Skip to content

Resolve merge conflicts with actions/main#3

Merged
sgmurphy merged 149 commits into
sgmurphy:update-pr-commentfrom
niebloomj:resolve-main-conflicts
May 11, 2026
Merged

Resolve merge conflicts with actions/main#3
sgmurphy merged 149 commits into
sgmurphy:update-pr-commentfrom
niebloomj:resolve-main-conflicts

Conversation

@niebloomj

Copy link
Copy Markdown

Hi @sgmurphy — opening this so PR actions#941 can move forward. Merging this updates your update-pr-comment branch with current actions/main, which should clear the conflicts blocking actions#941.

What this does

  • Merges actions/dependency-review-action:main (as of today) into your update-pr-comment branch.
  • Resolves the only real conflict (dist/index.js.map — regenerated).
  • Adds the now-required show_patched_versions: false field to the test mock in __tests__/comment-pr.test.ts. main added this as a required field on ConfigurationOptions after you opened Update PR comment behavior for on-failure mode actions/dependency-review-action#941, so the bundle step (npm run package) wouldn't type-check without it.
  • Regenerates dist/ via npm run package.

Verification

  • npm ci, npm run build, npm run package, npm test all pass locally.
  • All 198 tests across 12 suites pass, including the 8 new tests in __tests__/comment-pr.test.ts.
  • Note: dist/ was rebuilt on Node 26 (local). CI uses Node 24, so maintainers should expect to regenerate dist/ on their side if there's a check-dist verification step — though actions/main removed .github/workflows/check-dist.yml, so this is unlikely to matter.

Next step

If you merge this into update-pr-comment, PR actions#941 should become mergeable against actions/main.

claire153 and others added 30 commits August 13, 2025 21:07
The documentation used to say that you needed to transform keys
in external config files from using `-` to `_`, but in reality
the code transforms `-` to `_` regardless of where they occur.

See 4b4ec08

Closes actions#909
…ns#956)

Bumps the minor-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v29.4.0...v29.4.1)

Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.0...v2.8.1)

Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/eslint-plugin-prettier@v5.5.1...v5.5.4)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](microsoft/TypeScript@v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Address discrepancy between docs and reality
* Cut 4.7.2 version release

* Bump dependency minor versions
Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Add explicit permissions to workflow files
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
So can be scanned by code scanning
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
felickz and others added 28 commits February 27, 2026 22:58
Feat: Add `Patched Version` to `Vulnerabilities` summary
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
…s/actions/stale-10.2.0

Bump actions/stale from 10.1.0 to 10.2.0
…s/actions/checkout-6

Bump actions/checkout from 4 to 6
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files

Closes actions#1062 actions#1063 actions#1028 actions#972 actions#971 actions#970
Add instructions file to help Copilot coding agent work efficiently with
this repository. Includes build/validation commands, project layout,
CI checks, style rules, testing patterns, and important notes about
the codebase conventions.
Add .github/copilot-instructions.md for Copilot coding agent
…nges (e.g. Maven beta versions)


 When showing patched versions in the vulnerability summary, advisories with version ranges containing non-strict semver components — such as Maven's >= 2.0-beta9, < 2.25.3 — would display "N/A" instead of the correct patched version. 
 
 The fix adds a coercion step in fail-open mode that rewrites invalid version components within the range string to their nearest valid semver equivalents (e.g. 2.0-beta9 → 2.0.0) before retrying validation, allowing the patched version lookup to succeed without affecting the fail-closed vulnerability detection path.

Adds test case for maven and another for golang for extra coverage
Node 20 is being deprecated and Node 24 is the latest LTS. This updates
the GitHub Actions runtime, CI workflows, type definitions, and
documentation to use Node 24.
Adds support for newer SPDX license identifiers such as FSL-1.1-MIT
that were not recognized in the previous version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…20-to-24

Update Node.js runtime from 20 to 24
….0.23

Bump spdx-license-ids from 3.0.20 to 3.0.23
docs: bump actions/checkout from v4 to v6 in workflow examples
…or-non-string-semver-advisories

fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions)
- rebuilds package files
- updates version in package.json to v5.0.0
- small README update, to indicate minimum actions runner
@sgmurphy sgmurphy merged commit c2b21dc into sgmurphy:update-pr-comment May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.