Releases: actions/dependency-review-action
3.0.5
What's Changed
Thanks to @theztefan, we now have a new allow-dependencies-licenses option that takes a list of dependencies that will be excluded from license checks. See the configuration options for more information on how to use it.
- Exclude dependencies from license checks by @theztefan in #423
- Documentation examples by @theztefan in #423
- Show snapshot warnings in the summary by @juxtin in #439
- Fix default values for fail-on-severity by @febuiles in #451
- Updated dependencies.
New Contributors
- @juxtin made their first contribution in #439
- @theztefan made their first contribution in #423
Full Changelog: v3...v3.0.5
3.0.4
What's New?
The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.
New Contributors
- @davelosert made their first contribution in #393
Changelog
- Write Summary as comment to the pull request by @davelosert in #393
- Adjust summary format by @davelosert in #416
- Security updates.
Full Changelog: v3...v3.0.4
3.0.3
3.0.2
This release fixes spelling errors (#348) and upgrades dependencies to fix known vulnerabilities.
Full Changelog: v3...v3.0.2
3.0.1
This release contains the following bugfixes:
Full Changelog: v3...v3.0.1
3.0.0
Breaking Changes
By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists, make sure they're valid SPDX identifiers!
What's Changed
Support for external configuration files
You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.
Broader license support
We've added support for a much broader set of project licenses by using GitHub's Licenses API.
SPDX Compliance
All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports OR/AND expressions.
Disable individual checks
You can now use the boolean options license-check and vulnerability-check to disable either one of the checks. More information in our configuration options.
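The following workflow is an added example, not part of these release notes or of the project's own documentation. It shows the 3.0.0 changes together: an allow list that uses SPDX identifiers instead of free-form license names, and the two boolean options that switch each check on or off. The input names allow-licenses, fail-on-severity and config-file are not spelled out in these notes; they are the action's documented inputs, and every value below is constructed for illustration.

```yaml
# Added example workflow (not from the release notes): dependency review on pull requests.
name: Dependency Review
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          # Breaking change in 3.0.0: entries must be SPDX identifiers.
          # A human-readable name such as 'Apache 2.0' is no longer valid here;
          # the SPDX identifier 'Apache-2.0' is.
          allow-licenses: 'MIT, Apache-2.0, BSD-3-Clause'

          # Dependencies whose license is an SPDX expression (for example
          # 'MIT OR Apache-2.0') are evaluated as expressions, not compared
          # as raw strings, so the OR/AND forms are handled.

          # Fail the PR on vulnerabilities at or above this severity
          # (constructed value; pick the threshold your policy requires).
          fail-on-severity: high

          # Both checks are on here. Set either to false to skip that check,
          # e.g. license-check: false to run only the vulnerability check.
          license-check: true
          vulnerability-check: true

          # Alternative to the inline settings above: point at a shared
          # configuration file in another repository. Placeholder, not a real path:
          # config-file: 'ORG/CONFIG-REPO/dependency-review-config.yml@main'
```

Setting both license-check and vulnerability-check to false leaves nothing for the action to evaluate, so a practical configuration keeps at least one of them enabled; the inline allow list and the external config-file are alternatives for where the policy lives, not two things to maintain in parallel.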
Thanks
Contributors for this release include:
Thanks everyone!
Full Changelog: v2...v3.0.0
2.5.1
Adding some quality-of-life improvements to the local development experience. You can now pass the -c/--config-file flag to the scripts/scan_pr script to use an external configuration file:
Example:
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
2.5.0
Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.
2.4.1
This patch release fixes the bugs below:
- Display the dependency name instead of the manifest name in the detailed list of dependents.
- Fix an issue where undefined GHSAs would filter out all changes.
2.4.0
We've added a new configuration option:
- allow-ghsas: Specify a list of GitHub Advisory IDs you want the action to skip and not fail on.
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with:
          allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'