Search code, repositories, users, issues, pull requests...

What's Changed

(bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
Bump version for 4.8.1 release by @ahpook in #1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

`v4.8.0`

What's Changed

Make Ruby Code Scannable by @ljones140 in #978
Batch some contributions for release by @brrygrdn in #986
- Make license lists collapsable by @jasperkamerling
- feat: add large summary handling with artifact upload by @MattMencel

New Contributors

@ljones140 made their first contribution in #978
@jasperkamerling made their first contribution in #986
@MattMencel made their first contribution in #986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

`v4.7.4`

`v4.7.3`: 4.7.3

What's Changed

Add explicit permissions to workflow files by @AshelyTC in #966
Claire153/fix spamming mentioned issue by @claire153 in #974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

`v4.7.2`: 4.7.2

What's Changed

Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in #945
Deprecate deny lists by @claire153 in #958
Address discrepancy between docs and reality by @ahpook in #960

New Contributors

@KyFaSt made their first contribution in #945
@claire153 made their first contribution in #958
@ahpook made their first contribution in #960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

`v4.7.1`

Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

`v4.7.0`

Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

`v4.6.0`

What's Changed

Updating multiple dependency versions by @Ahmed3lmallah in #870
Grouping minor and patch dependabot updates to lessen the number of PRs by @Ahmed3lmallah in #876
Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #878
Bump undici from 5.28.4 to 5.28.5 by @dependabot in #877
DR Action should link to the proxima stamp when appropriate in error messages by @AshelyTC in #891
Allow deny package removal by @ellenfieldn in #888
Fix typos by @omahs in #893
Bump esbuild from 0.19.5 to 0.25.0 by @dependabot in #900
Bump octokit and related dependencies by @RomanIakovlev in #904
Bump @babel/helpers from 7.23.2 to 7.26.10 by @dependabot in #905
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @dependabot in #899
Update transitive dependency spdx-license-ids by @ailox in #855
To not print OpenSSF Scorecard section if no dependencies scanned by @fabasoad in #884
Improve usage of this action in dependency-review.yml by @fabasoad in #883
Clarify comment-summary-in-pr behaviour by @Pantelis-Santorinios in #902
Prepare 4.6.0 Release candidate by @brrygrdn in #910

New Contributors

@AshelyTC made their first contribution in #891
@ellenfieldn made their first contribution in #888
@omahs made their first contribution in #893
@RomanIakovlev made their first contribution in #904
@ailox made their first contribution in #855
@fabasoad made their first contribution in #884
@Pantelis-Santorinios made their first contribution in #902
@brrygrdn made their first contribution in #910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

`v4.5.0`

What's Changed

Bump got from 14.4.2 to 14.4.3 by @dependabot in #844
Bump nodemon from 3.1.0 to 3.1.7 by @dependabot in #847
Bump @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in #849
Overriding the cross-spawn dependency to use a safe version by @Ahmed3lmallah in #850
fix: add summary comment on failure when warn-only: true by @ebickle in #827
Prepare for 4.5.0 release by @Ahmed3lmallah in #851

New Contributors

@ebickle made their first contribution in #827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

`v4.4.0`

What's Changed

Fix for merge_group event bug by @Ahmed3lmallah in #846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

`v4.3.5`

What's Changed

fix: getRefs function to handle merge_group events by @louis-bompart in #766
Create pull_request_template.md by @jonjanego in #794
Update CONTRIBUTING.md by @jonjanego in #793
Bump @types/node from 20.11.28 to 20.16.0 by @dependabot in #815
Upgrade transitive micromatch library by @elireisman in #829
Do not list changed dependencies in summary by @hmaurer in #828
Update stale.yaml by @jonjanego in #832
Bump got from 14.4.1 to 14.4.2 by @dependabot in #822
Bump eslint-plugin-jest and ts-jest by @Ahmed3lmallah in #840

New Contributors

@louis-bompart made their first contribution in #766
@Ahmed3lmallah made their first contribution in #840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

`v4.3.4`

What's Changed

Include all added dependencies in scorecard entries by @elireisman in #783
Update SPDX Expression Parsing by @febuiles in #719
- This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

`v4.3.3`: Notes for v4.3.3

What's Changed

Allow slashes in purl package names by @juxtin in #765
use the v3 version of the deps.dev API by @josieang in #741
PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @am-stead in #773
fix show-openssf-scorecard-levels input by @ramann in #776
Updates to the contribution guidelines by @jonjanego in #778
Create issue templates by @jonjanego in #777
Fix the max comment length issue by @jhutchings1 and @elireisman in #767
Bump project version to 4.3.3 in prep for a release by @elireisman in #781

New Contributors

@josieang made their first contribution in #741
@am-stead made their first contribution in #773
@ramann made their first contribution in #776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

`v4.3.2`

What's Changed

Fix package-url parsing for allow-dependencies-licenses by @juxtin in #761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

`v4.3.1`

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

`v4.3.0`

New Features

The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

Fix action variable name for scorecard by @lukehinds in #735
Fix extra https:// in summary by @jhutchings1 in #748
Bump typescript from 5.3.3 to 5.4.5 by @dependabot in #744
Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @dependabot in #737
Show denied packages with red X by @juxtin in #750
deny-packages configuration option can deny specified version or all packages by @febuiles and @bteng22 in #733

New Contributors

@bteng22 made their first contribution in #733
@lukehinds made their first contribution in #735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

`v4.2.5`: 4.2.5

What's Changed

Fixed a bug where some configuration options in external files were not being properly picked up -- #722
Bump eslint from 8.56.0 to 8.57.0

Full Changelog: actions/dependency-review-action@v4.2.4...v4.2.5

`v4.2.4`

What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

New Contributors

@sporkmonger made their first contribution in #721

Full Changelog: actions/dependency-review-action@v4.2.3...v4.2.4

`v4.2.3`: 4.2.3

What's Changed

Set comment as output by @jsoref in #698
Add support for calculating OpenSSF Scorecards by @jhutchings1 in #709
Add outputs for the changes data by @laughedelic in #707

New Contributors

@jhutchings1 made their first contribution in #709
@laughedelic made their first contribution in #707

Full Changelog: actions/dependency-review-action@v4.1.3...v4.2.3

`v4.1.3`: 4.1.3

Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see #697).

Full Changelog: actions/dependency-review-action@v4.1.2...v4.1.3

`v4.1.2`: 4.1.2

What's Changed

Expose dependency comment content by @jsoref in #696

Full Changelog: actions/dependency-review-action@v4.1.1...v4.1.2

`v4.1.1`: 4.1.1

What's Changed

Bump undici to fix GHSA-wqq4-5wpv-mx2g
Bump @types/node from 20.11.17 to 20.11.19 by @dependabot in #693

Full Changelog: actions/dependency-review-action@v4.1.0...v4.1.1

`v4.1.0`: 4.1.0

What's Changed

Add warn-only by @tgrall in #432

Added a new configuration option (warn-only, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log.

Create stale.yaml by @jonjanego in #671
Use manual codeql config by @juxtin in #678
Multiple dependency updates (see the changelog below for more information)

New Contributors

@jonjanego made their first contribution in #671
@tgrall made their first contribution in #432

Full Changelog: actions/dependency-review-action@v4...v4.1.0

`v4.0.0`

Update action to Node 20 by @takost in #639
Dependabot updates, see the full changelog for more details.

New Contributors

@takost made their first contribution in #639

Full Changelog: actions/dependency-review-action@v3.1.5...v4.0.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-03-26T07:44:01Z

Quality Gate passed

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

sonarqubecloud · 2024-04-30T19:18:11Z

Quality Gate passed

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

sonarqubecloud · 2024-06-05T23:08:54Z

Quality Gate passed

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

sonarqubecloud · 2024-07-11T21:54:50Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2024-11-20T23:00:02Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-04-01T12:00:53Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-05-13T17:43:59Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-10-10T22:01:59Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code