Dependency Review Action 4.9.0

@ahpook released this 03 Mar 22:21 (commit 2031cfc)

This feature release contains a couple of notable changes:

  • There is a new configuration option, show_patched_versions, which adds a column to the vulnerabilities summary showing the patched (fix) version of each vulnerable dependency, so a reviewer can see at a glance which upgrade resolves a finding. Thanks @felickz!
  • Runs that do not display OpenSSF Scorecards no longer fetch scorecard information. Previously it was fetched regardless of whether it was displayed, which made every run unnecessarily slow. Great catch @jantiebot!
  • There are a couple of fixes to purl (package URL) parsing that should improve match accuracy for package allow and deny lists: comparisons are now case-insensitive, and URL-encoded namespaces (for example an npm scope written as `%40scope` rather than `@scope`) are normalized before matching. Thanks @juxtin!
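To make the purl-matching change concrete, here is an added example in TypeScript (the action's own language) that is not code from dependency-review-action itself. It parses a purl into its components, percent-decodes the namespace and name, folds case, and then matches an allow/deny list entry against an observed dependency so that `pkg:npm/@Angular/Core` and `pkg:npm/%40angular/core@12.0.0` are treated as the same package. The interface, function names and the "entry without a version matches every version" rule are this example's own assumptions, not the action's configuration semantics.

```typescript
// Added example, not the dependency-review-action's own code: a small purl
// (package URL) parser plus a comparison that normalizes the two quirks the
// release notes call out, URL-encoded namespaces ("%40scope") and case
// differences, so a list entry matches the dependency it was meant to match.
// Field names and helper names are this example's own.

interface Purl {
  type: string;              // "npm", "pypi", "maven", ... (lower-cased)
  namespace: string | null;  // decoded, "/"-joined namespace segments
  name: string;              // decoded package name
  version: string | null;    // decoded version, if present
  qualifiers: string | null; // raw "k=v&k2=v2", kept but not compared
  subpath: string | null;    // decoded subpath, if present
}

// Split a purl into its parts, percent-decoding the path components.
function parsePurl(input: string): Purl {
  let rest = input.trim();
  if (!/^pkg:/i.test(rest)) {
    throw new Error(`not a purl: ${input}`);
  }
  rest = rest.slice(4).replace(/^\/+/, "");

  // Subpath is everything after the last '#', qualifiers after the last '?'.
  let subpath: string | null = null;
  const hash = rest.lastIndexOf("#");
  if (hash !== -1) {
    subpath = decodeURIComponent(rest.slice(hash + 1)) || null;
    rest = rest.slice(0, hash);
  }
  let qualifiers: string | null = null;
  const q = rest.lastIndexOf("?");
  if (q !== -1) {
    qualifiers = rest.slice(q + 1) || null;
    rest = rest.slice(0, q);
  }

  // Type is the first path component; the purl spec makes it case-insensitive.
  const slash = rest.indexOf("/");
  if (slash === -1) {
    throw new Error(`purl has no name component: ${input}`);
  }
  const type = rest.slice(0, slash).toLowerCase();
  rest = rest.slice(slash + 1);

  // Version is introduced by an '@' after the last '/'. Looking only past the
  // last slash means an unencoded npm scope ("@angular/core") is not mistaken
  // for a version separator.
  let version: string | null = null;
  const at = rest.indexOf("@", rest.lastIndexOf("/") + 1);
  if (at !== -1) {
    version = decodeURIComponent(rest.slice(at + 1)) || null;
    rest = rest.slice(0, at);
  }

  // Remaining '/'-separated segments: all but the last form the namespace.
  // Decoding per segment turns "%40angular" into "@angular" and keeps an
  // encoded "%2F" inside a segment from being taken for a separator.
  const segments = rest.split("/").filter(Boolean).map(decodeURIComponent);
  const name = segments.pop();
  if (!name) {
    throw new Error(`purl has no name component: ${input}`);
  }
  const namespace = segments.length ? segments.join("/") : null;
  return { type, namespace, name, version, qualifiers, subpath };
}

// Comparison key with case folded, so "pkg:NPM/%40Angular/Core" and
// "pkg:npm/@angular/core" collapse to the same string.
function purlKey(p: Purl): string {
  const ns = p.namespace === null ? "" : p.namespace.toLowerCase() + "/";
  return `${p.type}/${ns}${p.name.toLowerCase()}`;
}

// Does a list entry (allow or deny) match an observed dependency? Assumed
// rule for this example: an entry without a version matches every version
// of that package; with a version it must match exactly (case-insensitively).
// Qualifiers and subpath are ignored, the lenient choice for a package list.
function purlMatches(entry: string, observed: string): boolean {
  const e = parsePurl(entry);
  const o = parsePurl(observed);
  if (purlKey(e) !== purlKey(o)) {
    return false;
  }
  if (e.version === null) {
    return true;
  }
  return o.version !== null && e.version.toLowerCase() === o.version.toLowerCase();
}

// Return every list entry that matches the observed dependency.
function matchingEntries(list: string[], observed: string): string[] {
  return list.filter((entry) => purlMatches(entry, observed));
}
```

A malformed percent sequence such as `%E0` makes `decodeURIComponent` throw a `URIError`; callers that read purls from user-supplied configuration should catch that and report the offending entry rather than silently treating it as a non-match.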

What's Changed

  • Compare normalized purls to account for encoding quirks by @juxtin in #1056
  • Make purl comparisons case insensitive by @juxtin in #1057
  • Feat: Add Patched Version to Vulnerabilities summary by @felickz in #1045
  • fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in #1060
  • Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in #1058
  • Bump actions/checkout from 4 to 6 by @dependabot[bot] in #1021
  • Updates for release 4.9.0 by @ahpook in #1064

Full Changelog: v4.8.3...v4.9.0