Compare commits

...

27 Commits

Author SHA1 Message Date
Eric Sorenson 05fe457637 Merge pull request #1054 from actions/ahpook/release-4.8.3
Changes for Release 4.8.3
2026-02-19 17:25:10 -08:00
Eric Sorenson 3a8496cb71 Update generated package files for v4.8.3 2026-02-18 21:56:46 -08:00
Eric Sorenson 0f22a01592 Update CONTRIBUTING for new release process
Fixes some newline damage, grammatical errors, and includes new instructions for pushing a major version branch instead of force-pushing a tag.
2026-02-18 21:54:45 -08:00
Eric Sorenson 58be34364d Updating package versions for 4.8.3 2026-02-18 21:45:59 -08:00
Eric Sorenson 9284e0c621 Merge pull request #931 from actions/dependabot/npm_and_yarn/spdx-licenses-208b55449f
Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory
2026-02-18 21:31:42 -08:00
dependabot[bot] 8b766562f0 Bump spdx-expression-parse in the spdx-licenses group across 1 directory
Bumps the spdx-licenses group with 1 update in the / directory: [spdx-expression-parse](https://github.com/jslicense/spdx-expression-parse.js).


Updates `spdx-expression-parse` from 3.0.1 to 4.0.0
- [Commits](https://github.com/jslicense/spdx-expression-parse.js/compare/v3.0.1...v4.0.0)

---
updated-dependencies:
- dependency-name: spdx-expression-parse
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: spdx-licenses
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-19 05:22:14 +00:00
Eric Sorenson 43f5f029f5 Merge pull request #1052 from actions/juxtin/fix-long-summaries
Properly truncate long summaries and catch errors
2026-02-18 21:18:45 -08:00
Eric Sorenson f0033fc4d6 Merge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.6
Bump fast-xml-parser from 5.3.5 to 5.3.6
2026-02-18 08:49:06 -08:00
dependabot[bot] b379e2e05f Bump fast-xml-parser from 5.3.5 to 5.3.6
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.5 to 5.3.6.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.5...v5.3.6)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-18 05:07:50 +00:00
Justin Holguín 2e1cf54a50 Properly truncate long summaries and catch errors 2026-02-17 22:46:59 +00:00
Lewis Jones 68e9887ce6 Merge pull request #1050 from actions/dependabot/npm_and_yarn/fast-xml-parser-5.3.5
Bump fast-xml-parser from 5.3.3 to 5.3.5
2026-02-17 15:10:48 +00:00
dependabot[bot] a7c7f3b9b1 Bump fast-xml-parser from 5.3.3 to 5.3.5
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.3 to 5.3.5.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.3.3...v5.3.5)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-11 19:21:05 +00:00
Ahmed ElMallah 98884d411b Merge pull request #1036 from actions/ae/vuln-fixes
Addressing vulnerabilities
2026-01-06 08:12:33 -08:00
ahmed3lmallah 76bfce5cd7 optimize import 2026-01-05 15:50:21 -08:00
ahmed3lmallah d45151f498 Addressing vulnerabilities 2026-01-05 15:39:34 -08:00
Barry Gordon 774d14bf50 Merge pull request #1020 from actions/dependabot/npm_and_yarn/multi-75e6bc5210
Bump js-yaml
2025-11-28 12:56:19 +00:00
Barry Gordon 20b998d4e2 Merge pull request #1024 from actions/brrygrdn/update-glob
Upgrade glob to address a vulnerability
2025-11-28 11:46:08 +00:00
Barry Gordon ad048f729f Upgrade glob to a fixed version 2025-11-27 18:26:19 +00:00
Barry Gordon 35ccfd2548 Merge pull request #1005 from actions/dependabot/github_actions/actions/setup-node-6
Bump actions/setup-node from 4 to 6
2025-11-27 18:19:46 +00:00
Barry Gordon a2014a181b Merge pull request #1003 from actions/dependabot/github_actions/github/codeql-action-4
Bump github/codeql-action from 3 to 4
2025-11-27 18:19:21 +00:00
Barry Gordon 1a0268586f Merge pull request #995 from actions/dependabot/github_actions/actions/stale-10.1.0
Bump actions/stale from 9.1.0 to 10.1.0
2025-11-27 18:18:38 +00:00
dependabot[bot] 14edcb1b2a Bump js-yaml
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.14.2 and updates ancestor dependency . These dependencies need to be updated together.


Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-17 22:03:38 +00:00
dependabot[bot] 805c0b2856 Bump actions/setup-node from 4 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-11 00:20:49 +00:00
Kevin Dangoor 125b995082 Merge pull request #1017 from actions/remove-non-working-workflow
GitHub Actions can't push to our protected main
2025-11-10 19:16:56 -05:00
Kevin Dangoor 289863a7c4 GitHub Actions can't push to our protected main
Our main branch is protected, which means that our Actions workflow
cannot push changes directly to main. This removes the non-functional
workflow.
2025-11-10 17:46:39 -05:00
dependabot[bot] 0f943b29ae Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-13 01:01:57 +00:00
dependabot[bot] 2440f520c8 Bump actions/stale from 9.1.0 to 10.1.0
Bumps [actions/stale](https://github.com/actions/stale) from 9.1.0 to 10.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v9.1.0...v10.1.0)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-06 01:01:54 +00:00
12 changed files with 5470 additions and 7243 deletions
-51
View File
@@ -1,51 +0,0 @@
name: CI-update-dist
on:
workflow_dispatch:
push:
branches:
- 'main'
paths-ignore:
- 'dist/**'
permissions:
contents: read
jobs:
update-dist:
# Only run for the original DRA repository; otherwise when users create pull requests from their `main` branch
# it would erroneously update `dist` on their branch (and the pull request)
if: github.repository == 'actions/dependency-review-action'
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 20
cache: npm
- name: Install npm dependencies
run: |
npm clean-install
- name: Build distribution
run: |
npm run build
npm run package
# Commit and push changes; has no effect if the files did not change
# Important: The push event will not trigger any other workflows, see
# https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
- name: Commit & push changes
uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
with:
commit_author: 'github-actions[bot] <github-actions[bot]@users.noreply.github.com>'
commit_user_name: 'github-actions[bot]'
commit_user_email: 'github-actions[bot]@users.noreply.github.com'
commit_message: '[bot] Update dist directory [skip ci]'
file_pattern: 'dist/'
+2 -2
View File
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
+2 -2
View File
@@ -28,7 +28,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -43,6 +43,6 @@ jobs:
- dist/sourcemap-register.js
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
+1 -1
View File
@@ -12,7 +12,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.1.0
- uses: actions/stale@v10.1.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
+19 -24
View File
@@ -50,8 +50,7 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
#### Manually testing for vulnerabilities
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
@@ -106,38 +105,34 @@ Here are a few things you can do that will increase the likelihood of your pull
_Note: these instructions are for maintainers_
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
1. Update the dist files by running `npm run build` and `npm run package`
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
1. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
- Create a local branch based on the `main` of the upstream repo.
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
- Update the dist files by running `npm run build` and `npm run package`
- Go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
- Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
- Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
- Click "Publish Release".
You now have a tag and release using the semver version you used
above. The last remaining thing to do is to move the dynamic version
identifier to match the current SHA. This allows users to adopt a
major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.
To update the major version branch:
```
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
git checkout main
git pull origin main
git branch -f v4 HEAD
git push origin v4
```
</details>
+14 -3
View File
@@ -132,9 +132,13 @@ describe('handleLargeSummary', () => {
expect(result).toContain('actions/runs/12345')
})
test('returns original summary and logs a warning when artifact handling fails', async () => {
test('returns truncated summary and replaces buffer when artifact upload fails', async () => {
const warningMock = core.warning as jest.Mock
const emptyBufferMock = core.summary.emptyBuffer as jest.Mock
const addRawMock = core.summary.addRaw as jest.Mock
warningMock.mockClear()
emptyBufferMock.mockClear()
addRawMock.mockClear()
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
DefaultArtifactClientMock.mockImplementation(() => ({
@@ -145,9 +149,16 @@ describe('handleLargeSummary', () => {
const result = await handleLargeSummary(largeSummary)
expect(result).toBe(largeSummary)
// Should NOT return the original oversized content
expect(result).not.toBe(largeSummary)
// Should return a truncated summary
expect(result).toContain('Dependency Review Summary')
expect(result).toContain('too large to display')
// Should replace the core.summary buffer to prevent write() from failing
expect(emptyBufferMock).toHaveBeenCalled()
expect(addRawMock).toHaveBeenCalledWith(result)
expect(warningMock).toHaveBeenCalledWith(
expect.stringContaining('Failed to handle large summary')
expect.stringContaining('Failed to upload large summary as artifact')
)
})
})
Generated Vendored
+4824 -6813
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+21 -105
View File
@@ -360,6 +360,27 @@ SOFTWARE.
@azure/storage-common
MIT
The MIT License (MIT)
Copyright (c) 2018 Microsoft
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@fastify/busboy
MIT
@@ -1245,16 +1266,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@vercel/ncc
MIT
Copyright 2018 ZEIT, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
abort-controller
MIT
MIT License
@@ -2937,31 +2948,6 @@ PERFORMANCE OF THIS SOFTWARE.
is-plain-object
MIT
The MIT License (MIT)
Copyright (c) 2014-2017, Jon Schlinkert.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
is-stream
MIT
MIT License
@@ -3537,32 +3523,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
node-fetch
MIT
The MIT License (MIT)
Copyright (c) 2016 David Frank
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
normalize-path
MIT
The MIT License (MIT)
@@ -4441,9 +4401,6 @@ Apache-2.0
limitations under the License.
tr46
MIT
traverse
MIT/X11
Copyright 2010 James Halliday (mail@substack.net)
@@ -4626,47 +4583,6 @@ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
webidl-conversions
BSD-2-Clause
# The BSD 2-Clause License
Copyright (c) 2014, Domenic Denicola
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
whatwg-url
MIT
The MIT License (MIT)
Copyright (c) 20152016 Sebastian Mayr
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
wrappy
ISC
The ISC License
+556 -229
View File
File diff suppressed because it is too large Load Diff
+5 -5
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.8.2",
"version": "4.8.3",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,7 +25,7 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^2.3.2",
"@actions/artifact": "^5.0.1",
"@actions/core": "^1.11.1",
"@actions/github": "^6.0.1",
"@octokit/plugin-retry": "^6.1.0",
@@ -36,7 +36,7 @@
"got": "^14.4.7",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
"spdx-expression-parse": "^4.0.0",
"spdx-satisfies": "^6.0.0",
"ts-jest": "^29.4.1",
"yaml": "^2.8.1",
@@ -54,7 +54,7 @@
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.5.4",
"js-yaml": "^4.1.0",
"js-yaml": "^4.1.1",
"nodemon": "^3.1.10",
"prettier": "3.6.2",
"typescript": "^5.9.2"
@@ -63,4 +63,4 @@
"cross-spawn": ">=7.0.5",
"@octokit/request-error@5.0.1": "5.1.1"
}
}
}
+25 -7
View File
@@ -24,7 +24,7 @@ import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
import {getDeniedChanges} from './deny'
import * as artifact from '@actions/artifact'
import {DefaultArtifactClient} from '@actions/artifact'
import * as fs from 'fs'
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
@@ -73,7 +73,14 @@ export async function handleLargeSummary(
return summaryContent
}
const artifactClient = new artifact.DefaultArtifactClient()
const summarySize = Math.round(
Buffer.byteLength(summaryContent, 'utf8') / 1024
)
const truncatedSummary = `# Dependency Review Summary
The full dependency review summary was too large to display here (${summarySize}KB, limit is 1024KB).`
const artifactClient = new DefaultArtifactClient()
const artifactName = 'dependency-review-summary'
const files = ['summary.md']
@@ -87,9 +94,9 @@ export async function handleLargeSummary(
})
// Return a shorter summary with a link to the artifact
const shortSummary = `# Dependency Review Summary
const shortSummary = `${truncatedSummary}
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
Please download the artifact named "${artifactName}" to view the complete report.
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
@@ -99,9 +106,14 @@ The full dependency review summary is too large to display here. Please download
return shortSummary
} catch (error) {
core.warning(
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
`Failed to upload large summary as artifact: ${error instanceof Error ? error.message : 'Unknown error'}`
)
return summaryContent
// Even though artifact upload failed, we must still replace the buffer
// with a truncated summary to prevent core.summary.write() from failing
// with the oversized content (see issue #867)
core.summary.emptyBuffer()
core.summary.addRaw(truncatedSummary)
return truncatedSummary
}
}
@@ -268,7 +280,13 @@ async function run(): Promise<void> {
}
}
} finally {
await core.summary.write()
try {
await core.summary.write()
} catch (error) {
core.warning(
`Failed to write job summary: ${error instanceof Error ? error.message : 'Unknown error'}`
)
}
}
}