Releases: actions/dependency-review-action
Releases · actions/dependency-review-action
v4.7.1
- Packages added to
allow-dependencies-licenseswill be allowed even if the package in question has no license information #889 - License expressions (e.g.
Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g.Ruby)
v4.7.0
- Handle complex license expressions (e.g.
MIT AND GPL-2.0) in allow lists (fixes #809 and probably others) - Replace
OTHERin package licenses withLicenseRef-clearlydefined-OTHERso that parsing passes
v4.6.0
What's Changed
- Updating multiple dependency versions by @Ahmed3lmallah in #870
- Grouping minor and patch dependabot updates to lessen the number of PRs by @Ahmed3lmallah in #876
- Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #878
- Bump undici from 5.28.4 to 5.28.5 by @dependabot in #877
- DR Action should link to the proxima stamp when appropriate in error messages by @AshelyTC in #891
- Allow deny package removal by @ellenfieldn in #888
- Fix typos by @omahs in #893
- Bump esbuild from 0.19.5 to 0.25.0 by @dependabot in #900
- Bump octokit and related dependencies by @RomanIakovlev in #904
- Bump @babel/helpers from 7.23.2 to 7.26.10 by @dependabot in #905
- Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @dependabot in #899
- Update transitive dependency spdx-license-ids by @ailox in #855
- To not print OpenSSF Scorecard section if no dependencies scanned by @fabasoad in #884
- Improve usage of this action in dependency-review.yml by @fabasoad in #883
- Clarify comment-summary-in-pr behaviour by @Pantelis-Santorinios in #902
- Prepare 4.6.0 Release candidate by @brrygrdn in #910
New Contributors
- @AshelyTC made their first contribution in #891
- @ellenfieldn made their first contribution in #888
- @omahs made their first contribution in #893
- @RomanIakovlev made their first contribution in #904
- @ailox made their first contribution in #855
- @fabasoad made their first contribution in #884
- @Pantelis-Santorinios made their first contribution in #902
- @brrygrdn made their first contribution in #910
Full Changelog: v4.5.0...v4.6.0
Contributors
brrygrdn, ellenfieldn, and 8 other contributors
Assets 2
v4.5.0
What's Changed
- Bump got from 14.4.2 to 14.4.3 by @dependabot in #844
- Bump nodemon from 3.1.0 to 3.1.7 by @dependabot in #847
- Bump @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in #849
- Overriding the cross-spawn dependency to use a safe version by @Ahmed3lmallah in #850
- fix: add summary comment on failure when warn-only: true by @ebickle in #827
- Prepare for 4.5.0 release by @Ahmed3lmallah in #851
New Contributors
Full Changelog: v4...v4.5.0
Contributors
ebickle, dependabot, and Ahmed3lmallah
Assets 2
v4.4.0
What's Changed
- Fix for merge_group event bug by @Ahmed3lmallah in #846
Full Changelog: v4.3.5...v4.4.0
Contributors
Ahmed3lmallah
Assets 2
v4.3.5
What's Changed
- fix: getRefs function to handle merge_group events by @louis-bompart in #766
- Create pull_request_template.md by @jonjanego in #794
- Update CONTRIBUTING.md by @jonjanego in #793
- Bump @types/node from 20.11.28 to 20.16.0 by @dependabot in #815
- Upgrade transitive micromatch library by @elireisman in #829
- Do not list changed dependencies in summary by @hmaurer in #828
- Update stale.yaml by @jonjanego in #832
- Bump got from 14.4.1 to 14.4.2 by @dependabot in #822
- Bump eslint-plugin-jest and ts-jest by @Ahmed3lmallah in #840
New Contributors
- @louis-bompart made their first contribution in #766
- @Ahmed3lmallah made their first contribution in #840
Full Changelog: v4.3.4...v4.3.5
Contributors
hmaurer, jonjanego, and 4 other contributors
Assets 2
v4.3.4
What's Changed
- Include all added dependencies in scorecard entries by @elireisman in #783
- Update SPDX Expression Parsing by @febuiles in #719
- This PR is a significant refactor of SPDX expression parsing that may fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.
Full Changelog: v4.3.3...v4.3.4
Contributors
febuiles and elireisman
Assets 2
Notes for v4.3.3
What's Changed
- Allow slashes in purl package names by @juxtin in #765
- use the v3 version of the deps.dev API by @josieang in #741
- PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @am-stead in #773
- fix show-openssf-scorecard-levels input by @ramann in #776
- Updates to the contribution guidelines by @jonjanego in #778
- Create issue templates by @jonjanego in #777
- Fix the max comment length issue by @jhutchings1 and @elireisman in #767
- Bump project version to 4.3.3 in prep for a release by @elireisman in #781
New Contributors
- @josieang made their first contribution in #741
- @am-stead made their first contribution in #773
- @ramann made their first contribution in #776
Full Changelog: v4.3.2...v4.3.3
Contributors
jonjanego, juxtin, and 5 other contributors
Assets 2
v4.3.2
What's Changed
Full Changelog: v4.3.1...v4.3.2
Contributors
juxtin
Assets 2
v4.3.1
What's Changed
This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See #753.
Full Changelog: V4.3.0...v4.3.1