Created by: dependabot[bot]
Bumps actions/dependency-review-action from 2.4.0 to 3.0.0.
Release notes
Sourced from actions/dependency-review-action's releases.
3.0.0
Breaking Changes
By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!
What's Changed
Support for external configuration files
You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.
Broader license support
We've added support for a much broader set of project licenses by using GitHub's Licenses API.
SPDX Compliance
All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports
OR/ANDexpressions.Disable individual checks
You can now use the boolean options
license-checkandvulnerability-checkto disable either one of the checks. More information in our configuration options.Thanks
Contributors for this release include:
Thanks everyone! Full Changelog: https://github.com/actions/dependency-review-action/compare/v2...v3.0.0
2.5.1
Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the
scripts/scan_prscript using the-c/--config-fileflags to use an external configuration file:Example:
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/2942.5.0
Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.
2.4.1
This patch release fixes the bugs below:
- Display the dependency name instead of the manifest name in the detailed list of dependents.
- Fix an issue where undefined GHSAs would remove filter out all changes.
Commits
-
30d5821Bumping version number -
6e42c33Remove defaults from the recently added fields. -
a3074cdMerge pull request #327 from actions/adding-extra-options -
51a29d6Updating action.yml to include*-checkconfig -
235a221Merge pull request #324 from actions/readme-update -
9b3a7f6Minor README tweaks. -
a476131Addpull_requestto the list of events that don't need refs. -
28c7c8cSet the correct default for license-check in README. -
9da0fd4Merge pull request #325 from actions/dependabot/npm_and_yarn/eslint-plugin-je... -
fe45fd6Merge pull request #326 from actions/dependabot/npm_and_yarn/esbuild-register... - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebasewill rebase this PR -
@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it -
@dependabot mergewill merge this PR after your CI passes on it -
@dependabot squash and mergewill squash and merge this PR after your CI passes on it -
@dependabot cancel mergewill cancel a previously requested merge and block automerging -
@dependabot reopenwill reopen this PR if it is closed -
@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)