[BUG] Excluded from license check and SPDX validation not working correctly #939

Open
@ES00660463

Description

Describe the bug
I have several repositories in the organization that are having problems with some packages, especially from NPM.

For example, in the @primeng/themes library (https://github.com/primefaces/primeng/blob/master/packages/themes/package.json), the value "SEE LICENSE IN LICENSE.md" is detected, which is an accepted value by NPM (https://docs.npmjs.com/cli/v10/configuring-npm/package-json?v=true#license), but Dependency Review does not mark it as unknown as it does with those it does not detect; instead, it marks it as an invalid value and blocks the flow.

In addition, even if we put that library in the 'allow-dependencies-licenses' field, Dependency Review ignores or does not apply that configuration and continues to block the flow.

It does not seem like good behavior to mark unknown packages as warnings while packages with a manageable value block the flow, and additionally to block them even though they are on the whitelist.

To Reproduce

  1. Create or have a repository with a package.json that includes the @primeng/themes library.
  2. Have a workflow that runs Dependency Review whose main step is similar to this:

     ```yaml
     - name: 'Dependency Review'
       uses: actions/dependency-review-action@v4
       with:
         deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0, MPL-2.0-no-copyleft-exception, EPL-1.0
         allow-dependencies-licenses: 'pkg:npm/@primeng/themes'
         show-openssf-scorecard: false
     ```

  3. View the execution results and check that the block occurs.

Expected behavior
Regardless of whether the tool should manage the value "SEE LICENSE IN LICENSE.md" (which from our perspective it should at least manage because it is an accepted value in the package.json file), at the very least, if the library is on the list of accepted ones, it should allow the flow to proceed and not block it.

Screenshots
[two images attached to the original issue; not reproduced here]

Action version
v4 (that points to the latest version v4.7.1)
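The following is an added illustration of the license-check behaviour the report expects: it is not the dependency-review-action's own code, and the SPDX list, the purl allow-list semantics and the sample dependencies are constructed assumptions for the demo. It classifies a package.json `license` value as an SPDX expression, npm's "SEE LICENSE IN <file>" form, or unknown, and then applies `deny-licenses` and `allow-dependencies-licenses` in the order the issue argues for: an allow-listed purl is exempted first, a denied SPDX id blocks, and anything the checker cannot resolve is surfaced as a warning rather than a block.

```python
import re

# Constructed subset of the SPDX license list for this demo only (assumption);
# a real checker consults the full SPDX list.
KNOWN_SPDX_IDS = {
    "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
    "GPL-2.0", "GPL-3.0", "AGPL-3.0", "MPL-2.0", "EPL-1.0",
    "MPL-2.0-no-copyleft-exception",
}

# npm's documented non-SPDX form: "SEE LICENSE IN <filename>"
SEE_LICENSE_IN = re.compile(r"^SEE LICENSE IN (\S+)$")


def spdx_ids(expression):
    """Extract bare identifiers from a simple SPDX expression such as
    '(MIT OR Apache-2.0)' or 'GPL-2.0+'. Operators and parentheses are
    dropped; a trailing '+' (or-later) is stripped so 'GPL-2.0+' matches 'GPL-2.0'."""
    cleaned = re.sub(r"[()]", " ", expression)
    tokens = [t for t in cleaned.split() if t not in ("AND", "OR", "WITH")]
    return [t.rstrip("+") for t in tokens]


def classify_license(value):
    """Classify a package.json 'license' value.

    Returns one of:
      'spdx'            every identifier in the expression is a known SPDX id
      'see-license-in'  npm's "SEE LICENSE IN <file>" form (valid for npm, not SPDX)
      'unlicensed'      npm's explicit "UNLICENSED" marker
      'unknown'         empty, missing, or contains an id we cannot resolve
    """
    if not value:
        return "unknown"
    value = value.strip()
    if value == "UNLICENSED":
        return "unlicensed"
    if SEE_LICENSE_IN.match(value):
        return "see-license-in"
    ids = spdx_ids(value)
    if ids and all(t in KNOWN_SPDX_IDS for t in ids):
        return "spdx"
    return "unknown"


def parse_list(csv):
    """Parse a comma-separated action input (deny-licenses, allow-dependencies-licenses)."""
    return {item.strip() for item in csv.split(",") if item.strip()}


def evaluate_dependency(purl, license_value, deny_licenses, allow_dependencies):
    """Decide what the review should do for one dependency.

    Returns (decision, reason) where decision is 'allow', 'warn' or 'deny'.
    Check order follows the behaviour the issue expects (assumption, not the
    action's verified logic):
      1. a purl listed in allow-dependencies-licenses is exempt from the check;
      2. a known SPDX id on deny-licenses blocks (any denied id in an OR
         expression blocks, a deliberately conservative simplification);
      3. anything that cannot be resolved is a warning, not a block.
    """
    if purl in allow_dependencies:
        return ("allow", "exempted by allow-dependencies-licenses")
    kind = classify_license(license_value)
    if kind == "spdx":
        denied = sorted(set(spdx_ids(license_value)) & deny_licenses)
        if denied:
            return ("deny", "license on deny-licenses: " + ", ".join(denied))
        return ("allow", "SPDX license not denied")
    if kind == "unlicensed":
        return ("warn", "package declares UNLICENSED")
    return ("warn", f"license value {license_value!r} is not an SPDX expression ({kind})")


# Configuration quoted in the issue, plus constructed sample dependencies.
DENY = parse_list("GPL-2.0, GPL-3.0, AGPL-3.0, MPL-2.0-no-copyleft-exception, EPL-1.0")
ALLOW = parse_list("pkg:npm/@primeng/themes")

SAMPLE_DEPENDENCIES = [
    ("pkg:npm/@primeng/themes", "SEE LICENSE IN LICENSE.md"),   # from the issue
    ("pkg:npm/example-mit", "MIT"),                              # constructed
    ("pkg:npm/example-gpl", "GPL-3.0"),                          # constructed
    ("pkg:npm/example-custom", "SEE LICENSE IN LICENSE.md"),     # constructed, not allow-listed
    ("pkg:npm/example-odd", "Custom-Proprietary-1.0"),           # constructed, unknown id
]


def review(dependencies, deny=DENY, allow=ALLOW):
    """Run the decision over (purl, license) pairs; returns {purl: decision}."""
    return {purl: evaluate_dependency(purl, lic, deny, allow)[0] for purl, lic in dependencies}


if __name__ == "__main__":
    for purl, lic in SAMPLE_DEPENDENCIES:
        decision, reason = evaluate_dependency(purl, lic, DENY, ALLOW)
        print(f"{decision:5s} {purl:28s} {lic!r}: {reason}")
```

Running the script shows the distinction the report draws: the allow-listed `@primeng/themes` passes without its license ever being examined, the constructed GPL-3.0 package is the only blocked entry, and the two unresolvable values (a non-allow-listed "SEE LICENSE IN" and a non-SPDX id) are both reported as warnings. Any checker that instead blocks on "SEE LICENSE IN" or ignores the allow-list would produce different results for rows one and four.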

Labels: bug (Something isn't working)