One of the complaints with the way Dependabot Security Alerts works in GitHub is that it only works from the default branch. As a result, you aren't alerted that you are adding a vulnerable package until after you have already merged to the default branch. The previous solution to this was the Dependency Review (rich diff) in a pull request, but this was slightly hidden and there were no enforcement capabilities.

[Image: The previous option for dependency review in a pull request (rich diff)]

GitHub has added a new Dependency Review action to help keep vulnerable dependencies out of your repository!

Note that the new Dependency Review action still requires a GitHub Advanced Security license, as mentioned in the GitHub Changelog blog post:

> The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

The action is relatively simple (no inputs as of yet) - and here's some additional documentation.

## How To

```yaml
name: 'Dependency Review'
on:  # trigger value not preserved in the page text
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses:  # action reference not preserved in the page text
      - name: 'Dependency Review'
        uses:  # action reference not preserved in the page text
```

To try this at home, you can add `"tar": "2.2.2"` to the dependencies section of your package.json file. This will cause the action to fail since there are several vulnerabilities in this version of tar:

[Image: Dependency Review Action preventing a pull request with a vulnerable dependency added]

## Results

I think this is much better than the prior option for finding/preventing vulnerable dependencies in a pull request:

[Image: Making this a required status check]
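The check the How To section describes, in miniature: an added Python example (not GitHub's code and not part of the original post) that diffs the dependencies of a pull request's base and head package.json and fails only when a package the PR adds or re-pins falls inside a vulnerable range, which is why a dependency already on the base branch is left to Dependabot. The two manifests and the advisory table are constructed stand-ins; the tar range is illustrative, not real advisory data.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the base branch's and the PR head's package.json.
BASE_PACKAGE_JSON = '{"name": "demo", "dependencies": {"express": "^4.18.2"}}'
HEAD_PACKAGE_JSON = '{"name": "demo", "dependencies": {"express": "^4.18.2", "tar": "2.2.2"}}'

# Constructed advisory table: package -> list of (first fixed version, severity).
# Illustrative stand-in for the GitHub Advisory Database, not real advisory data.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {"tar": [("4.4.18", "high")]}


def parse_version(spec: str) -> Optional[Tuple[int, ...]]:
    """Lower bound of a simple spec ('2.2.2', '^2.2.2', '~2.2.2', 'v2.2.2') as a 3-tuple.
    Specs that are not a plain version ('*', 'latest', '>=1 <2') return None and are skipped."""
    parts = spec.lstrip("^~=v").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:  # '1.2' compares as 1.2.0
        nums.append(0)
    return tuple(nums)


def manifest_deps(text: str) -> Dict[str, str]:
    """All runtime and dev dependencies declared in a package.json document."""
    data = json.loads(text)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def added_or_changed(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Only packages the PR introduces or re-pins are reviewed, not the existing baseline."""
    return {name: spec for name, spec in head.items() if base.get(name) != spec}


def review(base_text: str, head_text: str) -> List[str]:
    """One finding per newly added dependency whose version is below the first fixed version."""
    findings: List[str] = []
    changes = added_or_changed(manifest_deps(base_text), manifest_deps(head_text))
    for name, spec in changes.items():
        version = parse_version(spec)
        if version is None:
            continue
        for fixed_in, severity in ADVISORIES.get(name, []):
            if version < parse_version(fixed_in):
                findings.append(f"{name}@{spec}: {severity} severity, fixed in {fixed_in}")
                break
    return findings


def check_passes(base_text: str, head_text: str) -> bool:
    """The pass/fail result a required status check would gate the merge on."""
    return not review(base_text, head_text)
```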