Compare commits

...

86 Commits

Author SHA1 Message Date
Federico Builes 1ade604b58 adding spdx-satisfies 2022-10-04 15:46:53 +02:00
Federico Builes cc2a6ab32f Merge pull request #268 from actions/dependabot/npm_and_yarn/yaml-2.1.2
Bump yaml from 2.1.1 to 2.1.2
2022-10-03 11:32:30 +02:00
Federico Builes 5de8be4c40 Merge branch 'main' into dependabot/npm_and_yarn/yaml-2.1.2
# Conflicts:
#	dist/index.js.map
2022-10-03 11:31:02 +02:00
Federico Builes 1b8bd021a3 adding dist 2022-10-03 11:29:46 +02:00
Federico Builes 65d8cd176f Merge pull request #267 from actions/dependabot/npm_and_yarn/types/node-16.11.63
Bump @types/node from 16.11.62 to 16.11.63
2022-10-03 11:29:23 +02:00
Federico Builes 6d500ff869 Merge pull request #266 from actions/dependabot/npm_and_yarn/actions/github-5.1.1
Bump @actions/github from 5.1.0 to 5.1.1
2022-10-03 11:29:14 +02:00
Federico Builes 0259ed8420 add dist 2022-10-03 11:28:16 +02:00
dependabot[bot] ec636f3d19 Bump yaml from 2.1.1 to 2.1.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.1.1...v2.1.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:06:25 +00:00
dependabot[bot] 367e85631b Bump @types/node from 16.11.62 to 16.11.63
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.62 to 16.11.63.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:05:36 +00:00
dependabot[bot] abf7b5a775 Bump @actions/github from 5.1.0 to 5.1.1
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.1.0 to 5.1.1.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 02:05:00 +00:00
Federico Builes ba85772f4b Merge pull request #265 from actions/dependabot/npm_and_yarn/actions/core-1.10.0
Bump @actions/core from 1.9.1 to 1.10.0
2022-09-30 09:09:00 +02:00
Federico Builes 8d812df813 adding dist 2022-09-30 09:07:38 +02:00
dependabot[bot] 63e12b21ed Bump @actions/core from 1.9.1 to 1.10.0
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-30 01:45:02 +00:00
Federico Builes 0385b5b162 Merge pull request #248 from actions/add-scanned-deps
Add scanned deps
2022-09-28 10:53:37 +02:00
Federico Builes 8e053e0f5e Merge pull request #262 from actions/dependabot/npm_and_yarn/typescript-4.8.4
Bump typescript from 4.8.3 to 4.8.4
2022-09-28 08:04:35 +02:00
Federico Builes e0ff0cf732 Merge pull request #261 from actions/dependabot/npm_and_yarn/got-12.5.1
Bump got from 12.5.0 to 12.5.1
2022-09-28 08:04:26 +02:00
dependabot[bot] ea65cbfc18 Bump typescript from 4.8.3 to 4.8.4
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.3 to 4.8.4.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.8.3...v4.8.4)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-28 01:29:19 +00:00
dependabot[bot] 5bf43a89cd Bump got from 12.5.0 to 12.5.1
Bumps [got](https://github.com/sindresorhus/got) from 12.5.0 to 12.5.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.5.0...v12.5.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-28 01:29:03 +00:00
Federico Builes 468485fc8e Clean up the main script a bit. 2022-09-27 12:25:12 +02:00
Federico Builes 46c9f79a1f Create utils.ts file for helper functions. 2022-09-27 12:23:05 +02:00
Federico Builes cd3f55e8f9 Add all the dependencies to the review summary too. 2022-09-27 11:52:15 +02:00
Federico Builes f832351766 Merge pull request #258 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.38.1
Bump @typescript-eslint/eslint-plugin from 5.38.0 to 5.38.1
2022-09-27 08:10:02 +02:00
dependabot[bot] f96ed229f4 Bump @typescript-eslint/eslint-plugin from 5.38.0 to 5.38.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.38.0 to 5.38.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 06:08:27 +00:00
Federico Builes 629703a27b Merge pull request #260 from actions/dependabot/npm_and_yarn/types/node-16.11.62
Bump @types/node from 16.11.60 to 16.11.62
2022-09-27 08:08:06 +02:00
Federico Builes d05bfb69a5 Merge pull request #259 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.38.1
Bump @typescript-eslint/parser from 5.38.0 to 5.38.1
2022-09-27 08:07:40 +02:00
dependabot[bot] 02bcebdd6e Bump @types/node from 16.11.60 to 16.11.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.60 to 16.11.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 01:30:25 +00:00
dependabot[bot] fbeabf7e29 Bump @typescript-eslint/parser from 5.38.0 to 5.38.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.38.0 to 5.38.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.38.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-27 01:30:16 +00:00
Federico Builes 0515f5cb39 Adding a skeleton for scanned dependencies in the summary. 2022-09-26 19:14:04 +02:00
Federico Builes 2d1d679f58 Move manifest grouping outside main.ts 2022-09-26 19:13:25 +02:00
Federico Builes a3563a05bc Use a set instead of raw JS objects. 2022-09-26 12:41:16 +02:00
Federico Builes 8a20ddbf25 try adding 3 sections 2022-09-26 12:21:24 +02:00
Federico Builes 2a646668d9 adding dist 2022-09-26 12:03:34 +02:00
Federico Builes 60be833ffd Update manifest formatting in output. 2022-09-26 12:01:39 +02:00
Federico Builes edc501a219 adding dist 2022-09-26 11:41:40 +02:00
Federico Builes 000837f2ac Don't nest groups. 2022-09-26 11:41:02 +02:00
Federico Builes 89f99d150a adding colors to the dep output 2022-09-26 11:35:05 +02:00
Federico Builes 0ed41eff02 Merge branch 'main' into add-scanned-deps 2022-09-26 11:34:43 +02:00
Federico Builes dbe70eb550 updating gitignore 2022-09-26 11:29:22 +02:00
Federico Builes 78c7c01396 Merge branch 'main' into add-scanned-deps
# Conflicts:
#	dist/index.js.map
2022-09-26 08:47:23 +02:00
Federico Builes 89a5c76329 Merge pull request #254 from actions/dependabot/npm_and_yarn/actions/github-5.1.0
Bump @actions/github from 5.0.3 to 5.1.0
2022-09-26 08:46:18 +02:00
Federico Builes 4a6d691283 adding dist 2022-09-26 08:45:09 +02:00
Federico Builes b58d457243 Merge pull request #253 from actions/dependabot/npm_and_yarn/types/node-16.11.60
Bump @types/node from 16.11.59 to 16.11.60
2022-09-26 08:42:47 +02:00
Federico Builes cc033856be Merge pull request #255 from actions/dependabot/npm_and_yarn/eslint-8.24.0
Bump eslint from 8.23.1 to 8.24.0
2022-09-26 08:04:38 +02:00
dependabot[bot] 8595e805a5 Bump eslint from 8.23.1 to 8.24.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.23.1 to 8.24.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.23.1...v8.24.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:55:41 +00:00
dependabot[bot] fa10a7f0d6 Bump @actions/github from 5.0.3 to 5.1.0
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.0.3 to 5.1.0.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:54:35 +00:00
dependabot[bot] 6755d8aa71 Bump @types/node from 16.11.59 to 16.11.60
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.59 to 16.11.60.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:54:19 +00:00
Sarah Aladetan 375c537008 Updating to 2.4.0 2022-09-23 13:07:20 -07:00
Sarah Aladetan 98f28ebe06 Merge pull request #251 from actions/sarahkemi/ghsa-allowlist
Filter by vulnerability allow-list
2022-09-23 13:06:41 -07:00
Sarah Aladetan 716b322ec9 add allow-ghsas input to action.yml 2022-09-23 19:59:39 +00:00
Sarah Aladetan 12ae1bd550 Update wording in README.md
Co-authored-by: Federico Builes <febuiles@github.com>
2022-09-23 12:32:46 -07:00
Sarah Aladetan bcb52636bd build and package allow-ghsas 2022-09-22 22:58:43 +00:00
Sarah Aladetan 241ff73141 add doc on allow-ghsas to readme 2022-09-22 22:44:17 +00:00
Sarah Aladetan 062b749663 revise ghsa filter 2022-09-22 22:36:34 +00:00
Sarah Aladetan 4f00b72b84 filter allowed ghsas in action flow 2022-09-22 22:25:21 +00:00
Sarah Aladetan 602f968ea2 create a filter for vulns that are on the allowlist 2022-09-22 21:36:26 +00:00
Sarah Aladetan bd61ea0d9e create config option for ghsa allowlist 2022-09-22 21:34:18 +00:00
Federico Builes 8ec13c1f01 adding dist 2022-09-22 16:52:03 +02:00
Federico Builes 723ec8c0d3 Try showing information about the scanned dependencies. 2022-09-22 16:49:45 +02:00
Federico Builes 2843194510 Updating version. 2022-09-22 14:27:24 +02:00
Federico Builes 6944531f76 Update README.md 2022-09-22 14:26:27 +02:00
Federico Builes 29cdbbed37 Merge pull request #228 from actions/external-config
Add external configuration file
2022-09-22 14:22:39 +02:00
Federico Builes 88502badc9 Update README.md
Co-authored-by: Sarah Aladetan <sarahkemi@github.com>
2022-09-22 08:03:23 +02:00
Federico Builes ff7c97a976 adding dist 2022-09-21 17:03:01 +02:00
Federico Builes 4d3b8e5269 Clarify code a bit. 2022-09-21 17:01:00 +02:00
Federico Builes 38ee6e8360 Improve scopes example in new docs. 2022-09-21 16:53:20 +02:00
Federico Builes 54cd9a7cba Merge branch 'main' into external-config
# Conflicts:
#	README.md
#	__tests__/config.test.ts
#	dist/index.js.map
#	src/config.ts
#	src/schemas.ts
2022-09-21 16:50:02 +02:00
Federico Builes c4693c00ac Raise errors for invalid values in the external config. 2022-09-21 16:30:05 +02:00
Sarah Aladetan e89f113be2 add callout to checkout main when updating major version tag 2022-09-20 13:21:38 -07:00
Federico Builes eef7e39202 Accept options from both sources, prioritize external config. 2022-09-20 15:52:34 +02:00
Federico Builes 37dc32836b Merge branch 'main' into external-config 2022-09-20 15:29:28 +02:00
Federico Builes 890361387d Updating dist. 2022-09-20 15:16:25 +02:00
Federico Builes 61f19e6447 Let the users set the path for the config file. 2022-09-20 15:15:14 +02:00
Federico Builes aeb9ff5438 adding dist 2022-09-19 17:34:53 +02:00
Federico Builes 1ef21ab130 Leave a failing test for tomorrow! 2022-09-19 17:34:12 +02:00
Federico Builes 3c95902dd6 Adding more tests for the config file. 2022-09-19 17:29:25 +02:00
Federico Builes 4b4ec08f7b Make sure we get rid of the ridiculous dashes in the names. 2022-09-19 17:28:59 +02:00
Federico Builes a91c3ac205 Split reading inline/external configuration options. 2022-09-19 17:28:44 +02:00
Federico Builes bf0cb7fac4 Add a default config file. 2022-09-19 17:28:20 +02:00
Federico Builes 07a7056819 Update README to include config-file option. 2022-09-19 16:46:42 +02:00
Federico Builes b93fcee7ff Raise an error if the config file is not found. 2022-09-19 16:36:45 +02:00
Federico Builes 8bac022bfd Merge branch 'main' into external-config 2022-09-19 16:14:41 +02:00
Federico Builes 0ba71661e5 Adding failing tests. 2022-09-16 14:32:09 +02:00
Federico Builes 8ef181b2cb Read a hardcoded config file. 2022-09-16 14:30:57 +02:00
Federico Builes 7e2a489d03 Merge branch 'main' into external-config 2022-09-16 13:55:17 +02:00
Federico Builes 6dfe5fd567 Force line-breaks. 2022-09-06 14:36:50 +02:00
Federico Builes 71a0ed0a31 Updating the README to include instructions for both config file options. 2022-09-06 14:30:39 +02:00
20 changed files with 9396 additions and 369 deletions
+1
View File
@@ -0,0 +1 @@
fail-on-severity: low
+1
View File
@@ -1,4 +1,5 @@
event.json
.ruby-version
# Dependency directory
node_modules
+1 -1
View File
@@ -101,7 +101,7 @@ major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
To do this just force-create a new annotated tag and push it:
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v2 -m "Updating v2 to 2.3.4"
git push origin v2 --force
+143 -26
View File
@@ -64,9 +64,144 @@ jobs:
## Configuration
You can pass additional options to the Dependency Review
Action using your workflow file. Here's an example workflow with
all the possible configurations:
Configure this action by either using an external configuration file,
or by inlining these options in your workflow file.
## Configuration Options
### config-file
A string representing the path to an external configuraton file. By
default external configuration files are not used.
**Possible values**: A string representing the absolute path to the
configuration file.
**Example**: `config-file: ./.github/dependency-review-config.yml`.
### fail-on-severity
Configure the severity level for alerting. See "[Vulnerability Severity](https://github.com/actions/dependency-review-action#vulnerability-severity)".
**Possible values**: `critical`, `high`, `moderate`, `low`.
**Example**: `fail-on-severity: moderate`.
### fail-on-scopes
A list of strings representing the build environments you want to
support. The default value is `development, runtime`.
**Possible values**: `development`, `runtime`, `unknown`
**Inline example**: `fail-on-scopes: development, runtime`
**YAML example**:
```yaml
# this prevents scanning development dependencies
fail-on-scopes:
- runtime
```
### allow-licenses
Only allow the licenses in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
**YAML example**:
```yaml
allow-licenses:
- BSD-3-Clause
- MIT
```
### deny-licenses
Add a custom list of licenses you want to block. See
"[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
**YAML example**:
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
```
### allow-ghsas
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
**Possible values**: Any valid advisory GHSA ids.
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
**YAML example**:
```yaml
allow-ghsas:
- GHSA-abcd-1234-5679
- GHSA-efgh-1234-5679
```
### base-ref/head-ref
Provide custom git references for the git base/head when performing
the comparison. If you are using pull requests, or
`pull_request_target` events you do not need to worry about setting
this. The values need to be specified for all other event types.
**Possible values**: Any valid git ref(s) in your project.
**Example**:
```yaml
base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### Configuration File
You can use an external configuration file to specify the settings for
this Action.
Start by specifying that you will be using an external configuration
file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified. **All of these fields are
optional**:
```yaml
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
### Inline Configuration
You can pass options to the Dependency Review
Action using your workflow file. Here's an example of what the full
file would look like:
```yaml
name: 'Dependency Review'
@@ -82,29 +217,11 @@ jobs:
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# Possible values in comma separated list: "unknown", "runtime", or "development"
# fail-on-scopes: runtime, development
#
# Possible values: Any available git ref
# base-ref: ${{ github.event.pull_request.base.ref }}
# head-ref: ${{ github.event.pull_request.head.ref }}
#
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on Enterprise Server.
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
fail-on-severity: moderate
When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
the `base-ref` and `head-ref` values have the defaults as shown above. If the workflow is caused by
any other event, the `base-ref` and `head-ref` options must be
explicitly set in the configuration file.
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
@@ -161,7 +278,7 @@ to filter. A couple of examples:
deny-licenses: Apache-1.1, Apache-2.0
```
**Important**
### Considerations
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two parameters; an error will
+74 -1
View File
@@ -1,5 +1,5 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {readConfig, readConfigFile} from '../src/config'
import {getRefs} from '../src/git-refs'
// GitHub Action inputs come in the form of environment variables
@@ -16,6 +16,8 @@ function clearInputs() {
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF'
]
@@ -84,10 +86,66 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
test('it reads an external config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the the config file was not found', async () => {
expect(() => readConfigFile('fixtures/i-dont-exist')).toThrow()
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
options = readConfig()
expect(options.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the external config is the source of truth', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
// this should not overwite the previous value
setInput('fail-on-severity', 'low')
options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
options = readConfig()
expect(options.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
expect(() => readConfig()).toThrow()
})
test('it defaults to runtime scope', async () => {
const options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime'])
})
test('it parses custom scopes preference', async () => {
setInput('fail-on-scopes', 'runtime, development')
let options = readConfig()
@@ -98,7 +156,22 @@ test('it parses custom scopes preference', async () => {
options = readConfig()
expect(options.fail_on_scopes).toEqual(['development'])
})
test('it raises an error when given invalid scope', async () => {
setInput('fail-on-scopes', 'runtime, zombies')
expect(() => readConfig()).toThrow()
})
test('it defaults to an empty GHSA allowlist', async () => {
const options = readConfig()
expect(options.allow_ghsas).toEqual(undefined)
})
test('it successfully parses GHSA allowlist', async () => {
setInput('allow-ghsas', 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679')
const options = readConfig()
expect(options.allow_ghsas).toEqual([
'GHSA-abcd-1234-5679',
'GHSA-efgh-1234-5679'
])
})
+44 -1
View File
@@ -1,6 +1,10 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterOutAllowedAdvisories
} from '../src/filter'
let npmChange: Change = {
manifest: 'package.json',
@@ -48,6 +52,19 @@ let rubyChange: Change = {
]
}
let noVulnNpmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'helpful',
version: '1.0.0',
package_url: 'pkg:npm/helpful@1.0.0',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: []
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
@@ -72,3 +89,29 @@ test('it properly filters changes by scope', async () => {
result = filterChangesByScopes(['runtime', 'development'], changes)
expect(result).toEqual([npmChange, rubyChange])
})
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterOutAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterOutAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
@@ -0,0 +1,3 @@
fail-on-severity: 'so many zombies'
deny-licenses:
- MIT
@@ -0,0 +1 @@
allow_licenses: ['MIT', 'GPL 2']
+6
View File
@@ -20,12 +20,18 @@ inputs:
head-ref:
description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
config-file:
description: A filepath to the configuration file for the action.
required: false
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-ghsas:
description: Comma-separated list of allowed Github Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+8554 -88
View File
File diff suppressed because it is too large Load Diff
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+17
View File
@@ -697,6 +697,23 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yaml
ISC
Copyright Eemeli Aro <eemeli@gmail.com>
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.
zod
MIT
MIT License
+278 -164
View File
@@ -1,31 +1,32 @@
{
"name": "dependency-review-action",
"version": "2.1.0",
"version": "2.4.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "2.1.0",
"version": "2.4.0",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.9.1",
"@actions/github": "^5.0.3",
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.1",
"ansi-styles": "^6.1.1",
"got": "^12.5.0",
"got": "^12.5.1",
"nodemon": "^2.0.20",
"yaml": "^2.1.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.1.2",
"zod": "^3.19.1"
},
"devDependencies": {
"@types/node": "^16.11.59",
"@typescript-eslint/eslint-plugin": "^5.38.0",
"@typescript-eslint/parser": "^5.38.0",
"@types/node": "^16.11.63",
"@typescript-eslint/eslint-plugin": "^5.38.1",
"@typescript-eslint/parser": "^5.38.1",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.23.1",
"eslint": "^8.24.0",
"eslint-plugin-github": "^4.3.7",
"eslint-plugin-jest": "^27.0.4",
"jest": "^27.5.1",
@@ -33,22 +34,22 @@
"nodemon": "^2.0.20",
"prettier": "2.7.1",
"ts-jest": "^27.1.4",
"typescript": "^4.8.3"
"typescript": "^4.8.4"
}
},
"node_modules/@actions/core": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
"integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
"version": "1.10.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
"integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
"dependencies": {
"@actions/http-client": "^2.0.1",
"uuid": "^8.3.2"
}
},
"node_modules/@actions/github": {
"version": "5.0.3",
"resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.3.tgz",
"integrity": "sha512-myjA/pdLQfhUGLtRZC/J4L1RXOG4o6aYdiEq+zr5wVVKljzbFld+xv10k1FX6IkIJtNxbAq44BdwSNpQ015P0A==",
"version": "5.1.1",
"resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
"integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
"dependencies": {
"@actions/http-client": "^2.0.1",
"@octokit/core": "^3.6.0",
@@ -705,9 +706,9 @@
}
},
"node_modules/@humanwhocodes/config-array": {
"version": "0.10.4",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.10.4.tgz",
"integrity": "sha512-mXAIHxZT3Vcpg83opl1wGlVZ9xydbfZO3r5YfRSH6Gpp2J/PfdBP0wbDa2sO6/qRbcalpoevVyW6A/fI6LfeMw==",
"version": "0.10.5",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.10.5.tgz",
"integrity": "sha512-XVVDtp+dVvRxMoxSiSfasYaG02VEe1qH5cKgMQJWhol6HwzbcqoCMJi8dAGoYAO57jhUyhI6cWuRiTcRaDaYug==",
"dev": true,
"dependencies": {
"@humanwhocodes/object-schema": "^1.2.1",
@@ -1393,6 +1394,11 @@
"@types/node": "*"
}
},
"node_modules/@types/http-cache-semantics": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/@types/http-cache-semantics/-/http-cache-semantics-4.0.1.tgz",
"integrity": "sha512-SZs7ekbP8CN0txVG2xVRH6EgKmEm31BOxA07vkFaETzZz1xh+cbt8BcI0slpymvwhx5dlFnQG2rTlPVQn+iRPQ=="
},
"node_modules/@types/istanbul-lib-coverage": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/@types/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.3.tgz",
@@ -1430,9 +1436,9 @@
"dev": true
},
"node_modules/@types/node": {
"version": "16.11.59",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.59.tgz",
"integrity": "sha512-6u+36Dj3aDzhfBVUf/mfmc92OEdzQ2kx2jcXGdigfl70E/neV21ZHE6UCz4MDzTRcVqGAM27fk+DLXvyDsn3Jw==",
"version": "16.11.63",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.63.tgz",
"integrity": "sha512-3OxnrEQLBz8EIIaHpg3CibmTAEGkDBcHY4fL5cnBwg2vd2yvHrUDGWxK+MlYPeXWWIoJJW79dGtU+oeBr6166Q==",
"dev": true
},
"node_modules/@types/prettier": {
@@ -1463,14 +1469,14 @@
"dev": true
},
"node_modules/@typescript-eslint/eslint-plugin": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.38.0.tgz",
"integrity": "sha512-GgHi/GNuUbTOeoJiEANi0oI6fF3gBQc3bGFYj40nnAPCbhrtEDf2rjBmefFadweBmO1Du1YovHeDP2h5JLhtTQ==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.38.1.tgz",
"integrity": "sha512-ky7EFzPhqz3XlhS7vPOoMDaQnQMn+9o5ICR9CPr/6bw8HrFkzhMSxuA3gRfiJVvs7geYrSeawGJjZoZQKCOglQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/type-utils": "5.38.0",
"@typescript-eslint/utils": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/type-utils": "5.38.1",
"@typescript-eslint/utils": "5.38.1",
"debug": "^4.3.4",
"ignore": "^5.2.0",
"regexpp": "^3.2.0",
@@ -1510,14 +1516,14 @@
}
},
"node_modules/@typescript-eslint/parser": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.38.0.tgz",
"integrity": "sha512-/F63giJGLDr0ms1Cr8utDAxP2SPiglaD6V+pCOcG35P2jCqdfR7uuEhz1GIC3oy4hkUF8xA1XSXmd9hOh/a5EA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.38.1.tgz",
"integrity": "sha512-LDqxZBVFFQnQRz9rUZJhLmox+Ep5kdUmLatLQnCRR6523YV+XhRjfYzStQ4MheFA8kMAfUlclHSbu+RKdRwQKw==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/typescript-estree": "5.38.1",
"debug": "^4.3.4"
},
"engines": {
@@ -1537,13 +1543,13 @@
}
},
"node_modules/@typescript-eslint/scope-manager": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.38.0.tgz",
"integrity": "sha512-ByhHIuNyKD9giwkkLqzezZ9y5bALW8VNY6xXcP+VxoH4JBDKjU5WNnsiD4HJdglHECdV+lyaxhvQjTUbRboiTA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.38.1.tgz",
"integrity": "sha512-BfRDq5RidVU3RbqApKmS7RFMtkyWMM50qWnDAkKgQiezRtLKsoyRKIvz1Ok5ilRWeD9IuHvaidaLxvGx/2eqTQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/visitor-keys": "5.38.0"
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/visitor-keys": "5.38.1"
},
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1554,13 +1560,13 @@
}
},
"node_modules/@typescript-eslint/type-utils": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.38.0.tgz",
"integrity": "sha512-iZq5USgybUcj/lfnbuelJ0j3K9dbs1I3RICAJY9NZZpDgBYXmuUlYQGzftpQA9wC8cKgtS6DASTvF3HrXwwozA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.38.1.tgz",
"integrity": "sha512-UU3j43TM66gYtzo15ivK2ZFoDFKKP0k03MItzLdq0zV92CeGCXRfXlfQX5ILdd4/DSpHkSjIgLLLh1NtkOJOAw==",
"dev": true,
"dependencies": {
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/utils": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.1",
"@typescript-eslint/utils": "5.38.1",
"debug": "^4.3.4",
"tsutils": "^3.21.0"
},
@@ -1581,9 +1587,9 @@
}
},
"node_modules/@typescript-eslint/types": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.38.0.tgz",
"integrity": "sha512-HHu4yMjJ7i3Cb+8NUuRCdOGu2VMkfmKyIJsOr9PfkBVYLYrtMCK/Ap50Rpov+iKpxDTfnqvDbuPLgBE5FwUNfA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.38.1.tgz",
"integrity": "sha512-QTW1iHq1Tffp9lNfbfPm4WJabbvpyaehQ0SrvVK2yfV79SytD9XDVxqiPvdrv2LK7DGSFo91TB2FgWanbJAZXg==",
"dev": true,
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1594,13 +1600,13 @@
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.38.0.tgz",
"integrity": "sha512-6P0RuphkR+UuV7Avv7MU3hFoWaGcrgOdi8eTe1NwhMp2/GjUJoODBTRWzlHpZh6lFOaPmSvgxGlROa0Sg5Zbyg==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.38.1.tgz",
"integrity": "sha512-99b5e/Enoe8fKMLdSuwrfH/C0EIbpUWmeEKHmQlGZb8msY33qn1KlkFww0z26o5Omx7EVjzVDCWEfrfCDHfE7g==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/visitor-keys": "5.38.0",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/visitor-keys": "5.38.1",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -1636,15 +1642,15 @@
}
},
"node_modules/@typescript-eslint/utils": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.38.0.tgz",
"integrity": "sha512-6sdeYaBgk9Fh7N2unEXGz+D+som2QCQGPAf1SxrkEr+Z32gMreQ0rparXTNGRRfYUWk/JzbGdcM8NSSd6oqnTA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.38.1.tgz",
"integrity": "sha512-oIuUiVxPBsndrN81oP8tXnFa/+EcZ03qLqPDfSZ5xIJVm7A9V0rlkQwwBOAGtrdN70ZKDlKv+l1BeT4eSFxwXA==",
"dev": true,
"dependencies": {
"@types/json-schema": "^7.0.9",
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/typescript-estree": "5.38.1",
"eslint-scope": "^5.1.1",
"eslint-utils": "^3.0.0"
},
@@ -1660,12 +1666,12 @@
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.38.0.tgz",
"integrity": "sha512-MxnrdIyArnTi+XyFLR+kt/uNAcdOnmT+879os7qDRI+EYySR4crXJq9BXPfRzzLGq0wgxkwidrCJ9WCAoacm1w==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.38.1.tgz",
"integrity": "sha512-bSHr1rRxXt54+j2n4k54p4fj8AHJ49VDWtjpImOpzQj4qjAiOpPni+V1Tyajh19Api1i844F757cur8wH3YvOA==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/types": "5.38.1",
"eslint-visitor-keys": "^3.3.0"
},
"engines": {
@@ -1856,6 +1862,14 @@
"node": ">=6.0"
}
},
"node_modules/array-find-index": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-find-index/-/array-find-index-1.0.2.tgz",
"integrity": "sha512-M1HQyIXcBGtVywBt8WVdim+lrNaK7VHp99Qt5pSNziXznKHViIBbXWtfRTpEFpF/c4FdfxNAsCCwPp5phBYJtw==",
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/array-includes": {
"version": "3.1.5",
"resolved": "https://registry.npmjs.org/array-includes/-/array-includes-3.1.5.tgz",
@@ -2124,18 +2138,19 @@
"dev": true
},
"node_modules/cacheable-lookup": {
"version": "6.0.4",
"resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-6.0.4.tgz",
"integrity": "sha512-mbcDEZCkv2CZF4G01kr8eBd/5agkt9oCqz75tJMSIsquvRZ2sL6Hi5zGVKi/0OSC9oO1GHfJ2AV0ZIOY9vye0A==",
"version": "7.0.0",
"resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-7.0.0.tgz",
"integrity": "sha512-+qJyx4xiKra8mZrcwhjMRMUhD5NR1R8esPkzIYxX96JiecFoxAXFuz/GpR3+ev4PE1WamHip78wV0vcmPQtp8w==",
"engines": {
"node": ">=10.6.0"
"node": ">=14.16"
}
},
"node_modules/cacheable-request": {
"version": "10.1.2",
"resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-10.1.2.tgz",
"integrity": "sha512-N7F4os5ZI+8mWHSbeJmxn+qimf5uK3WU53FD1b298XLGtOLPpSA/1xAchfP4NJlDwqgaviZ0SQfxTQD0K6lr9w==",
"version": "10.2.1",
"resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-10.2.1.tgz",
"integrity": "sha512-3tLJyBjGuXw1s5gpKFSG3iS4kaKT4id04dZi98wzHQp/8cqZNweBnrF9J+rrlvrf4M53OdtDGNctNHFias8BEA==",
"dependencies": {
"@types/http-cache-semantics": "^4.0.1",
"get-stream": "^6.0.1",
"http-cache-semantics": "^4.1.0",
"keyv": "^4.5.0",
@@ -2776,13 +2791,13 @@
}
},
"node_modules/eslint": {
"version": "8.23.1",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.23.1.tgz",
"integrity": "sha512-w7C1IXCc6fNqjpuYd0yPlcTKKmHlHHktRkzmBPZ+7cvNBQuiNjx0xaMTjAJGCafJhQkrFJooREv0CtrVzmHwqg==",
"version": "8.24.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.24.0.tgz",
"integrity": "sha512-dWFaPhGhTAiPcCgm3f6LI2MBWbogMnTJzFBbhXVRQDJPkr9pGZvVjlVfXd+vyDcWPA2Ic9L2AXPIQM0+vk/cSQ==",
"dev": true,
"dependencies": {
"@eslint/eslintrc": "^1.3.2",
"@humanwhocodes/config-array": "^0.10.4",
"@humanwhocodes/config-array": "^0.10.5",
"@humanwhocodes/gitignore-to-minimatch": "^1.0.2",
"@humanwhocodes/module-importer": "^1.0.1",
"ajv": "^6.10.0",
@@ -3805,14 +3820,14 @@
}
},
"node_modules/got": {
"version": "12.5.0",
"resolved": "https://registry.npmjs.org/got/-/got-12.5.0.tgz",
"integrity": "sha512-/Bneo/L6bLN1wDyJCeRZ3CLoixvwb9v3rE3IHulFSfTHwP85xSr4QatA8K0c6GlL5+mc4IZ57BzluNZJiXvHIg==",
"version": "12.5.1",
"resolved": "https://registry.npmjs.org/got/-/got-12.5.1.tgz",
"integrity": "sha512-sD16AK8cCyUoPtKr/NMvLTFFa+T3i3S+zoiuvhq0HP2YiqBZA9AtlBjAdsQBsLBK7slPuvmfE0OxhGi7N5dD4w==",
"dependencies": {
"@sindresorhus/is": "^5.2.0",
"@szmarczak/http-timer": "^5.0.1",
"cacheable-lookup": "^6.0.4",
"cacheable-request": "^10.1.2",
"cacheable-lookup": "^7.0.0",
"cacheable-request": "^10.2.1",
"decompress-response": "^6.0.0",
"form-data-encoder": "^2.1.2",
"get-stream": "^6.0.1",
@@ -5700,9 +5715,9 @@
}
},
"node_modules/normalize-url": {
"version": "7.1.0",
"resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-7.1.0.tgz",
"integrity": "sha512-JgkdydFdLe1E5Q7DpLvKVyBZOOwXYGhIbMbOMm3lJ06XKzaiit+qo1HciO3z3IFklStfarzJHVQf9ZcNPTvZlw==",
"version": "7.2.0",
"resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-7.2.0.tgz",
"integrity": "sha512-uhXOdZry0L6M2UIo9BTt7FdpBDiAGN/7oItedQwPKh8jh31ZlvC8U9Xl/EJ3aijDHaywXTW3QbZ6LuCocur1YA==",
"engines": {
"node": ">=12.20"
},
@@ -6416,6 +6431,50 @@
"source-map": "^0.6.0"
}
},
"node_modules/spdx-compare": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/spdx-compare/-/spdx-compare-1.0.0.tgz",
"integrity": "sha512-C1mDZOX0hnu0ep9dfmuoi03+eOdDoz2yvK79RxbcrVEG1NO1Ph35yW102DHWKN4pk80nwCgeMmSY5L25VE4D9A==",
"dependencies": {
"array-find-index": "^1.0.2",
"spdx-expression-parse": "^3.0.0",
"spdx-ranges": "^2.0.0"
}
},
"node_modules/spdx-exceptions": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.3.0.tgz",
"integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A=="
},
"node_modules/spdx-expression-parse": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz",
"integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
"dependencies": {
"spdx-exceptions": "^2.1.0",
"spdx-license-ids": "^3.0.0"
}
},
"node_modules/spdx-license-ids": {
"version": "3.0.12",
"resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.12.tgz",
"integrity": "sha512-rr+VVSXtRhO4OHbXUiAF7xW3Bo9DuuF6C5jH+q/x15j2jniycgKbxU09Hr0WqlSLUs4i4ltHGXqTe7VHclYWyA=="
},
"node_modules/spdx-ranges": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/spdx-ranges/-/spdx-ranges-2.1.1.tgz",
"integrity": "sha512-mcdpQFV7UDAgLpXEE/jOMqvK4LBoO0uTQg0uvXUewmEFhpiZx5yJSZITHB8w1ZahKdhfZqP5GPEOKLyEq5p8XA=="
},
"node_modules/spdx-satisfies": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/spdx-satisfies/-/spdx-satisfies-5.0.1.tgz",
"integrity": "sha512-Nwor6W6gzFp8XX4neaKQ7ChV4wmpSh2sSDemMFSzHxpTw460jxFYeOn+jq4ybnSSw/5sc3pjka9MQPouksQNpw==",
"dependencies": {
"spdx-compare": "^1.0.0",
"spdx-expression-parse": "^3.0.0",
"spdx-ranges": "^2.0.0"
}
},
"node_modules/sprintf-js": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -6842,9 +6901,9 @@
}
},
"node_modules/typescript": {
"version": "4.8.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.3.tgz",
"integrity": "sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig==",
"version": "4.8.4",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.4.tgz",
"integrity": "sha512-QCh+85mCy+h0IGff8r5XWzOVSbBO+KfeYrMQh7NJ58QujwcE22u+NUSmUxqF+un70P9GXKxa2HCNiTTMJknyjQ==",
"dev": true,
"bin": {
"tsc": "bin/tsc",
@@ -7135,9 +7194,9 @@
"dev": true
},
"node_modules/yaml": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.1.tgz",
"integrity": "sha512-o96x3OPo8GjWeSLF+wOAbrPfhFOGY0W00GNaxCDv+9hkcDJEnev1yh8S7pgHF0ik6zc8sQLuL8hjHjJULZp8bw==",
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.2.tgz",
"integrity": "sha512-VSdf2/K3FqAetooKQv45Hcu6sA00aDgWZeGcG6V9IYJnVLTnb6988Tie79K5nx2vK7cEpf+yW8Oy+7iPAbdiHA==",
"engines": {
"node": ">= 14"
}
@@ -7192,18 +7251,18 @@
},
"dependencies": {
"@actions/core": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
"integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
"version": "1.10.0",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
"integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
"requires": {
"@actions/http-client": "^2.0.1",
"uuid": "^8.3.2"
}
},
"@actions/github": {
"version": "5.0.3",
"resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.3.tgz",
"integrity": "sha512-myjA/pdLQfhUGLtRZC/J4L1RXOG4o6aYdiEq+zr5wVVKljzbFld+xv10k1FX6IkIJtNxbAq44BdwSNpQ015P0A==",
"version": "5.1.1",
"resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
"integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
"requires": {
"@actions/http-client": "^2.0.1",
"@octokit/core": "^3.6.0",
@@ -7705,9 +7764,9 @@
}
},
"@humanwhocodes/config-array": {
"version": "0.10.4",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.10.4.tgz",
"integrity": "sha512-mXAIHxZT3Vcpg83opl1wGlVZ9xydbfZO3r5YfRSH6Gpp2J/PfdBP0wbDa2sO6/qRbcalpoevVyW6A/fI6LfeMw==",
"version": "0.10.5",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.10.5.tgz",
"integrity": "sha512-XVVDtp+dVvRxMoxSiSfasYaG02VEe1qH5cKgMQJWhol6HwzbcqoCMJi8dAGoYAO57jhUyhI6cWuRiTcRaDaYug==",
"dev": true,
"requires": {
"@humanwhocodes/object-schema": "^1.2.1",
@@ -8275,6 +8334,11 @@
"@types/node": "*"
}
},
"@types/http-cache-semantics": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/@types/http-cache-semantics/-/http-cache-semantics-4.0.1.tgz",
"integrity": "sha512-SZs7ekbP8CN0txVG2xVRH6EgKmEm31BOxA07vkFaETzZz1xh+cbt8BcI0slpymvwhx5dlFnQG2rTlPVQn+iRPQ=="
},
"@types/istanbul-lib-coverage": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/@types/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.3.tgz",
@@ -8312,9 +8376,9 @@
"dev": true
},
"@types/node": {
"version": "16.11.59",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.59.tgz",
"integrity": "sha512-6u+36Dj3aDzhfBVUf/mfmc92OEdzQ2kx2jcXGdigfl70E/neV21ZHE6UCz4MDzTRcVqGAM27fk+DLXvyDsn3Jw==",
"version": "16.11.63",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.63.tgz",
"integrity": "sha512-3OxnrEQLBz8EIIaHpg3CibmTAEGkDBcHY4fL5cnBwg2vd2yvHrUDGWxK+MlYPeXWWIoJJW79dGtU+oeBr6166Q==",
"dev": true
},
"@types/prettier": {
@@ -8345,14 +8409,14 @@
"dev": true
},
"@typescript-eslint/eslint-plugin": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.38.0.tgz",
"integrity": "sha512-GgHi/GNuUbTOeoJiEANi0oI6fF3gBQc3bGFYj40nnAPCbhrtEDf2rjBmefFadweBmO1Du1YovHeDP2h5JLhtTQ==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.38.1.tgz",
"integrity": "sha512-ky7EFzPhqz3XlhS7vPOoMDaQnQMn+9o5ICR9CPr/6bw8HrFkzhMSxuA3gRfiJVvs7geYrSeawGJjZoZQKCOglQ==",
"dev": true,
"requires": {
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/type-utils": "5.38.0",
"@typescript-eslint/utils": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/type-utils": "5.38.1",
"@typescript-eslint/utils": "5.38.1",
"debug": "^4.3.4",
"ignore": "^5.2.0",
"regexpp": "^3.2.0",
@@ -8372,53 +8436,53 @@
}
},
"@typescript-eslint/parser": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.38.0.tgz",
"integrity": "sha512-/F63giJGLDr0ms1Cr8utDAxP2SPiglaD6V+pCOcG35P2jCqdfR7uuEhz1GIC3oy4hkUF8xA1XSXmd9hOh/a5EA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.38.1.tgz",
"integrity": "sha512-LDqxZBVFFQnQRz9rUZJhLmox+Ep5kdUmLatLQnCRR6523YV+XhRjfYzStQ4MheFA8kMAfUlclHSbu+RKdRwQKw==",
"dev": true,
"requires": {
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/typescript-estree": "5.38.1",
"debug": "^4.3.4"
}
},
"@typescript-eslint/scope-manager": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.38.0.tgz",
"integrity": "sha512-ByhHIuNyKD9giwkkLqzezZ9y5bALW8VNY6xXcP+VxoH4JBDKjU5WNnsiD4HJdglHECdV+lyaxhvQjTUbRboiTA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.38.1.tgz",
"integrity": "sha512-BfRDq5RidVU3RbqApKmS7RFMtkyWMM50qWnDAkKgQiezRtLKsoyRKIvz1Ok5ilRWeD9IuHvaidaLxvGx/2eqTQ==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/visitor-keys": "5.38.0"
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/visitor-keys": "5.38.1"
}
},
"@typescript-eslint/type-utils": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.38.0.tgz",
"integrity": "sha512-iZq5USgybUcj/lfnbuelJ0j3K9dbs1I3RICAJY9NZZpDgBYXmuUlYQGzftpQA9wC8cKgtS6DASTvF3HrXwwozA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.38.1.tgz",
"integrity": "sha512-UU3j43TM66gYtzo15ivK2ZFoDFKKP0k03MItzLdq0zV92CeGCXRfXlfQX5ILdd4/DSpHkSjIgLLLh1NtkOJOAw==",
"dev": true,
"requires": {
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/utils": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.1",
"@typescript-eslint/utils": "5.38.1",
"debug": "^4.3.4",
"tsutils": "^3.21.0"
}
},
"@typescript-eslint/types": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.38.0.tgz",
"integrity": "sha512-HHu4yMjJ7i3Cb+8NUuRCdOGu2VMkfmKyIJsOr9PfkBVYLYrtMCK/Ap50Rpov+iKpxDTfnqvDbuPLgBE5FwUNfA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.38.1.tgz",
"integrity": "sha512-QTW1iHq1Tffp9lNfbfPm4WJabbvpyaehQ0SrvVK2yfV79SytD9XDVxqiPvdrv2LK7DGSFo91TB2FgWanbJAZXg==",
"dev": true
},
"@typescript-eslint/typescript-estree": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.38.0.tgz",
"integrity": "sha512-6P0RuphkR+UuV7Avv7MU3hFoWaGcrgOdi8eTe1NwhMp2/GjUJoODBTRWzlHpZh6lFOaPmSvgxGlROa0Sg5Zbyg==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.38.1.tgz",
"integrity": "sha512-99b5e/Enoe8fKMLdSuwrfH/C0EIbpUWmeEKHmQlGZb8msY33qn1KlkFww0z26o5Omx7EVjzVDCWEfrfCDHfE7g==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/visitor-keys": "5.38.0",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/visitor-keys": "5.38.1",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -8438,26 +8502,26 @@
}
},
"@typescript-eslint/utils": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.38.0.tgz",
"integrity": "sha512-6sdeYaBgk9Fh7N2unEXGz+D+som2QCQGPAf1SxrkEr+Z32gMreQ0rparXTNGRRfYUWk/JzbGdcM8NSSd6oqnTA==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.38.1.tgz",
"integrity": "sha512-oIuUiVxPBsndrN81oP8tXnFa/+EcZ03qLqPDfSZ5xIJVm7A9V0rlkQwwBOAGtrdN70ZKDlKv+l1BeT4eSFxwXA==",
"dev": true,
"requires": {
"@types/json-schema": "^7.0.9",
"@typescript-eslint/scope-manager": "5.38.0",
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/typescript-estree": "5.38.0",
"@typescript-eslint/scope-manager": "5.38.1",
"@typescript-eslint/types": "5.38.1",
"@typescript-eslint/typescript-estree": "5.38.1",
"eslint-scope": "^5.1.1",
"eslint-utils": "^3.0.0"
}
},
"@typescript-eslint/visitor-keys": {
"version": "5.38.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.38.0.tgz",
"integrity": "sha512-MxnrdIyArnTi+XyFLR+kt/uNAcdOnmT+879os7qDRI+EYySR4crXJq9BXPfRzzLGq0wgxkwidrCJ9WCAoacm1w==",
"version": "5.38.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.38.1.tgz",
"integrity": "sha512-bSHr1rRxXt54+j2n4k54p4fj8AHJ49VDWtjpImOpzQj4qjAiOpPni+V1Tyajh19Api1i844F757cur8wH3YvOA==",
"dev": true,
"requires": {
"@typescript-eslint/types": "5.38.0",
"@typescript-eslint/types": "5.38.1",
"eslint-visitor-keys": "^3.3.0"
}
},
@@ -8591,6 +8655,11 @@
"@babel/runtime-corejs3": "^7.10.2"
}
},
"array-find-index": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-find-index/-/array-find-index-1.0.2.tgz",
"integrity": "sha512-M1HQyIXcBGtVywBt8WVdim+lrNaK7VHp99Qt5pSNziXznKHViIBbXWtfRTpEFpF/c4FdfxNAsCCwPp5phBYJtw=="
},
"array-includes": {
"version": "3.1.5",
"resolved": "https://registry.npmjs.org/array-includes/-/array-includes-3.1.5.tgz",
@@ -8801,15 +8870,16 @@
"dev": true
},
"cacheable-lookup": {
"version": "6.0.4",
"resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-6.0.4.tgz",
"integrity": "sha512-mbcDEZCkv2CZF4G01kr8eBd/5agkt9oCqz75tJMSIsquvRZ2sL6Hi5zGVKi/0OSC9oO1GHfJ2AV0ZIOY9vye0A=="
"version": "7.0.0",
"resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-7.0.0.tgz",
"integrity": "sha512-+qJyx4xiKra8mZrcwhjMRMUhD5NR1R8esPkzIYxX96JiecFoxAXFuz/GpR3+ev4PE1WamHip78wV0vcmPQtp8w=="
},
"cacheable-request": {
"version": "10.1.2",
"resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-10.1.2.tgz",
"integrity": "sha512-N7F4os5ZI+8mWHSbeJmxn+qimf5uK3WU53FD1b298XLGtOLPpSA/1xAchfP4NJlDwqgaviZ0SQfxTQD0K6lr9w==",
"version": "10.2.1",
"resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-10.2.1.tgz",
"integrity": "sha512-3tLJyBjGuXw1s5gpKFSG3iS4kaKT4id04dZi98wzHQp/8cqZNweBnrF9J+rrlvrf4M53OdtDGNctNHFias8BEA==",
"requires": {
"@types/http-cache-semantics": "^4.0.1",
"get-stream": "^6.0.1",
"http-cache-semantics": "^4.1.0",
"keyv": "^4.5.0",
@@ -9287,13 +9357,13 @@
}
},
"eslint": {
"version": "8.23.1",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.23.1.tgz",
"integrity": "sha512-w7C1IXCc6fNqjpuYd0yPlcTKKmHlHHktRkzmBPZ+7cvNBQuiNjx0xaMTjAJGCafJhQkrFJooREv0CtrVzmHwqg==",
"version": "8.24.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.24.0.tgz",
"integrity": "sha512-dWFaPhGhTAiPcCgm3f6LI2MBWbogMnTJzFBbhXVRQDJPkr9pGZvVjlVfXd+vyDcWPA2Ic9L2AXPIQM0+vk/cSQ==",
"dev": true,
"requires": {
"@eslint/eslintrc": "^1.3.2",
"@humanwhocodes/config-array": "^0.10.4",
"@humanwhocodes/config-array": "^0.10.5",
"@humanwhocodes/gitignore-to-minimatch": "^1.0.2",
"@humanwhocodes/module-importer": "^1.0.1",
"ajv": "^6.10.0",
@@ -10044,14 +10114,14 @@
}
},
"got": {
"version": "12.5.0",
"resolved": "https://registry.npmjs.org/got/-/got-12.5.0.tgz",
"integrity": "sha512-/Bneo/L6bLN1wDyJCeRZ3CLoixvwb9v3rE3IHulFSfTHwP85xSr4QatA8K0c6GlL5+mc4IZ57BzluNZJiXvHIg==",
"version": "12.5.1",
"resolved": "https://registry.npmjs.org/got/-/got-12.5.1.tgz",
"integrity": "sha512-sD16AK8cCyUoPtKr/NMvLTFFa+T3i3S+zoiuvhq0HP2YiqBZA9AtlBjAdsQBsLBK7slPuvmfE0OxhGi7N5dD4w==",
"requires": {
"@sindresorhus/is": "^5.2.0",
"@szmarczak/http-timer": "^5.0.1",
"cacheable-lookup": "^6.0.4",
"cacheable-request": "^10.1.2",
"cacheable-lookup": "^7.0.0",
"cacheable-request": "^10.2.1",
"decompress-response": "^6.0.0",
"form-data-encoder": "^2.1.2",
"get-stream": "^6.0.1",
@@ -11481,9 +11551,9 @@
"dev": true
},
"normalize-url": {
"version": "7.1.0",
"resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-7.1.0.tgz",
"integrity": "sha512-JgkdydFdLe1E5Q7DpLvKVyBZOOwXYGhIbMbOMm3lJ06XKzaiit+qo1HciO3z3IFklStfarzJHVQf9ZcNPTvZlw=="
"version": "7.2.0",
"resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-7.2.0.tgz",
"integrity": "sha512-uhXOdZry0L6M2UIo9BTt7FdpBDiAGN/7oItedQwPKh8jh31ZlvC8U9Xl/EJ3aijDHaywXTW3QbZ6LuCocur1YA=="
},
"npm-run-path": {
"version": "4.0.1",
@@ -11982,6 +12052,50 @@
"source-map": "^0.6.0"
}
},
"spdx-compare": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/spdx-compare/-/spdx-compare-1.0.0.tgz",
"integrity": "sha512-C1mDZOX0hnu0ep9dfmuoi03+eOdDoz2yvK79RxbcrVEG1NO1Ph35yW102DHWKN4pk80nwCgeMmSY5L25VE4D9A==",
"requires": {
"array-find-index": "^1.0.2",
"spdx-expression-parse": "^3.0.0",
"spdx-ranges": "^2.0.0"
}
},
"spdx-exceptions": {
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.3.0.tgz",
"integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A=="
},
"spdx-expression-parse": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz",
"integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
"requires": {
"spdx-exceptions": "^2.1.0",
"spdx-license-ids": "^3.0.0"
}
},
"spdx-license-ids": {
"version": "3.0.12",
"resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.12.tgz",
"integrity": "sha512-rr+VVSXtRhO4OHbXUiAF7xW3Bo9DuuF6C5jH+q/x15j2jniycgKbxU09Hr0WqlSLUs4i4ltHGXqTe7VHclYWyA=="
},
"spdx-ranges": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/spdx-ranges/-/spdx-ranges-2.1.1.tgz",
"integrity": "sha512-mcdpQFV7UDAgLpXEE/jOMqvK4LBoO0uTQg0uvXUewmEFhpiZx5yJSZITHB8w1ZahKdhfZqP5GPEOKLyEq5p8XA=="
},
"spdx-satisfies": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/spdx-satisfies/-/spdx-satisfies-5.0.1.tgz",
"integrity": "sha512-Nwor6W6gzFp8XX4neaKQ7ChV4wmpSh2sSDemMFSzHxpTw460jxFYeOn+jq4ybnSSw/5sc3pjka9MQPouksQNpw==",
"requires": {
"spdx-compare": "^1.0.0",
"spdx-expression-parse": "^3.0.0",
"spdx-ranges": "^2.0.0"
}
},
"sprintf-js": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -12290,9 +12404,9 @@
}
},
"typescript": {
"version": "4.8.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.3.tgz",
"integrity": "sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig==",
"version": "4.8.4",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.4.tgz",
"integrity": "sha512-QCh+85mCy+h0IGff8r5XWzOVSbBO+KfeYrMQh7NJ58QujwcE22u+NUSmUxqF+un70P9GXKxa2HCNiTTMJknyjQ==",
"dev": true
},
"unbox-primitive": {
@@ -12515,9 +12629,9 @@
"dev": true
},
"yaml": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.1.tgz",
"integrity": "sha512-o96x3OPo8GjWeSLF+wOAbrPfhFOGY0W00GNaxCDv+9hkcDJEnev1yh8S7pgHF0ik6zc8sQLuL8hjHjJULZp8bw=="
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.2.tgz",
"integrity": "sha512-VSdf2/K3FqAetooKQv45Hcu6sA00aDgWZeGcG6V9IYJnVLTnb6988Tie79K5nx2vK7cEpf+yW8Oy+7iPAbdiHA=="
},
"yargs": {
"version": "16.2.0",
+11 -10
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.2.0",
"version": "2.4.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,23 +25,24 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.9.1",
"@actions/github": "^5.0.3",
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.1",
"ansi-styles": "^6.1.1",
"got": "^12.5.0",
"got": "^12.5.1",
"nodemon": "^2.0.20",
"yaml": "^2.1.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.1.2",
"zod": "^3.19.1"
},
"devDependencies": {
"@types/node": "^16.11.59",
"@typescript-eslint/eslint-plugin": "^5.38.0",
"@typescript-eslint/parser": "^5.38.0",
"@types/node": "^16.11.63",
"@typescript-eslint/eslint-plugin": "^5.38.1",
"@typescript-eslint/parser": "^5.38.1",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.23.1",
"eslint": "^8.24.0",
"eslint-plugin-github": "^4.3.7",
"eslint-plugin-jest": "^27.0.4",
"jest": "^27.5.1",
@@ -49,6 +50,6 @@
"nodemon": "^2.0.20",
"prettier": "2.7.1",
"ts-jest": "^27.1.4",
"typescript": "^4.8.3"
"typescript": "^4.8.4"
}
}
+56 -9
View File
@@ -1,6 +1,14 @@
import * as fs from 'fs'
import path from 'path'
import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES, SCOPES} from './schemas'
import {
ConfigurationOptions,
ConfigurationOptionsSchema,
SeveritySchema,
SCOPES
} from './schemas'
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
@@ -16,30 +24,69 @@ function parseList(list: string | undefined): string[] | undefined {
}
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const externalConfig = getOptionalInput('config-file')
if (externalConfig !== undefined) {
const config = readConfigFile(externalConfig)
// the reasoning behind reading the inline config when an external
// config file is provided is that we still want to allow users to
// pass inline options in the presence of an external config file.
const inlineConfig = readInlineConfig()
// the external config takes precedence
return Object.assign({}, inlineConfig, config)
} else {
return readInlineConfig()
}
}
export function readInlineConfig(): ConfigurationOptions {
const fail_on_severity = SeveritySchema.parse(
getOptionalInput('fail-on-severity')
)
const fail_on_scopes = z
.array(z.enum(SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
return {
fail_on_severity,
fail_on_scopes,
allow_licenses: parseList(allow_licenses),
deny_licenses: parseList(deny_licenses),
allow_licenses,
deny_licenses,
allow_ghsas,
base_ref,
head_ref
}
}
export function readConfigFile(filePath: string): ConfigurationOptions {
let data
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: unknown) {
throw error
}
data = YAML.parse(data)
// get rid of the ugly dashes from the actions conventions
for (const key of Object.keys(data)) {
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
const values = ConfigurationOptionsSchema.parse(data)
return values
}
+37 -1
View File
@@ -35,9 +35,13 @@ export function filterChangesBySeverity(
}
export function filterChangesByScopes(
scopes: Scope[],
scopes: Scope[] | undefined,
changes: Changes
): Changes {
if (scopes === undefined) {
return []
}
const filteredChanges = changes.filter(change => {
// if there is no scope on the change (Enterprise Server API for now), we will assume it is a runtime scope
const scope = change.scope || 'runtime'
@@ -46,3 +50,35 @@ export function filterChangesByScopes(
return filteredChanges
}
export function filterOutAllowedAdvisories(
ghsas: string[] | undefined,
changes: Changes
): Changes {
if (ghsas === undefined) {
return []
}
const filteredChanges = changes.filter(change => {
const noAdvisories =
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
if (noAdvisories) {
return true
}
let allAllowedAdvisories = true
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
})
return filteredChanges
}
+112 -53
View File
@@ -3,13 +3,19 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity, Scope} from './schemas'
import {Change, Severity, Changes} from './schemas'
import {readConfig} from '../src/config'
import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterOutAllowedAdvisories
} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
async function run(): Promise<void> {
try {
const config = readConfig()
@@ -22,21 +28,16 @@ async function run(): Promise<void> {
headRef: refs.head
})
const minSeverity = config.fail_on_severity
let failed = false
const licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
const scopes = config.fail_on_scopes
const scopedChanges = filterChangesByScopes(scopes as Scope[], changes)
const minSeverity = config.fail_on_severity as Severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterOutAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
const addedChanges = filterChangesBySeverity(
minSeverity as Severity,
scopedChanges
minSeverity,
filteredChanges
).filter(
change =>
change.change_type === 'added' &&
@@ -45,37 +46,21 @@ async function run(): Promise<void> {
)
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
scopedChanges,
licenses
filteredChanges,
{
allow: config.allow_licenses,
deny: config.deny_licenses
}
)
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses)
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
}
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity || '')
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config)
summary.addScannedDependencies(changes)
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
printVulnerabilitiesBlock(addedChanges, minSeverity)
printLicensesBlock(licenseErrors, unknownLicenses)
printScannedDependencies(changes)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -97,6 +82,29 @@ async function run(): Promise<void> {
}
}
function printVulnerabilitiesBlock(
addedChanges: Change[],
minSeverity: Severity
): void {
let failed = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
})
}
function printChangeVulnerabilities(change: Change): void {
for (const vuln of change.vulnerabilities) {
core.info(
@@ -110,18 +118,17 @@ function printChangeVulnerabilities(change: Change): void {
}
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
const color = (
{
critical: 'red',
high: 'red',
moderate: 'yellow',
low: 'grey'
} as const
)[severity]
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
function printLicensesBlock(
licenseErrors: Change[],
unknownLicenses: Change[]
): void {
core.group('Licenses', async () => {
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
})
}
function printLicensesError(changes: Change[]): void {
@@ -150,4 +157,56 @@ function printNullLicenses(changes: Change[]): void {
}
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
const color = (
{
critical: 'red',
high: 'red',
moderate: 'yellow',
low: 'grey'
} as const
)[severity]
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function renderScannedDependency(change: Change): string {
const changeType: string = change.change_type
if (changeType !== 'added' && changeType !== 'removed') {
throw new Error(`Unexpected change type: ${changeType}`)
}
const color = (
{
added: 'green',
removed: 'red'
} as const
)[changeType]
const icon = (
{
added: '+',
removed: '-'
} as const
)[changeType]
return `${styles.color[color].open}${icon} ${change.manifest}@${change.version}${styles.color[color].close}`
}
function printScannedDependencies(changes: Changes): void {
core.group('Dependency Changes', async () => {
const dependencies = groupDependenciesByManifest(changes)
for (const manifestName of dependencies.keys()) {
const manifestChanges = dependencies.get(manifestName) || []
core.info(`File: ${styles.bold.open}${manifestName}${styles.bold.close}`)
for (const change of manifestChanges) {
core.info(`${renderScannedDependency(change)}`)
}
}
})
}
run()
+7 -3
View File
@@ -3,6 +3,8 @@ import * as z from 'zod'
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const SCOPES = ['unknown', 'runtime', 'development'] as const
export const SeveritySchema = z.enum(SEVERITIES).default('low')
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -16,7 +18,7 @@ export const ChangeSchema = z.object({
vulnerabilities: z
.array(
z.object({
severity: z.enum(SEVERITIES),
severity: SeveritySchema,
advisory_ghsa_id: z.string(),
advisory_summary: z.string(),
advisory_url: z.string()
@@ -34,10 +36,12 @@ export const PullRequestSchema = z.object({
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: z.enum(SEVERITIES).default('low'),
fail_on_severity: SeveritySchema,
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
allow_ghsas: z.array(z.string()).default([]),
config_file: z.string().optional().default('false'),
base_ref: z.string(),
head_ref: z.string()
})
@@ -52,5 +56,5 @@ export const ChangesSchema = z.array(ChangeSchema)
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = typeof SEVERITIES[number]
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = typeof SCOPES[number]
+19 -11
View File
@@ -1,6 +1,7 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Change, Changes} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
export function addSummaryToSummary(
addedPackages: Changes,
@@ -20,7 +21,7 @@ export function addChangeVulnerabilitiesToSummary(
): void {
const rows: SummaryTableRow[] = []
const manifests = getManifests(addedPackages)
const manifests = getManifestsSet(addedPackages)
core.summary
.addHeading('Vulnerabilities')
@@ -99,7 +100,7 @@ export function addLicensesToSummary(
if (licenseErrors.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifests(licenseErrors)
const manifests = getManifestsSet(licenseErrors)
core.summary.addHeading('Incompatible Licenses', 3).addSeparator()
@@ -125,7 +126,7 @@ export function addLicensesToSummary(
if (unknownLicenses.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifests(unknownLicenses)
const manifests = getManifestsSet(unknownLicenses)
core.debug(
`found ${manifests.entries.length} manifests for unknown licenses`
@@ -150,14 +151,21 @@ export function addLicensesToSummary(
}
}
function getManifests(changes: Changes): Set<string> {
return new Set(changes.flatMap(c => c.manifest))
}
export function addScannedDependencies(changes: Changes): void {
const dependencies = groupDependenciesByManifest(changes)
const manifests = dependencies.keys()
function renderUrl(url: string | null, text: string): string {
if (url) {
return `<a href="${url}">${text}</a>`
} else {
return text
const summary = core.summary
.addHeading('Scanned Dependencies')
.addRaw(`We scanned ${dependencies.size} manifest files:`)
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
if (deps) {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addRaw(`<h3>${manifest}</h3><ul>${dependencyNames.join('')}</ul>`)
}
}
}
+30
View File
@@ -0,0 +1,30 @@
import {Changes} from './schemas'
export function groupDependenciesByManifest(
changes: Changes
): Map<string, Changes> {
const dependencies: Map<string, Changes> = new Map()
for (const change of changes) {
const manifestName = change.manifest
if (dependencies.get(manifestName) === undefined) {
dependencies.set(manifestName, [])
}
dependencies.get(manifestName)?.push(change)
}
return dependencies
}
export function getManifestsSet(changes: Changes): Set<string> {
return new Set(changes.flatMap(c => c.manifest))
}
export function renderUrl(url: string | null, text: string): string {
if (url) {
return `<a href="${url}">${text}</a>`
} else {
return text
}
}