3.0.5

What's Changed

Thanks to @theztefan, we now have a new allow-dependencies-licenses option that takes a list of dependencies that will be excluded from license checks. See the configuration options for more information on how to use it.

• Exclude dependencies from license checks by @theztefan in #423
• Documentation examples by @theztefan in #423
• Show snapshot warnings in the summary by @juxtin in #439
• Fix default values for fail-on-severity by @febuiles in #451
• Updated dependencies.

New Contributors

• @juxtin made their first contribution in #439
• @theztefan made their first contribution in #423

Full Changelog: v3...v3.0.5

3.0.4

What's New?

The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.

New Contributors

• @davelosert made their first contribution in #393

Changelog

• Write Summary as comment to the pull request by @davelosert in #393
• Adjust summary format by @davelosert in #416
• Security updates.

Full Changelog: v3...v3.0.4

3.0.3

What's Changed

• Use cache in check-dist.yml by @jongwooo in #359
• Fix Dependency Review API response error handling by @felickz in #370
• Security updates

New Contributors

• @jongwooo made their first contribution in #359
• @felickz made their first contribution in #370

Full Changelog: v3...v3.0.3

3.0.2

This release fixes spelling errors #348 and upgrades dependencies to fix known vulnerabilities

Full Changelog: v3...v3.0.2

3.0.1

This release contains the following bugfixes:

• Fixing API URL for GHES: #331
• Improve list handling for external config files: #330

Full Changelog: v3...v3.0.1

3.0.0

Breaking Changes

By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!

What's Changed

Support for external configuration files

You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.

Broader license support

We've added support for a much broader set of project licenses by using GitHub's Licenses API.

SPDX Compliance

All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports OR/AND expressions.

Disable individual checks

You can now use the boolean options license-check and vulnerability-check to disable either one of the checks. More information in our configuration options.

Thanks

Contributors for this release include:

• @cnagadya
• @courtneycl
• @ericcornelissen
• @elireisman
• @hmaurer

Thanks everyone!
Full Changelog: v2...v3.0.0

2.5.1

Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the scripts/scan_pr script using the -c/--config-file flags to use an external configuration file:

Example:

  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

2.5.0

Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.

2.4.1

This patch release fixes the bugs below:

• Display the dependency name instead of the manifest name in the detailed list of dependents.
• Fix an issue where undefined GHSAs would remove filter out all changes.

2.4.0

We've added a new configuration option:

• allow-ghsas: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on.

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'