Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,5 @@ jobs:

- name: Dependency Review
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
deny-licenses: AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, Watcom-1.0
Comment on lines +20 to +21

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Are AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, and Watcom-1.0 valid SPDX license identifiers?

💡 Result:

Yes—each of these is a valid SPDX License List short identifier:

Citations:


🌐 Web query:

GitHub actions dependency-review-action v4 deny-licenses configuration syntax

💡 Result:

In actions/dependency-review-action@v4, deny-licenses takes SPDX license identifiers/expressions and is mutually exclusive with allow-licenses (setting both errors). deny-licenses is deprecated in v4 (may be removed in the next major version). [1] [2]

Inline (workflow with:)

deny-licenses is passed as a comma-separated string: [1]

- uses: actions/dependency-review-action@v4
  with:
    deny-licenses: LGPL-2.0, BSD-2-Clause

External config file (config-file:)

In dependency-review-config.yml, use a YAML list (same idea as allow-licenses shown in the README): [1]

# .github/dependency-review-config.yml
deny-licenses:
  - LGPL-2.0
  - BSD-2-Clause

Consider migrating away from the deprecated deny-licenses parameter.

All SPDX license identifiers are valid and the comma-separated format is correct for dependency-review-action@v4. However, deny-licenses is deprecated in v4 and may be removed in the next major version. Check the action's documentation for recommended alternatives or migration guidance before the deprecation period ends.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-review.yml around lines 20 - 21, The workflow
uses the deprecated deny-licenses input for dependency-review-action@v4; update
the job step that currently sets the deny-licenses parameter to use the action's
supported replacement (per the action docs) — locate the step referencing
dependency-review-action@v4 and replace deny-licenses with the documented
alternative input or policy configuration (e.g., the new policy/allow/deny
format or equivalent) and ensure the same SPDX identifiers are migrated into
that new field and validated against the action's examples.

Loading