Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: bump actions/dependency-review-action from 1 to 2.5.0 #463

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 14, 2022

Bumps actions/dependency-review-action from 1 to 2.5.0.

Release notes

Sourced from actions/dependency-review-action's releases.

2.5.0

Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.

2.4.1

This patch release fixes the bugs below:

  • Display the dependency name instead of the manifest name in the detailed list of dependents.
  • Fix an issue where undefined GHSAs would remove filter out all changes.

2.4.0

We've added a new configuration option:

  • allow-ghsas: Specify a list of various GitHub Advisory IDs you want the action to skip and not fail on.
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'

2.3.0

We're adding back support for an external configuration file. You can use the config-file configuration string to specify a path to a YAML configuration file where you can specify any options you want:

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with: 
          - config-file: ./.github/dependency-review-config.yml

2.2.0

We've added a new configuration option:

  • fail-on-scopes: Specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are runtime, development, or both. By default the action will only fail on runtime dependencies.

2.1.0

This release includes a couple of new features (thanks @​WillDaSilva and @​tspascoal):

  1. The Action now includes a summary of the vulnerabilities and licenses detected:

... (truncated)

Commits
  • fd675ce v2.5.0 release
  • f7d03d8 Merge pull request #284 from actions/cn/license-api-fallback
  • 7e41a6f Removing unnecessary beforeAll block
  • 4c0961e Add tests for GitHub License API fallback
  • d1e9a12 Resolve conflicts
  • 2e3713a Optimise setGHLicenses
  • ba9d7c1 Retrieve null licenses from licenses API
  • 0cd2781 Merge pull request #286 from actions/dependabot/npm_and_yarn/ansi-styles-6.2.1
  • 129f0ad adding dist
  • 0a88a47 Bump ansi-styles from 6.2.0 to 6.2.1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1 to 2.5.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v1...v2.5.0)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@codecov
Copy link

codecov bot commented Oct 14, 2022

Codecov Report

Base: 100.00% // Head: 100.00% // No change to project coverage 👍

Coverage data is based on head (64ecf71) compared to base (30b03b3).
Patch has no changes to coverable lines.

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #463   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            5         5           
  Lines          105       105           
  Branches        14        14           
=========================================
  Hits           105       105           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@peaceiris peaceiris merged commit 6afdaef into main Oct 14, 2022
@peaceiris peaceiris deleted the dependabot/github_actions/actions/dependency-review-action-2.5.0 branch October 14, 2022 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant