Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Dependency Review Action #5434

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Dependency Review Action #5434

wants to merge 1 commit into from

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Feb 2, 2024
edited
Loading

Main Changes

This GitHub action will add an additional check when a PR is created in the project and will review any change in the dependencies (cda07fd).

This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
Source repository

Overall, this will prevent us to introduce vulnerable dependencies versions without the need to manually check that.

Impact in the OSSF Scorecard

Screenshot 2024-02-02 at 17 14 02

Note that our current score is 10/10, so this is a preventive measurement.

Context

Changelog

@UlisesGascon UlisesGascon marked this pull request as ready for review February 2, 2024 16:18
inigomarquinez
inigomarquinez reviewed Mar 17, 2024
View reviewed changes
Copy link
Member

@inigomarquinez inigomarquinez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested latest versions of pinned dependencies

.github/workflows/dependency-review.yml
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/dependency-review.yml
- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3

@wesleytodd
Copy link
Member

I would strongly prefer we use Socket if these two are things which overlap (which I think there is). I was going to start a thread about this but with all the moving parts I had not had a chance yet. Am I wrong that there is overlap and that Socket would provide the same things we want out of this (and way more)?

@UlisesGascon UlisesGascon mentioned this pull request Apr 16, 2024
Open
@UlisesGascon UlisesGascon added the semver-ignore This change does not have any impact in semver (docs, tooling, etc..) label Apr 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inigomarquinez inigomarquinez inigomarquinez left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
semver-ignore This change does not have any impact in semver (docs, tooling, etc..)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@UlisesGascon @wesleytodd @inigomarquinez