Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update actions/dependency-review-action action to v3 #283

Merged
merged 1 commit into from May 9, 2023
Merged

chore(deps): update actions/dependency-review-action action to v3 #283

merged 1 commit into from May 9, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 9, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
actions/dependency-review-action action major v1.0.2 -> v3.0.4

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

Release Notes

actions/dependency-review-action

v3.0.4: 3.0.4

Compare Source

What's New?

The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.

New Contributors

Changelog

Full Changelog: actions/dependency-review-action@v3...v3.0.4

v3.0.3: 3.0.3

Compare Source

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v3...v3.0.3

v3.0.2: 3.0.2

Compare Source

This release fixes spelling errors https://github.com/actions/dependency-review-action/pull/348 and upgrades dependencies to fix known vulnerabilities

Full Changelog: actions/dependency-review-action@v3...v3.0.2

v3.0.1: 3.0.1

Compare Source

This release contains the following bugfixes:

Full Changelog: actions/dependency-review-action@v3...v3.0.1

v3.0.0: 3.0.0

Compare Source

Breaking Changes

By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!

What's Changed

Support for external configuration files

You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.

Broader license support

We've added support for a much broader set of project licenses by using GitHub's Licenses API.

SPDX Compliance

All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports OR/AND expressions.

Disable individual checks

You can now use the boolean options license-check and vulnerability-check to disable either one of the checks. More information in our configuration options.

Thanks

Contributors for this release include:

Thanks everyone!
Full Changelog: actions/dependency-review-action@v2...v3.0.0

v2.5.1: 2.5.1

Compare Source

Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the scripts/scan_pr script using the -c/--config-file flags to use an external configuration file:

Example:

  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

v2.5.0: 2.5.0

Compare Source

Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.

v2.4.1: 2.4.1

Compare Source

This patch release fixes the bugs below:

  • Display the dependency name instead of the manifest name in the detailed list of dependents.
  • Fix an issue where undefined GHSAs would remove filter out all changes.

v2.4.0: 2.4.0

Compare Source

We've added a new configuration option:

  • allow-ghsas: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on.
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'

v2.3.0: 2.3.0

Compare Source

We're adding back support for an external configuration file. You can use the config-file configuration string to specify a path to a YAML configuration file where you can specify any options you want:

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          - config-file: ./.github/dependency-review-config.yml

v2.2.0: 2.2.0

Compare Source

We've added a new configuration option:

  • fail-on-scopes: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are runtime, development, or both. By default the action will only fail on runtime dependencies.

v2.1.0: 2.1.0

Compare Source

This release includes a couple of new features (thanks @​WillDaSilva and @​tspascoal):

  1. The Action now includes a summary of the vulnerabilities and licenses detected:
Screenshot 2022-08-18 at 16 28 37

You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064

  1. You can now use the Action in events different to pull_request. You just need to provide a head-sha and base-sha in your config file:
name: Dependency Review
  uses: actions/dependency-review-action@v2
  with:

### You can pass any git refs here
### base-ref: ${{ your_base_ref }}

### head-ref: ${{ your_head_ref }}

v2.0.4: 2.0.4

Compare Source

The previous release did not include the right package.json, no major changes.

v2.0.3: 2.0.3

Compare Source

  • Fixed a bug where removed changes were being inspected and reported as vulnerable (#​155, thanks @​kachick!)

v2.0.2: 2.0.2

Compare Source

  • Fixes a small formatting error in the output of unknown licenses.

v2.0.1: 2.0.1

Compare Source

  • Fixed a bug where null licenses would not show up in successful Action runs.

v2.0.0: 2.0.0

Compare Source

Major version update! We are introducing a few configuration options to make the action more useful in a broader set of scenarios:

  • fail-on-severity: Specify the minimum security vulnerability threshold before failing workflow runs.
  • allow-licenses: An allowlist for dependency licenses.
  • deny-licenses: A blocklist for dependency licenses.

You can read more about these options in the "Configuration" section of the README.

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file Renovate labels May 9, 2023
@renovate renovate bot force-pushed the renovate/actions-dependency-review-action-3.x branch from 00fc36d to 9292ea4 Compare May 9, 2023 12:46
@patheard patheard merged commit 0a5c3aa into main May 9, 2023
4 checks passed
@patheard patheard deleted the renovate/actions-dependency-review-action-3.x branch May 9, 2023 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patheard patheard patheard approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file Renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@patheard