Releases: dependabot/fetch-metadata
v1.3.4
What's Changed
- Pin only to major version, not full patch version by @jeffwidman in #246
- Fix broken logo on readme by @jeffwidman in #253
- Bump action to use node16 by @quinnjn in #251
- Bump @typescript-eslint/eslint-plugin from 5.20.0 to 5.38.0 by @dependabot in #256
- Bump @actions/core from 1.6.0 to 1.9.1 by @dependabot in #242
- Bump eslint-config-standard from 16.0.3 to 17.0.0 by @dependabot in #214
- Bump @types/node from 17.0.25 to 18.7.18 by @dependabot in #255
- Bump @typescript-eslint/parser from 5.20.0 to 5.38.0 by @dependabot in #254
- Bump eslint from 8.13.0 to 8.23.1 by @dependabot in #259
- Bump nock from 13.2.4 to 13.2.9 by @dependabot in #260
- Bump yargs and @types/yargs by @dependabot in #261
- Bump eslint-plugin-promise from 6.0.0 to 6.0.1 by @dependabot in #263
- Bump dotenv from 16.0.0 to 16.0.2 by @dependabot in #262
- Bump @vercel/ncc from 0.33.4 to 0.34.0 by @dependabot in #264
- Bump @actions/github from 5.0.1 to 5.0.3 by @dependabot in #265
- Bump ts-node from 10.7.0 to 10.9.1 by @dependabot in #266
- Bump typescript from 4.6.3 to 4.8.3 by @dependabot in #257
- Bump yaml from 2.0.1 to 2.1.1 by @dependabot in #258
New Contributors
- @jeffwidman made their first contribution in #246
- @quinnjn made their first contribution in #251
Full Changelog: v1.3.3...v1.3.4
v1.3.3
v1.3.2
v1.3.1
Highlights
This release is primarily catching up on our dependencies, but it also includes a few bug fixes:
- Correctly populate Dependabot Alert metadata when a manifest is located in the project root, thanks @SalimBensiali
- Add a workaround for a dependabot-core bug that causes the `update-type` to be blank occasionally, thanks @mwaddell
What's Changed
- If the `update-type` is missing for some reason, calculate it by @mwaddell in #173
- Updated readme to explain when you need to use a PAT by @mwaddell in #183
- Updated auto approve example to minimizing notifications by @mwaddell in #188
- Bump @types/node from 17.0.19 to 17.0.23 by @dependabot in #191
- Bump @types/jest from 27.4.0 to 27.4.1 by @dependabot in #168
- Fix incorrect vulnerable manifest path check by @SalimBensiali in #186
- Bump @types/yargs from 17.0.8 to 17.0.10 by @dependabot in #181
- Bump @typescript-eslint/parser from 5.12.1 to 5.17.0 by @dependabot in #194
- Bump eslint from 8.9.0 to 8.12.0 by @dependabot in #190
- Bump ts-node from 10.5.0 to 10.7.0 by @dependabot in #196
- Bump eslint from 8.12.0 to 8.13.0 by @dependabot in #198
- Bump typescript from 4.5.5 to 4.6.3 by @dependabot in #193
- Bump minimist from 1.2.5 to 1.2.6 by @dependabot in #204
- Bump yargs from 17.3.1 to 17.4.1 by @dependabot in #199
- Bump @typescript-eslint/parser from 5.17.0 to 5.20.0 by @dependabot in #202
- Bump @typescript-eslint/eslint-plugin from 5.12.1 to 5.20.0 by @dependabot in #203
- Dependabot updates run monthly and attempt to auto-compile dist/ by @brrygrdn in #205
- Bump @actions/github from 5.0.0 to 5.0.1 by @dependabot in #197
- Bump eslint-plugin-import from 2.25.4 to 2.26.0 by @dependabot in #207
- Bump @types/node from 17.0.23 to 17.0.25 by @dependabot in #208
- Bump @vercel/ncc from 0.33.3 to 0.33.4 by @dependabot in #209
- Bump yaml from 1.10.2 to 2.0.1 by @dependabot in #206
New Contributors
- @SalimBensiali made their first contribution in #186
Full Changelog: v1.3.0...v1.3.1
v1.3.0 - Fetch additional metadata via the GitHub API
Highlights
🆕 Fetch additional metadata about Dependabot commits
You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.
Example:

```yaml
# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          alert-lookup: true
          compat-lookup: true
```
The flags enable the following new outputs:
- `steps.dependabot-metadata.outputs.alert-state` - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
- `steps.dependabot-metadata.outputs.ghsa-id` - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
- `steps.dependabot-metadata.outputs.cvss` - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
- `steps.dependabot-metadata.outputs.compatibility-score` - If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
Many thanks to @mwaddell for contributing these additional flags 🥇
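One way to put these outputs to work, as an added example that is not part of the release notes or the project's README: a workflow that approves and enables auto-merge only for Dependabot PRs that close an OPEN alert and carry a high compatibility score. It assumes the `gh` CLI is present on the runner, that auto-merge is enabled on the repository, and that a threshold of 90 is the policy you want (a constructed value).

```yaml
# .github/workflows/dependabot-auto-approve.yml (constructed example)
name: Dependabot auto-approve security fixes
on: pull_request_target

# Scope the default GITHUB_TOKEN to exactly what the approve/merge steps need.
permissions:
  contents: write
  pull-requests: write

jobs:
  gate:
    runs-on: ubuntu-latest
    # Gate on the PR author, not the workflow actor, so a maintainer re-run
    # still works, but PRs from any other account never reach the write steps.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      # Deliberately no checkout of the PR head: under pull_request_target the
      # token has write scope, so untrusted PR code must never run in this job.
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          alert-lookup: true
          compat-lookup: true

      - name: Approve and auto-merge a security fix with a good compatibility score
        # alert-state is OPEN only while the alert is still unresolved; the
        # compatibility score is 0 when unknown, so unknown fails the threshold.
        if: >-
          steps.dependabot-metadata.outputs.alert-state == 'OPEN' &&
          fromJSON(steps.dependabot-metadata.outputs.compatibility-score) >= 90
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          GHSA: ${{ steps.dependabot-metadata.outputs.ghsa-id }}
          CVSS: ${{ steps.dependabot-metadata.outputs.cvss }}
        run: |
          # Record which alert was fixed in the review body for audit purposes.
          gh pr review --approve --body "Auto-approved: fixes $GHSA (CVSS $CVSS)" "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

PRs that do not match the condition (no alert, alert already FIXED or DISMISSED, or an unknown score) fall through to normal human review.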
The Action no longer fails if other commits are present
We received feedback that this change was highly obtrusive and blocked common workflows that merge in the target branch. Following on from the changes in 1.2.1 that made it easier for a user to re-run failed workflows, this friction was much more obvious.
Thanks for the feedback, and thanks @mwaddell for contributing the change.
The Action defaults to using the GITHUB_TOKEN
This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes, this default is adequate for all use cases.
Thanks @jablko for contributing this change 🏆
What's Changed
- Flag security alerts and pass versions through by @mwaddell in #144
- Updated `bump-version` to update README.md as well by @mwaddell in #163
- Updated README to reference correct version by @mwaddell in #165
- Allow fetch-metadata to run on a PR even if it has additional commits… by @mwaddell in #166
- Default github-token by @jablko in #83
- Return compatibility score by @mwaddell in #146
New Contributors
Full Changelog: v1.2.1...v1.3.0
v1.2.1 - Workflows may be re-ran by someone other than Dependabot
Highlights:
- Check the PR author instead of the Action Actor so failed `fetch-metadata` workflows can be retried, thanks @mwaddell!
- Catch up on our dependency updates 😅
What's Changed
- Check PR Author instead of Action Actor by @mwaddell in #137
- Updated README to list supported `dependency-type` values by @mwaddell in #145
- Bump yargs from 17.0.1 to 17.3.1 by @dependabot in #126
- Bump eslint-plugin-import from 2.23.4 to 2.25.4 by @dependabot in #129
- Bump ts-node from 10.1.0 to 10.5.0 by @dependabot in #142
- Bump @types/node from 16.4.10 to 17.0.19 by @dependabot in #147
- Bump @typescript-eslint/parser from 4.29.0 to 4.33.0 by @dependabot in #149
- Bump @types/jest from 26.0.24 to 27.4.0 by @dependabot in #151
- Bump @vercel/ncc from 0.29.0 to 0.33.3 by @dependabot in #148
- Bump @typescript-eslint/eslint-plugin from 4.29.0 to 4.33.0 by @dependabot in #152
- Bump @types/yargs from 17.0.2 to 17.0.8 by @dependabot in #153
- Bump nock from 13.1.1 to 13.2.4 by @dependabot in #154
- Bump tmpl from 1.0.4 to 1.0.5 by @dependabot in #160
- Bump node-fetch from 2.6.1 to 2.6.7 by @dependabot in #159
- Bump eslint-plugin-promise from 5.1.0 to 6.0.0 by @dependabot in #158
- Bump dotenv from 10.0.0 to 16.0.0 by @dependabot in #156
- Bump @actions/core from 1.4.0 to 1.6.0 by @dependabot in #155
- Bump typescript from 4.3.5 to 4.5.5 by @dependabot in #157
- Bump eslint from 7.32.0 to 8.9.0 by @dependabot in #150
Full Changelog: v1.2.0...v1.2.1
v1.2.0 - Updated outputs
v1.1.1 - Bump @actions/core
This release updates @actions/core from v1.3.0 to v1.4.0
All other changes are dev or build related.
Initial release of Dependabot's `fetch-metadata` action
Extract information about the dependencies being updated by a Dependabot-generated PR.