Comparing changes

base repository: actions/dependency-review-action
base: v4.7.0
...
head repository: actions/dependency-review-action
compare: v4.7.1
  • 9 commits
  • 6 files changed
  • 1 contributor

Commits on May 8, 2025

  1. Allowing dependencies works with no licenses

    When using the `allow-dependencies-licenses` option, the packages listed
    there should be allowed even if they have no license. This wasn't
    working because the filtering for allowed dependencies was done
    specifically on the list of packages that had licenses, leaving a
    separate list (unfiltered) for packages with no licenses. With this
    change, we filter out any changes for packages that have been allowed
    _before_ we retrieve licenses.
    
    Fixes #889
    dangoor committed May 8, 2025
    f199659
  2. Update build

    dangoor committed May 8, 2025
    9b155d6
  3. Check namespaces when excluding license checks

    The `allow-dependencies-licenses` option was not checking the namespace
    part of the PURL to make sure it matched.
    dangoor committed May 8, 2025
    34486f3
  4. Update build

    dangoor committed May 8, 2025
    014300b
  5. Merge pull request #930 from actions/889-allow-no-license

    Allowing dependencies works with no licenses
    dangoor authored May 8, 2025
    8805179

Commits on May 12, 2025

  1. Discard allow list entries that are not SPDX IDs

    The allow-licenses list is expected (and documented) to be a list of
    SPDX license IDs (LicenseRefs are also valid). If someone puts an
    expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
    discarded so that the whole list does not become invalid.
    
    Fixes #907
    dangoor committed May 12, 2025
    6e9307a

Commits on May 13, 2025

  1. Merge pull request #932 from actions/907-disallow-expression

    Discard allow list entries that are not SPDX IDs
    dangoor authored May 13, 2025
    d8f2df2
  2. Bump version number for 4.7.1

    dangoor committed May 13, 2025
    9af0caf
  3. Merge pull request #933 from actions/dangoor/471-release

    Bump version number for 4.7.1
    dangoor authored May 13, 2025
    da24556