Commit
Downgrade dependency-review-action to version 4.3.3, where SPDX expressions are handled as exact strings.
carstingaxion committed Aug 14, 2024
1 parent 287f497 commit 66d16af
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion .github/workflows/dependency-review.yml
@@ -17,8 +17,18 @@ jobs:
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4

- name: Dependency Review
uses: actions/dependency-review-action@v4
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # Version 4.3.3 # https://github.com/actions/dependency-review-action/releases/tag/v4.3.3
# Version 4.3.4 does not work with invalid license names in the config and since that version,
# SPDX expression licenses are considered invalid (see: https://github.com/actions/dependency-review-action/issues/792).
# In short, remove all SPDX expressions from the config!
#
# Note that if you have packages that use SPDX expressions, this will report them as invalid,
# as support is not yet implemented (see: https://github.com/actions/dependency-review-action/issues/263).
#
# In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings !!
# @source https://github.com/actions/dependency-review-action/issues/809#issuecomment-2285930024
with:
license-check: true
vulnerability-check: false
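Review bot: The new comment block above the `uses:` line gives two conflicting instructions, "remove all SPDX expressions from the config!" and "you need to downgrade to version 4.3.3", without saying which one this repository chose; since the hunk pins the SHA of 4.3.3, the comment should state that the downgrade is the option taken here and that the config deliberately keeps SPDX expressions, so a later reader does not strip them. The `with:` block in the trailing context shows only `license-check: true` and `vulnerability-check: false`, so the license configuration that triggered the 4.3.4 failure is not visible in this diff; a one-line pointer to where the license list lives would make the comment self-contained. Pinning to a full commit SHA instead of the floating `@v4` tag is the right move, but because that pin freezes the action at 4.3.3 indefinitely, add a short "revisit when issue 263 ships SPDX support" line so the pin has an exit condition, and note that `vulnerability-check: false` means this workflow now performs no vulnerability review at all, which is worth stating explicitly if that is intended.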