Releases: actions/dependency-review-action
Releases · actions/dependency-review-action
Dependency Review Action 4.9.0
This feature release contains a couple of notable changes:
- There is a new configuration option
show_patched_versionswhich will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz! - Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @jantiebot!
- There are a couple of fixes to purl parsing which should improve match accuracy for
allow-package-dependencylists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!
What's Changed
- Compare normalized purls to account for encoding quirks by @juxtin in #1056
- Make purl comparisons case insensitive by @juxtin in #1057
- Feat: Add
Patched VersiontoVulnerabilitiessummary by @felickz in #1045 - fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in #1060
- Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in #1058
- Bump actions/checkout from 4 to 6 by @dependabot[bot] in #1021
- Updates for release 4.9.0 by @ahpook in #1064
New Contributors
- @jantiebot made their first contribution in #1060
Full Changelog: v4.8.3...v4.9.0
Contributors
ahpook, felickz, and 3 other contributors
Assets 2
4.8.3
Dependency Review Action v4.8.3
This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.
We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.
What's Changed
- GitHub Actions can't push to our protected main by @dangoor in #1017
- Bump actions/stale from 9.1.0 to 10.1.0 by @dependabot[bot] in #995
- Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1003
- Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #1005
- Upgrade glob to address a vulnerability by @brrygrdn in #1024
- Bump js-yaml by @dependabot[bot] in #1020
- Addressing vulnerabilities by @Ahmed3lmallah in #1036
- Bump fast-xml-parser from 5.3.3 to 5.3.5 by @dependabot[bot] in #1050
- Bump fast-xml-parser from 5.3.5 to 5.3.6 by @dependabot[bot] in #1053
- Properly truncate long summaries and catch errors by @juxtin in #1052
- Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @dependabot[bot] in #931
- Changes for Release 4.8.3 by @ahpook in #1054
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3
Contributors
dangoor, ahpook, and 4 other contributors
Assets 2
v4.8.2
Minor fixes:
- Fix PURL parsing for scoped packages (#1008 from @danielhardej)
- Fix for large summaries (#1007 from @gitulisca)
- README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)
Contributors
danielhardej and gitulisca
Assets 2
Dependency Review Action v4.8.1
What's Changed
- (bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
- Bump version for 4.8.1 release by @ahpook in #1001
Full Changelog: v4...v4.8.1
Contributors
ahpook
Assets 2
v4.8.0
What's Changed
- Make Ruby Code Scannable by @ljones140 in #978
- Batch some contributions for release by @brrygrdn in #986
- Make license lists collapsable by @jasperkamerling
- feat: add large summary handling with artifact upload by @MattMencel
New Contributors
- @ljones140 made their first contribution in #978
- @jasperkamerling made their first contribution in #986
- @MattMencel made their first contribution in #986
Full Changelog: v4...v4.8.0
Contributors
MattMencel, brrygrdn, and 2 other contributors
Assets 2
4.7.3
What's Changed
- Add explicit permissions to workflow files by @AshelyTC in #966
- Claire153/fix spamming mentioned issue by @claire153 in #974
Full Changelog: v4...v4.7.3
Contributors
AshelyTC and claire153
Assets 2
4.7.2
What's Changed
- Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in #945
- Deprecate deny lists by @claire153 in #958
- Address discrepancy between docs and reality by @ahpook in #960
New Contributors
- @KyFaSt made their first contribution in #945
- @claire153 made their first contribution in #958
- @ahpook made their first contribution in #960
Full Changelog: v4...v4.7.2
Contributors
ahpook, KyFaSt, and claire153
Assets 2
v4.7.1
- Packages added to
allow-dependencies-licenseswill be allowed even if the package in question has no license information #889 - License expressions (e.g.
Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g.Ruby)
v4.7.0
- Handle complex license expressions (e.g.
MIT AND GPL-2.0) in allow lists (fixes #809 and probably others) - Replace
OTHERin package licenses withLicenseRef-clearlydefined-OTHERso that parsing passes
v4.6.0
What's Changed
- Updating multiple dependency versions by @Ahmed3lmallah in #870
- Grouping minor and patch dependabot updates to lessen the number of PRs by @Ahmed3lmallah in #876
- Bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #878
- Bump undici from 5.28.4 to 5.28.5 by @dependabot in #877
- DR Action should link to the proxima stamp when appropriate in error messages by @AshelyTC in #891
- Allow deny package removal by @ellenfieldn in #888
- Fix typos by @omahs in #893
- Bump esbuild from 0.19.5 to 0.25.0 by @dependabot in #900
- Bump octokit and related dependencies by @RomanIakovlev in #904
- Bump @babel/helpers from 7.23.2 to 7.26.10 by @dependabot in #905
- Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @dependabot in #899
- Update transitive dependency spdx-license-ids by @ailox in #855
- To not print OpenSSF Scorecard section if no dependencies scanned by @fabasoad in #884
- Improve usage of this action in dependency-review.yml by @fabasoad in #883
- Clarify comment-summary-in-pr behaviour by @Pantelis-Santorinios in #902
- Prepare 4.6.0 Release candidate by @brrygrdn in #910
New Contributors
- @AshelyTC made their first contribution in #891
- @ellenfieldn made their first contribution in #888
- @omahs made their first contribution in #893
- @RomanIakovlev made their first contribution in #904
- @ailox made their first contribution in #855
- @fabasoad made their first contribution in #884
- @Pantelis-Santorinios made their first contribution in #902
- @brrygrdn made their first contribution in #910
Full Changelog: v4.5.0...v4.6.0
Contributors
brrygrdn, ellenfieldn, and 8 other contributors