ -13739,13 +13898,13 @@ const schemas_1 = __nccwpck_require__(1129);
function filterChangesBySeverity(severity, changes) {
const severityIdx = schemas_1.SEVERITIES.indexOf(severity);
let filteredChanges = [];
for (let change of changes) {
for (const change of changes) {
if (change === undefined ||
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0) {
continue;
}
let fChange = Object.assign(Object.assign({}, change), { vulnerabilities: change.vulnerabilities.filter(vuln => {
const fChange = Object.assign(Object.assign({}, change), { vulnerabilities: change.vulnerabilities.filter(vuln => {
const vulnIdx = schemas_1.SEVERITIES.indexOf(vuln.severity);
if (vulnIdx <= severityIdx) {
return true;
@@ -13825,7 +13984,7 @@ exports.ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).default([])
})
.partial()
.refine(obj => !(obj.allow_licenses && obj.deny_licenses), "Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.");
.refine(obj => !(obj.allow_licenses && obj.deny_licenses), 'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.');
exports.ChangesSchema = z.array(exports.ChangeSchema);
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+218 -1198
View File
File diff suppressed because it is too large Load Diff
+11 -11
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.0.1",
"version": "2.0.2",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,30 +25,30 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.8.2",
"@actions/core": "^1.9.0",
"@actions/github": "^5.0.3",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^2.1.0",
"@octokit/request-error": "^3.0.0",
"ansi-styles": "^6.1.0",
"got": "^12.1.0",
"nodemon": "^2.0.16",
"nodemon": "^2.0.19",
"yaml": "^2.1.1",
"zod": "^3.17.3"
},
"devDependencies": {
"@types/node": "^17.0.43",
"@typescript-eslint/eslint-plugin": "^5.28.0",
"@typescript-eslint/parser": "^5.28.0",
"@types/node": "^16.11.44",
"@typescript-eslint/eslint-plugin": "^5.30.6",
"@typescript-eslint/parser": "^5.30.6",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.17.0",
"eslint": "^8.19.0",
"eslint-plugin-github": "^4.3.6",
"eslint-plugin-jest": "^26.5.3",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.16",
"prettier": "2.7.0",
"nodemon": "^2.0.19",
"prettier": "2.7.1",
"ts-jest": "^27.1.4",
"typescript": "^4.7.3"
"typescript": "^4.7.4"
}
}
+3 -4
View File
@@ -1,5 +1,4 @@
import {Changes} from './schemas'
import {Severity, SEVERITIES} from './schemas'
import {Changes, Severity, SEVERITIES} from './schemas'
export function filterChangesBySeverity(
severity: Severity,
@@ -7,7 +6,7 @@ export function filterChangesBySeverity(
): Changes {
const severityIdx = SEVERITIES.indexOf(severity)
let filteredChanges = []
for (let change of changes) {
for (const change of changes) {
if (
change === undefined ||
change.vulnerabilities === undefined ||
@@ -16,7 +15,7 @@ export function filterChangesBySeverity(
continue
}
let fChange = {
const fChange = {
...change,
vulnerabilities: change.vulnerabilities.filter(vuln => {
const vulnIdx = SEVERITIES.indexOf(vuln.severity)
+13 -9
View File
@@ -1,4 +1,4 @@
import {Change, ChangeSchema} from './schemas'
import {Change} from './schemas'
/**
* Loops through a list of changes, filtering and returning the
@@ -13,19 +13,23 @@ import {Change, ChangeSchema} from './schemas'
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
export function getDeniedLicenseChanges(
changes: Array<Change>,
changes: Change[],
licenses: {
allow?: Array<string>
deny?: Array<string>
allow?: string[]
deny?: string[]
}
): [Array<Change>, Array<Change>] {
let {allow, deny} = licenses
): [Change[], Change[]] {
const {allow, deny} = licenses
let disallowed: Change[] = []
let unknown: Change[] = []
const disallowed: Change[] = []
const unknown: Change[] = []
for (const change of changes) {
let license = change.license
if (change.change_type === 'removed') {
continue
}
const license = change.license
if (license === null) {
unknown.push(change)
continue
+14 -18
View File
@@ -27,16 +27,16 @@ async function run(): Promise<void> {
headRef: pull_request.head.sha
})
let config = readConfig()
let minSeverity = config.fail_on_severity
const config = readConfig()
const minSeverity = config.fail_on_severity
let failed = false
let licenses = {
const licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
let filteredChanges = filterChangesBySeverity(
const filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
)
@@ -52,13 +52,13 @@ async function run(): Promise<void> {
}
}
let [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
licenses
)
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors, licenses)
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
@@ -90,7 +90,7 @@ async function run(): Promise<void> {
}
}
function printChangeVulnerabilities(change: Change) {
function printChangeVulnerabilities(change: Change): void {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
@@ -117,19 +117,11 @@ function renderSeverity(
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function printLicensesError(
changes: Array<Change>,
licenses: {
allow?: Array<string>
deny?: Array<string>
}
): void {
if (changes.length == 0) {
function printLicensesError(changes: Change[]): void {
if (changes.length === 0) {
return
}
let {allow = [], deny = []} = licenses
core.info('\nThe following dependencies have incompatible licenses:\n')
for (const change of changes) {
core.info(
@@ -138,7 +130,11 @@ function printLicensesError(
}
}
function printNullLicenses(changes: Array<Change>): void {
function printNullLicenses(changes: Change[]): void {
if (changes.length === 0) {
return
}
core.info('\nWe could not detect a license for the following dependencies:\n')
for (const change of changes) {
core.info(
+1 -1
View File
@@ -39,7 +39,7 @@ export const ConfigurationOptionsSchema = z
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
"Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other."
'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.'
)
export const ChangesSchema = z.array(ChangeSchema)