[ ] If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)
Release Notes
actions/dependency-review-action (actions/dependency-review-action)
### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)
#### What's Changed
- Smaller `per_page` when requesting diff by [@hmaurer](https://togithub.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649)
- Update dependencies:
  - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.13.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630)
  - Bump prettier from 3.0.3 to 3.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629)
  - Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637)
  - Bump nodemon from 3.0.1 to 3.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636)
  - Replace pip -> pypi in PURL examples by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638)
  - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644)
  - Bump eslint from 8.53.0 to 8.56.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640)
  - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.16.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645)
  - Bump prettier from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5
### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)
#### What's Changed
- Fixed a [bug](https://togithub.com/actions/dependency-review-action/issues/618) with severity filtering when using the `allow_ghsas` option: [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623).
- Updates dependencies:
  - Bump [@types/node](https://togithub.com/types/node) from 16.18.61 to 16.18.62 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619)
  - action/pull/620
  - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625)
  - Bump typescript from 5.2.2 to 5.3.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.4
### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)
#### What's Changed
- Fixes purl "version must be percent-encoded" by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.3
### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)
#### What's Changed
- Fix a regression for setups using self-hosted runners behind HTTP proxies by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.2
### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)
#### What's Changed
- Update a bunch of dependencies, including major version upgrades for `octokit`, `@actions/github` and `typescript`.
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1
### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)
#### What's New
Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.
#### What's Changed
- Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
#### New Contributors
- [@oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0
### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)
#### What's Changed
Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`.
#### New Contributors
- [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8
### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)
#### What's Changed
- Make GHES support / setup more clear by [@rajbos](https://togithub.com/rajbos) in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534)
- Add an option to deny packages or groups of packages by [@adrienpessu](https://togithub.com/adrienpessu) in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544)
#### New Contributors
- [@rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534)
- [@adrienpessu](https://togithub.com/adrienpessu) made their first contribution in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.7
### [`v3.0.6`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.6): 3.0.6
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6)
Fixes a bug introduced in 3.0.5 where we raised PURL errors when Dependency Graph returns an empty `package_url`.
### [`v3.0.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.5): 3.0.5
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5)
#### What's Changed
Thanks to [@theztefan](https://togithub.com/theztefan), we now have a new `allow-dependencies-licenses` option that takes a list of dependencies that will be excluded from license checks. See the [configuration options](https://togithub.com/actions/dependency-review-action#configuration-options) for more information on how to use it.
- Exclude dependencies from license checks by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423)
- Documentation examples by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423)
- Show snapshot warnings in the summary by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439)
- Fix default values for fail-on-severity by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/451](https://togithub.com/actions/dependency-review-action/pull/451)
- Updated dependencies.
#### New Contributors
- [@juxtin](https://togithub.com/juxtin) made their first contribution in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439)
- [@theztefan](https://togithub.com/theztefan) made their first contribution in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.5
### [`v3.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.4): 3.0.4
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4)
##### What's New?
The Action can now publish a comment in the pull request if the `comment-summary-in-pr` option is set. More information can be found in the [README](https://togithub.com/actions/dependency-review-action#configuration-options).
##### New Contributors
- [@davelosert](https://togithub.com/davelosert) made their first contribution in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393)
##### Changelog
- Write Summary as comment to the pull request by [@davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393)
- Adjust summary format by [@davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/416](https://togithub.com/actions/dependency-review-action/pull/416)
- Security updates.
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.4
### [`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3): 3.0.3
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3)
#### What's Changed
- Use cache in check-dist.yml by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359)
- Fix Dependency Review API response error handling by [@felickz](https://togithub.com/felickz) in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370)
- Security updates
#### New Contributors
- [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359)
- [@felickz](https://togithub.com/felickz) made their first contribution in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.3
### [`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2): 3.0.2
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2)
This release fixes spelling errors ([https://github.com/actions/dependency-review-action/pull/348](https://togithub.com/actions/dependency-review-action/pull/348)) and upgrades dependencies to fix known vulnerabilities.
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.2
### [`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1): 3.0.1
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3...v3.0.1)
This release contains the following bugfixes:
- Fixing API URL for GHES: [https://github.com/actions/dependency-review-action/pull/331](https://togithub.com/actions/dependency-review-action/pull/331)
- Improve list handling for external config files: [https://github.com/actions/dependency-review-action/pull/330](https://togithub.com/actions/dependency-review-action/pull/330)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.1
### [`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0): 3.0.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3)
#### Breaking Changes
By default the action now expects [SPDX-compliant licenses](https://spdx.org/licenses/) everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!
#### What's Changed
##### Support for external configuration files
You can now specify a [configuration file external to your repository](https://togithub.com/actions/dependency-review-action/#configuration-file). This allows organizations to have a single configuration file for all their repos.
##### Broader license support
We've added support for a much broader set of project licenses by using GitHub's [Licenses API](https://docs.github.com/en/rest/licenses).
##### SPDX Compliance
All of our license-related code now expects [SPDX-compliant licenses or expressions](https://spdx.org/licenses/). This allows us to standardize on a license naming scheme that already supports `OR`/`AND` expressions.
##### Disable individual checks
You can now use the boolean options `license-check` and `vulnerability-check` to disable either one of the checks. More information in [our configuration options](https://togithub.com/actions/dependency-review-action/#configuration-options).
#### Thanks
Contributors for this release include:
- [@cnagadya](https://togithub.com/cnagadya)
- [@courtneycl](https://togithub.com/courtneycl)
- [@ericcornelissen](https://togithub.com/ericcornelissen)
- [@elireisman](https://togithub.com/elireisman)
- [@hmaurer](https://togithub.com/hmaurer)
Thanks everyone!
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v2...v3.0.0
### [`v2.5.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.5.1): 2.5.1
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.0...v2.5.1)
Adding some quality-of-life improvements to the local development experience. You can now pass the `-c/--config-file` flag to the `scripts/scan_pr` script to use an external configuration file.
Example:
```
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
```
### [`v2.5.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.5.0): 2.5.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.4.1...v2.5.0)
Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.
### [`v2.4.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.4.1): 2.4.1
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.4.0...v2.4.1)
This patch release fixes the bugs below:
- Display the dependency name instead of the manifest name in the detailed list of dependents.
- Fix an issue where undefined GHSAs would filter out all changes.
### [`v2.4.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.4.0): 2.4.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.3.0...v2.4.0)
We've added a new configuration option:
- `allow-ghsas`: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on.
```yaml
dependency-review:
  runs-on: ubuntu-latest
  steps:
    - name: 'Checkout Repository'
      uses: actions/checkout@v3
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v2
      with:
        allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'
```
### [`v2.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.3.0): 2.3.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.2.0...v2.3.0)
We're adding back support for an external configuration file. You can use the `config-file` configuration string to specify a path to a YAML configuration file where you can specify any options you want:
```yaml
dependency-review:
  runs-on: ubuntu-latest
  steps:
    - name: 'Checkout Repository'
      uses: actions/checkout@v3
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v2
      with:
        config-file: ./.github/dependency-review-config.yml
```
### [`v2.2.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.2.0): 2.2.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.1.0...v2.2.0)
We've added a new configuration option:
- `fail-on-scopes`: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are `runtime`, `development`, or both. By default the action will only fail on `runtime` dependencies.
### [`v2.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.1.0): 2.1.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.4...v2.1.0)
This release includes a couple of new features (thanks [@WillDaSilva](https://togithub.com/WillDaSilva) and [@tspascoal](https://togithub.com/tspascoal)):
1. The Action now includes a summary of the vulnerabilities and licenses detected:
You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064
2. You can now use the Action in events other than `pull_request`. You just need to provide a `head-sha` and `base-sha` in your config file:
```yml
name: Dependency Review
uses: actions/dependency-review-action@v2
with:
  # You can pass any git refs here
  base-ref: ${{ your_base_ref }}
  head-ref: ${{ your_head_ref }}
```
### [`v2.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.4): 2.0.4
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.3...v2.0.4)
The previous release did not include the right `package.json`, no major changes.
### [`v2.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.3): 2.0.3
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.2...v2.0.3)
- Fixed a bug where removed changes were being inspected and reported as vulnerable ([#155](https://togithub.com/actions/dependency-review-action/issues/155), thanks [@kachick](https://togithub.com/kachick)!)
### [`v2.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.2): 2.0.2
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.1...v2.0.2)
- Fixes a small formatting error in the output of unknown licenses.
### [`v2.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.1): 2.0.1
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2...v2.0.1)
- Fixed a bug where null licenses would not show up in successful Action runs.
### [`v2.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.0): 2.0.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v1.0.2...v2)
Major version update! We are introducing a few configuration options to make the action more useful in a broader set of scenarios:
- `fail-on-severity`: Specify the minimum security vulnerability threshold before failing workflow runs.
- `allow-licenses`: An allowlist for dependency licenses.
- `deny-licenses`: A blocklist for dependency licenses.
You can read more about these options in the ["Configuration" section of the README](https://togithub.com/actions/dependency-review-action/#configuration).
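As an added example (not part of these release notes or the project's own files), here is an external configuration file of the kind the `config-file` option and the v3.0.0 notes describe, combining the options introduced across these releases. The advisory ID and package URL are placeholders, the severity value `moderate` and the PURL form of `allow-dependencies-licenses` are assumptions from the project's README, and the license lists use the SPDX identifiers that v3.0.0 now requires.

```yaml
# .github/dependency-review-config.yml (constructed example)

# Fail the run for any newly added dependency with an advisory at or above this
# severity (value assumed from the README; the release notes only call it a threshold).
fail-on-severity: moderate

# Only runtime dependencies fail the run; list `development` too to gate dev deps.
fail-on-scopes:
  - runtime

# Since v3.0.0 every entry must be a valid SPDX identifier or expression.
# Pre-v3 names such as "Apache 2.0" or "BSD" are no longer accepted.
# Only one of allow-licenses / deny-licenses may be set.
allow-licenses:
  - MIT
  - Apache-2.0
  - BSD-3-Clause

# Advisories that have been reviewed and accepted (placeholder ID).
allow-ghsas:
  - GHSA-xxxx-xxxx-xxxx

# Dependencies excluded from the license check only, as PURLs (placeholder).
allow-dependencies-licenses:
  - 'pkg:npm/example-internal-package'

# Both checks stay on; set either to false to disable it.
license-check: true
vulnerability-check: true

# Post the summary comment only when the check fails.
comment-summary-in-pr: on-failure
```

Point the workflow at it with `config-file: ./.github/dependency-review-config.yml`, as shown in the v2.3.0 notes above.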
Configuration
📅 Schedule: Branch creation - "every weekend" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: actions/dependency-review-action `v1.0.2` -> `v3.1.5`
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.4 ### [`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3): 3.0.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3) #### What's Changed - Use cache in check-dist.yml by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - Fix Dependency Review API response error handling by [@felickz](https://togithub.com/felickz) in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) - Security updates #### New Contributors - [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - [@felickz](https://togithub.com/felickz) made their first contribution in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.3 ### [`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2): 3.0.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2) This release fixes spelling errors [https://github.com/actions/dependency-review-action/pull/348](https://togithub.com/actions/dependency-review-action/pull/348) and upgrades dependencies to fix known vulnerabilities **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.2 ### [`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1): 3.0.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3...v3.0.1) This release contains the 
following bugfixes: - Fixing API URL for GHES: [https://github.com/actions/dependency-review-action/pull/331](https://togithub.com/actions/dependency-review-action/pull/331) - Improve list handling for external config files: [https://github.com/actions/dependency-review-action/pull/330](https://togithub.com/actions/dependency-review-action/pull/330) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.1 ### [`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0): 3.0.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3) #### Breaking Changes By default the action now expects [SPDX-compliant licenses](https://spdx.org/licenses/) everywhere. If you were previously using license names in the allow or deny lists make sure they're valid! #### What's Changed ##### Support for external configuration files You can now specify a [configuration file external to your repository](https://togithub.com/actions/dependency-review-action/#configuration-file). This allows organizations to have a single configuration file for all their repos. ##### Broader license support We've added support for a much broader set of project licenses by using GitHub's [Licenses API](https://docs.github.com/en/rest/licenses). ##### SPDX Compliance All of our license-related code now expects [SPDX-compliant licenses or expressions](https://spdx.org/licenses/). This allows us to standardize on a license naming scheme that already supports `OR`/`AND` expressions. ##### Disable individual checks You can now use the boolean options `license-check` and `vulnerability-check` to disable either one of the checks. More information in [our configuration options](https://togithub.com/actions/dependency-review-action/#configuration-options). 
#### Thanks Contributors for this release include: - [@cnagadya](https://togithub.com/cnagadya) - [@courtneycl](https://togithub.com/courtneycl) - [@ericcornelissen](https://togithub.com/ericcornelissen) - [@elireisman](https://togithub.com/elireisman) - [@hmaurer](https://togithub.com/hmaurer) Thanks everyone! **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v2...v3.0.0 ### [`v2.5.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.5.1): 2.5.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.0...v2.5.1) Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the `scripts/scan_pr` script using the `-c/--config-file` flags to use an external configuration file: Example: scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294 ### [`v2.5.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.5.0): 2.5.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.4.1...v2.5.0) Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage. ### [`v2.4.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.4.1): 2.4.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.4.0...v2.4.1) This patch release fixes the bugs below: - Display the dependency name instead of the manifest name in the detailed list of dependents. - Fix an issue where undefined GHSAs would remove filter out all changes. ### [`v2.4.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.4.0): 2.4.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.3.0...v2.4.0) We've added a new configuration option: - `allow-ghsas`: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on. 
```yaml dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' uses: actions/dependency-review-action@v2 with: allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679' ``` ### [`v2.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.3.0): 2.3.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.2.0...v2.3.0) We're adding back support for an external configuration file. You can use the `config-file` configuration string to specify a path to a YAML configuration file where you can specify any options you want: ```yaml dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' uses: actions/dependency-review-action@v2 with: - config-file: ./.github/dependency-review-config.yml ``` ### [`v2.2.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.2.0): 2.2.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.1.0...v2.2.0) We've added a new configuration option: - `fail-on-scopes`: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are `runtime`, `development`, or both. By default the action will only fail on `runtime` dependencies. ### [`v2.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.1.0): 2.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.4...v2.1.0) This release includes a couple of new features (thanks [@WillDaSilva](https://togithub.com/WillDaSilva) and [@tspascoal](https://togithub.com/tspascoal)): 1. The Action now includes a summary of the vulnerabilities and licenses detected: You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064 2. You can now use the Action in events different to `pull_request`. 
You just need to provide a `head-sha` and `base-sha` in your config file: ```yml name: Dependency Review uses: actions/dependency-review-action@v2 with: ### You can pass any git refs here ### base-ref: ${{ your_base_ref }} ### head-ref: ${{ your_head_ref }} ``` ### [`v2.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.4): 2.0.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.3...v2.0.4) The previous release did not include the right `package.json`, no major changes. ### [`v2.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.3): 2.0.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.2...v2.0.3) - Fixed a bug where removed changes were being inspected and reported as vulnerable ([#155](https://togithub.com/actions/dependency-review-action/issues/155), thanks [@kachick](https://togithub.com/kachick)!) ### [`v2.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.2): 2.0.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.0.1...v2.0.2) - Fixes a small formatting error in the output of unknown licenses. ### [`v2.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.1): 2.0.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2...v2.0.1) - Fixed a bug where null licenses would not show up in successful Action runs. ### [`v2.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v2.0.0): 2.0.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v1.0.2...v2) Major version update! We are introducing a few configuration options to make the action more useful in a broader set of scenarios: - `fail-on-severity`: Specify the minimum security vulnerability threshold before failing workflow runs. - `allow-licenses`: An allowlist for dependency licenses. 
- `deny-licenses`: A blocklist for dependency licenses. You can read more about these options in the ["Configuration" section of the README](https://togithub.com/actions/dependency-review-action/#configuration).Configuration
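The release notes above introduce their options one at a time (`fail-on-severity` and the license lists in v2.0.0, `fail-on-scopes` in v2.2.0, `config-file` in v2.3.0, `allow-ghsas` in v2.4.0, SPDX-only license names, `license-check` and `vulnerability-check` in v3.0.0, `allow-dependencies-licenses` in v3.0.5, `comment-summary-in-pr` with `always`/`on-failure`/`never` in v3.0.8). As an added example, not taken from the release notes or the project's documentation, here they are assembled into a single external configuration file of the kind v3.0.0 describes for organization-wide use. The file path, the license identifiers, the package URL and the advisory ID are constructed placeholders; the option names are the ones the releases above document, and the v3 breaking change is shown by contrasting a pre-v3 license name with its SPDX identifier.

```yaml
# .github/dependency-review-config.yml  (assumed path; point the workflow's
# `config-file` input at wherever you keep it, as in the v2.3.0 example)
#
# Added illustration, not the project's own documentation. Option names
# come from the release notes; the concrete values are constructed.

# v2.0.0: lowest advisory severity at which the workflow run fails
fail-on-severity: moderate

# v2.2.0: check both scopes (the default is runtime only)
fail-on-scopes:
  - runtime
  - development

# v3.0.0: license names must be SPDX identifiers or expressions.
# A v2-era entry such as `- Apache 2.0` is no longer accepted; write
# the SPDX identifier `Apache-2.0` instead. Only one of allow-licenses
# or deny-licenses is used at a time, so pick the allowlist here.
allow-licenses:
  - MIT
  - Apache-2.0
  - BSD-3-Clause

# v3.0.5: dependencies exempted from the license check (constructed PURL)
allow-dependencies-licenses:
  - pkg:npm/example-internal-package

# v2.4.0: advisories the vulnerability check should skip (placeholder ID)
allow-ghsas:
  - GHSA-xxxx-xxxx-xxxx

# v3.0.0: both checks remain enabled; set either to false to switch it off
license-check: true
vulnerability-check: true

# v3.0.8: post the summary as a PR comment only when the check fails
comment-summary-in-pr: on-failure
```

Keeping the policy in one file that every repository's workflow loads through `config-file` means a change to the severity threshold or the license allowlist is reviewed once, in the repository that owns the file, rather than edited per workflow.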
📅 Schedule: Branch creation - "every weekend" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.