Releases: actions/dependency-review-action
2.5.1
Adding some quality-of-life improvements to the local development experience. You can now pass the -c/--config-file flag to the scripts/scan_pr script to use an external configuration file.
Example:
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
2.5.0
Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.
2.4.1
This patch release fixes the bugs below:
- Display the dependency name instead of the manifest name in the detailed list of dependents.
- Fix an issue where undefined GHSAs would filter out all changes.
2.4.0
We've added a new configuration option, allow-ghsas: specify a list of GitHub Advisory IDs that you want the action to skip and not fail on.
dependency-review:
  runs-on: ubuntu-latest
  steps:
    - name: 'Checkout Repository'
      uses: actions/checkout@v3
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v2
      with:
        allow-ghsas: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'
2.3.0
We're adding back support for an external configuration file. You can use the config-file configuration string to specify a path to a YAML configuration file where you can specify any options you want:
dependency-review:
  runs-on: ubuntu-latest
  steps:
    - name: 'Checkout Repository'
      uses: actions/checkout@v3
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v2
      with:
        config-file: ./.github/dependency-review-config.yml
2.2.0
We've added a new configuration option, fail-on-scopes: specify whether you want the action to fail on vulnerabilities or license restrictions in dependencies that are runtime, development, or both. By default the action will only fail on runtime dependencies.
2.1.0
This release includes a couple of new features (thanks @WillDaSilva and @tspascoal):
- The Action now includes a summary of the vulnerabilities and licenses detected. You can see a live example by visiting: https://github.com/future-funk/redesigned-custom-spood/actions/runs/2883016064
- You can now use the Action in events other than pull_request. You just need to provide a head-sha and base-sha in your config file:
name: Dependency Review
uses: actions/dependency-review-action@v2
with:
  # You can pass any git refs here
  # base-ref: ${{ your_base_ref }}
  # head-ref: ${{ your_head_ref }}
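Putting the options introduced in 2.1.0 through 2.4.0 together, as an added example that is not part of these release notes: a push-triggered workflow that supplies base-ref/head-ref from the push event context (the names the snippet above uses) and reads fail-on-scopes and allow-ghsas from the external config file. The config-file keys are assumed to mirror the action inputs and to take YAML lists; the GHSA id is a placeholder, not a real advisory.

```yaml
# File 1: .github/workflows/dependency-review.yml (added example, not from the project)
name: Dependency Review
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with:
          # A push event has no pull request to diff, so the two refs to compare
          # come from the push payload: the commit before the push and the new head.
          base-ref: ${{ github.event.before }}
          head-ref: ${{ github.sha }}
          # Everything else lives in the external config file introduced in 2.3.0.
          config-file: ./.github/dependency-review-config.yml
---
# File 2: .github/dependency-review-config.yml (added example; key names assumed
# to mirror the action inputs, with list values instead of comma-separated strings)
# Fail on both runtime and development dependencies, not just runtime (the default).
fail-on-scopes:
  - runtime
  - development
# Advisories already triaged as not applicable to this project; each entry
# silences exactly one GHSA, so the suppression stays narrow and reviewable.
allow-ghsas:
  - GHSA-xxxx-xxxx-xxxx   # placeholder id, replace with the triaged advisory
```

Keep the allow-ghsas list short and commented with the triage reason, since each entry permanently silences that advisory for every dependency in the repository.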
2.0.4
The previous release did not include the right package.json; no major changes.
2.0.3
2.0.2
- Fixes a small formatting error in the output of unknown licenses.