v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

v4.8.3: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in #​1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in #​995
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​1003
• Bump actions/setup-node from 4 to 6 by @​dependabot[bot] in #​1005
• Upgrade glob to address a vulnerability by @​brrygrdn in #​1024
• Bump js-yaml by @​dependabot[bot] in #​1020
• Addressing vulnerabilities by @​Ahmed3lmallah in #​1036
• Bump fast-xml-parser from 5.3.3 to 5.3.5 by @​dependabot[bot] in #​1050
• Bump fast-xml-parser from 5.3.5 to 5.3.6 by @​dependabot[bot] in #​1053
• Properly truncate long summaries and catch errors by @​juxtin in #​1052
• Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @​dependabot[bot] in #​931
• Changes for Release 4.8.3 by @​ahpook in #​1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in #​945
• Deprecate deny lists by @​claire153 in #​958
• Address discrepancy between docs and reality by @​ahpook in #​960

New Contributors

• @​KyFaSt made their first contribution in #​945
• @​claire153 made their first contribution in #​958
• @​ahpook made their first contribution in #​960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

Compare Source

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #​889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

Compare Source

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #​809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

Compare Source

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in #​870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in #​876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in #​891
• Allow deny package removal by @​ellenfieldn in #​888
• Fix typos by @​omahs in #​893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in #​900
• Bump octokit and related dependencies by @​RomanIakovlev in #​904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in #​905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in #​899
• Update transitive dependency spdx-license-ids by @​ailox in #​855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in #​884
• Improve usage of this action in dependency-review.yml by @​fabasoad in #​883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in #​902
• Prepare 4.6.0 Release candidate by @​brrygrdn in #​910

New Contributors

• @​AshelyTC made their first contribution in #​891
• @​ellenfieldn made their first contribution in #​888
• @​omahs made their first contribution in #​893
• @​RomanIakovlev made their first contribution in #​904
• @​ailox made their first contribution in #​855
• @​fabasoad made their first contribution in #​884
• @​Pantelis-Santorinios made their first contribution in #​902
• @​brrygrdn made their first contribution in #​910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

v4.5.0

Compare Source

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @​dependabot in #​844
• Bump nodemon from 3.1.0 to 3.1.7 by @​dependabot in #​847
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​849
• Overriding the cross-spawn dependency to use a safe version by @​Ahmed3lmallah in #​850
• fix: add summary comment on failure when warn-only: true by @​ebickle in #​827
• Prepare for 4.5.0 release by @​Ahmed3lmallah in #​851

New Contributors

• @​ebickle made their first contribution in #​827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Compare Source

What's Changed

• Fix for merge_group event bug by @​Ahmed3lmallah in #​846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Compare Source

What's Changed

• fix: getRefs function to handle merge_group events by @​louis-bompart in #​766
• Create pull_request_template.md by @​jonjanego in #​794
• Update CONTRIBUTING.md by @​jonjanego in #​793
• Bump @​types/node from 20.11.28 to 20.16.0 by @​dependabot in #​815
• Upgrade transitive micromatch library by @​elireisman in #​829
• Do not list changed dependencies in summary by @​hmaurer in #​828
• Update stale.yaml by @​jonjanego in #​832
• Bump got from 14.4.1 to 14.4.2 by @​dependabot in #​822
• Bump eslint-plugin-jest and ts-jest by @​Ahmed3lmallah in #​840

New Contributors

• @​louis-bompart made their first contribution in #​766
• @​Ahmed3lmallah made their first contribution in #​840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

Compare Source

What's Changed

• Include all added dependencies in scorecard entries by @​elireisman in #​783
• Update SPDX Expression Parsing by @​febuiles in #​719
  • This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

v4.3.3: Notes for v4.3.3

Compare Source

What's Changed

• Allow slashes in purl package names by @​juxtin in #​765
• use the v3 version of the deps.dev API by @​josieang in #​741
• PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @​am-stead in #​773
• fix show-openssf-scorecard-levels input by @​ramann in #​776
• Updates to the contribution guidelines by @​jonjanego in #​778
• Create issue templates by @​jonjanego in #​777
• Fix the max comment length issue by @​jhutchings1 and @​elireisman in #​767
• Bump project version to 4.3.3 in prep for a release by @​elireisman in #​781

New Contributors

• @​josieang made their first contribution in #​741
• @​am-stead made their first contribution in #​773
• @​ramann made their first contribution in #​776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

v4.3.2

Compare Source

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @​juxtin in #​761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

v4.3.1

Compare Source

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #​753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

vV4.3.0

Compare Source

v4.3.0

Compare Source

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @​lukehinds in #​735
• Fix extra https:// in summary by @​jhutchings1 in #​748
• Bump typescript from 5.3.3 to 5.4.5 by @​dependabot in #​744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot in #​737
• Show denied packages with red X by @​juxtin in #​750
• deny-packages configuration option can deny specified version or all packages by @​febuiles and @​bteng22 in #​733

New Contributors

• @​bteng22 made their first contribution in #​733
• @​lukehinds made their first contribution in #​735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

v4.2.5: 4.2.5

Compare Source

What's Changed

• Fixed a bug where some configuration options in external files were not being properly picked up -- #​722
• Bump eslint from 8.56.0 to 8.57.0

Full Changelog: actions/dependency-review-action@v4.2.4...v4.2.5

v4.2.4

Compare Source

What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

New Contributors

• @​sporkmonger made their first contribution in #​721

Full Changelog: actions/dependency-review-action@v4.2.3...v4.2.4

v4.2.3: 4.2.3

Compare Source

What's Changed

• Set comment as output by @​jsoref in #​698
• Add support for calculating OpenSSF Scorecards by @​jhutchings1 in #​709
• Add outputs for the changes data by @​laughedelic in #​707

New Contributors

• @​jhutchings1 made their first contribution in #​709
• @​laughedelic made their first contribution in #​707

Full Changelog: actions/dependency-review-action@v4.1.3...v4.2.3

v4.1.3: 4.1.3

Compare Source

Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see #​697).

Full Changelog: actions/dependency-review-action@v4.1.2...v4.1.3

v4.1.2: 4.1.2

Compare Source

What's Changed

• Expose dependency comment content by @​jsoref in #​696

Full Changelog: actions/dependency-review-action@v4.1.1...v4.1.2

v4.1.1: 4.1.1

Compare Source

What's Changed

• Bump undici to fix GHSA-wqq4-5wpv-mx2g
• Bump @​types/node from 20.11.17 to 20.11.19 by @​dependabot in #​693

Full Changelog: actions/dependency-review-action@v4.1.0...v4.1.1

v4.1.0: 4.1.0

Compare Source

What's Changed

• Add warn-only by @​tgrall in #​432

Added a new configuration option (warn-only, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log.

• Create stale.yaml by @​jonjanego in #​671
• Use manual codeql config by @​juxtin in #​678
• Multiple dependency updates (see the changelog below for more information)

New Contributors

• @​jonjanego made their first contribution in #​671
• @​tgrall made their first contribution in #​432

Full Changelog: actions/dependency-review-action@v4...v4.1.0

v4.0.0

Compare Source

• Update action to Node 20 by @​takost in #​639
• Dependabot updates, see the full changelog for more details.

New Contributors

• @​takost made their first contribution in #​639

Full Changelog: actions/dependency-review-action@v3.1.5...v4.0.0

v3.1.5: 3.1.5

Compare Source

What's Changed

• Smaller per_page when requesting diff by @​hmaurer in #​649
• Update dependencies:
  • Bump @​typescript-eslint/parser from 6.10.0 to 6.13.1 by @​dependabot in #​630
  • Bump prettier from 3.0.3 to 3.1.0 by @​dependabot in #​629
  • Bump @​types/jest from 29.5.8 to 29.5.11 by @​dependabot in #​637
  • Bump nodemon from 3.0.1 to 3.0.2 by @​dependabot in #​636
  • Replace pip -> pypi in PURL examples by @​febuiles in #​638
  • Bump @​typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0 by @​dependabot in #​644
  • Bump eslint from 8.53.0 to 8.56.0 by @​dependabot in #​640
  • Bump @​typescript-eslint/parser from 6.13.1 to 6.16.0 by @​dependabot in #​645
  • Bump prettier from 3.1.0 to 3.1.1 by @​dependabot in #​646

Full Changelog: actions/dependency-review-action@v3.1.4...v3.1.5

v3.1.4: 3.1.4

Compare Source

What's Changed

• Fixed a bug with severity filtering when using the allow_ghsas option: #​623.

• Updates dependencies:

  • Bump @​types/node from 16.18.61 to 16.18.62 by @​dependabot in #​619
    action/pull/620
  • Bump @​typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0 by @​dependabot in #​625
  • Bump typescript from 5.2.2 to 5.3.2 by @​dependabot in #​624

Full Changelog: actions/dependency-review-action@v3...v3.1.4

v3.1.3: 3.1.3

Compare Source

What's Changed

• Fixes purl "version must be percent-encoded" by @​theztefan in #​617

Full Changelog: actions/dependency-review-action@v3...v3.1.3

v3.1.2: 3.1.2

Compare Source

What's Changed

• Fix a regression for setups using self-hosted runners behind HTTP proxies:@​febuiles in #​611

Full Changelog: actions/dependency-review-action@v3...v3.1.2

v3.1.1: 3.1.1

Compare Source

What's Changed

• Update a bunch of dependencies, including major version upgrades for octokit, @actions/github and typescript.

Full Changelog: actions/dependency-review-action@v3.1.0...v3.1.1

v3.1.0: 3.1.0

Compare Source

What's New

Added support for dependencies submitted through the dependency submission API. This includes two new configuration parameters: retry-on-snapshot-warnings and retry-on-snapshot-warnings-timeout.

What's Changed

• Fix(docs): Correct action input name by @​oerd in #​551

New Contributors

• @​oerd made their first contribution in #​551

Full Changelog: actions/dependency-review-action@v3...v3.1.0

v3.0.8: 3.0.8

Compare Source

What's Changed

Added on-failure option to comment-summary-in-pr setting by @​sgmurphy in #​540

Previous configuration files using true/false for comment-summary-in-pr will be mapped automatically to the new values, but we encourage you to update to always/on-failure/never.

New Contributors

• @​sgmurphy made their first contribution in #​540

Full Changelog: actions/dependency-review-action@v3...v3.0.8

v3.0.7: 3.0.7

Compare Source

What's Changed

• Make GHES support / setup more clear by @​rajbos in #​534
• Add an option to deny packages or groups of packages by @​adrienpessu in #​544

New Contributors

• @​rajbos made their first contribution in #​534
• @​adrienpessu made their first contribution in #​544

Full Changelog: actions/dependency-review-action@v3...v3.0.7

v3.0.6: 3.0.6

Compare Source

Fixes a bug introduced in 3.0.5 where we raised PURL errors when Dependency Graph returns an empty package_url.

v3.0.5: 3.0.5

Compare Source

What's Changed

Thanks to @​theztefan, we now have a new allow-dependencies-licenses option that takes a list of dependencies that will be excluded from license checks. See the configuration options for more information on how to use it.

• Exclude dependencies from license checks by @​theztefan in #​423
• Documentation examples by @​theztefan in #​423
• Show snapshot warnings in the summary by @​juxtin in #​439
• Fix default values for fail-on-severity by @​febuiles in #​451
• Updated dependencies.

New Contributors

• @​juxtin made their first contribution in #​439
• @​theztefan made their first contribution in #​423

Full Changelog: actions/dependency-review-action@v3...v3.0.5

v3.0.4: 3.0.4

Compare Source

What's New?

The Action can now publish a comment in the pull request if the comment-summary-in-pr option is set. More information can be found in the README.

New Contributors

• @​davelosert made their first contribution in #​393

Changelog

• Write Summary as comment to the pull request by @​davelosert in #​393
• Adjust summary format by @​davelosert in #​416
• Security updates.

Full Changelog: actions/dependency-review-action@v3...v3.0.4

v3.0.3: 3.0.3

Compare Source

What's Changed

• Use cache in check-dist.yml by @​jongwooo in #​359
• Fix Dependency Review API response error handling by @​felickz in #​370
• Security updates

New Contributors

• @​jongwooo made their first contribution in #​359
• @​felickz made their first contribution in #​370

Full Changelog: actions/dependency-review-action@v3...v3.0.3

v3.0.2: 3.0.2

Compare Source

This release fixes spelling errors #​348 and upgrades dependencies to fix known vulnerabilities

Full Changelog: actions/dependency-review-action@v3...v3.0.2

v3.0.1: 3.0.1

Compare Source

This release contains the following bugfixes:

• Fixing API URL for GHES: #​331
• Improve list handling for external config files: #​330

Full Changelog: actions/dependency-review-action@v3...v3.0.1

v3.0.0: 3.0.0

Compare Source

Breaking Changes

By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!

What's Changed

Support for external configuration files

You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.

Broader license support

We've added support for a much broader set of project licenses by using GitHub's Licenses API.

SPDX Compliance

All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports OR/AND expressions.

Disable individual checks

You can now use the boolean options license-check and vulnerability-check to disable either one of the checks. More information in our configuration options.

Thanks

Contributors for this release include:

• @​cnagadya
• @​courtneycl
• @​ericcornelissen
• @​elireisman
• @​hmaurer

Thanks everyone!
Full Changelog: actions/dependency-review-action@v2...v3.0.0

v3

Compare Source

v2.5.1: 2.5.1

Compare Source

Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the scripts/scan_pr script using the -c/--config-file flags to use an external configuration file:

Example:

  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

v2.5.0: 2.5.0

Compare Source

Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.

v2.4.1: 2.4.1

Compare Source

This patch release fixes the bugs below:

• Display the dependency name instead of the manifest name in the detailed list of dependents.
• Fix an issue where undefined GHSAs would remove filter out all changes.

v2.4.0: 2.4.0

Compare Source

We've added a new configuration option:

• allow-ghsas: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on.

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'

v2.3.0: 2.3.0

Compare Source

We're adding back support for an external configuration file. You can use the config-file configuration string to specify a path to a YAML configuration file where you can specify any options you want:

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          - config-file: ./.github/dependency-review-config.yml

v2.2.0: 2.2.0

Compare Source

We've added a new configuration option:

• fail-on-scopes: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are runtime, development, or both. By default the action will only fail on runtime dependencies.

v2.1.0: 2.1.0

Compare Source

This release includes a couple of new features (thanks @​WillDaSilva and @​tspascoal):

1. The Action now includes a summary of the vulnerabilities and licenses detected:

You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064

2. You can now use the Action in events different to pull_request. You just need to provide a head-sha and base-sha in your config file:

name: Dependency Review
  uses: actions/dependency-review-action@v2
  with:
    # You can pass any git refs here
    # base-ref: ${{ your_base_ref }}
    # head-ref: ${{ your_head_ref }}

v2.0.4: 2.0.4

Compare Source

The previous release did not include the right package.json, no major changes.

v2.0.3: 2.0.3

Compare Source

• Fixed a bug where removed changes were being inspected and reported as vulnerable (#​155, thanks @​kachick!)

v2.0.2: 2.0.2

[Compare Source](https://redirect.github.com/actions/dependency-review-action/co

✂ Note

PR body was truncated to here.