Releases: actions/dependency-review-action
2.3.0
We're adding back support for an external configuration file. You can use the config-file
configuration string to specify a path to a YAML configuration file where you can specify any options you want:
```yaml
dependency-review:
  runs-on: ubuntu-latest
  steps:
    - name: 'Checkout Repository'
      uses: actions/checkout@v3
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v2
      with:
        config-file: ./.github/dependency-review-config.yml
```
2.2.0
We've added a new configuration option:
- `fail-on-scopes`: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are `runtime`, `development`, or both. By default the action will only fail on `runtime` dependencies.
2.1.0
This release includes a couple of new features (thanks @WillDaSilva and @tspascoal):
- The Action now includes a summary of the vulnerabilities and licenses detected:
You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064
- You can now use the Action in events other than `pull_request`. You just need to provide a `head-sha` and `base-sha` in your config file:

```yaml
name: Dependency Review
uses: actions/dependency-review-action@v2
with:
  # You can pass any git refs here
  # base-ref: ${{ your_base_ref }}
  # head-ref: ${{ your_head_ref }}
```
2.0.4
The previous release did not include the right `package.json`; no major changes.
2.0.3
2.0.2
- Fixes a small formatting error in the output of unknown licenses.
2.0.1
- Fixed a bug where null licenses would not show up in successful Action runs.
2.0.0
Major version update! We are introducing a few configuration options to make the action more useful in a broader set of scenarios:
- `fail-on-severity`: Specify the minimum security vulnerability threshold before failing workflow runs.
- `allow-licenses`: An allowlist for dependency licenses.
- `deny-licenses`: A blocklist for dependency licenses.
You can read more about these options in the "Configuration" section of the README.
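The following is an added example, not code from these release notes or from the project itself, that combines the options introduced in 2.0.0, 2.2.0 and 2.3.0 into one workflow and one external configuration file (shown as two YAML documents in a single block). The workflow and config-file path follow the 2.3.0 snippet; the key names inside the config file are assumed to mirror the input names listed in these notes, and the severity threshold and SPDX license identifiers are constructed sample choices, not project defaults.

```yaml
# .github/workflows/dependency-review.yml (constructed example)
name: Dependency Review
on: [pull_request]
permissions:
  contents: read          # the action only needs to read the repository
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with:
          config-file: ./.github/dependency-review-config.yml
---
# .github/dependency-review-config.yml (constructed example; keys assumed to
# mirror the inputs named in the 2.0.0 and 2.2.0 notes)
fail-on-severity: moderate   # fail the run on moderate, high or critical advisories
fail-on-scopes:              # default is runtime only; this also gates dev dependencies
  - runtime
  - development
allow-licenses:              # allowlist of SPDX identifiers; any other license fails the run
  - MIT
  - Apache-2.0
  - BSD-3-Clause
```

Keeping the thresholds in a checked-in config file means a pull request that weakens them (for example raising `fail-on-severity` to `critical` or dropping `development` from `fail-on-scopes`) shows up as a reviewable diff rather than a silent workflow-input change.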
1.0.2
- Clarify error messages for private repos
- Update NPM dependencies.
v1
First release of the Dependency Review Action.