Resolve merge conflicts with actions/main#3
Merged
sgmurphy merged 149 commits intoMay 11, 2026
Conversation
The documentation used to say that you needed to transform keys in external config files from using `-` to `_`, but in reality the code transforms `-` to `_` regardless of where they occur. See 4b4ec08 Closes actions#909
…lists Deprecate deny lists
…ns#956) Bumps the minor-updates group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` | | [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` | | [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` | | [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` | Updates `ts-jest` from 29.4.0 to 29.4.1 - [Release notes](https://github.com/kulshekhar/ts-jest/releases) - [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md) - [Commits](kulshekhar/ts-jest@v29.4.0...v29.4.1) Updates `yaml` from 2.8.0 to 2.8.1 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.0...v2.8.1) Updates `@types/node` from 20.19.7 to 20.19.10 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4 - [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases) - [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md) - [Commits](prettier/eslint-plugin-prettier@v5.5.1...v5.5.4) Updates `typescript` from 5.8.3 to 5.9.2 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml) - [Commits](microsoft/TypeScript@v5.8.3...v5.9.2) --- updated-dependencies: - dependency-name: ts-jest dependency-version: 29.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-updates - dependency-name: yaml dependency-version: 2.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-updates - dependency-name: "@types/node" dependency-version: 20.19.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-updates - dependency-name: eslint-plugin-prettier dependency-version: 5.5.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-updates - dependency-name: typescript dependency-version: 5.9.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Address discrepancy between docs and reality
* Cut 4.7.2 version release * Bump dependency minor versions
Bumps and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together. Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `brace-expansion` from 2.0.1 to 2.0.2 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect - dependency-name: brace-expansion dependency-version: 2.0.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Add explicit permissions to workflow files
…ulti-c22e25d29b Bump brace-expansion
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
So can be scanned by code scanning
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Feat: Add `Patched Version` to `Vulnerabilities` summary
fix: only get scorecard levels if user wants to see the OpenSSF scorecard
…s/actions/stale-10.2.0 Bump actions/stale from 10.1.0 to 10.2.0
…s/actions/checkout-6 Bump actions/checkout from 4 to 6
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs - New version in package.json - Slight correction to the release process in CONTRIBUTING.md - Rebuilds dist/ packaged files Closes actions#1062 actions#1063 actions#1028 actions#972 actions#971 actions#970
Updates for release 4.9.0
Add instructions file to help Copilot coding agent work efficiently with this repository. Includes build/validation commands, project layout, CI checks, style rules, testing patterns, and important notes about the codebase conventions.
Add .github/copilot-instructions.md for Copilot coding agent
…nges (e.g. Maven beta versions) When showing patched versions in the vulnerability summary, advisories with version ranges containing non-strict semver components — such as Maven's >= 2.0-beta9, < 2.25.3 — would display "N/A" instead of the correct patched version. The fix adds a coercion step in fail-open mode that rewrites invalid version components within the range string to their nearest valid semver equivalents (e.g. 2.0-beta9 → 2.0.0) before retrying validation, allowing the patched version lookup to succeed without affecting the fail-closed vulnerability detection path. Adds test case for maven and another for golang for extra coverage
Node 20 is being deprecated and Node 24 is the latest LTS. This updates the GitHub Actions runtime, CI workflows, type definitions, and documentation to use Node 24.
Adds support for newer SPDX license identifiers such as FSL-1.1-MIT that were not recognized in the previous version. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…20-to-24 Update Node.js runtime from 20 to 24
….0.23 Bump spdx-license-ids from 3.0.20 to 3.0.23
docs: bump actions/checkout from v4 to v6 in workflow examples
…or-non-string-semver-advisories fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions)
Resolve security findings
- rebuilds package files - updates version in package.json to v5.0.0 - small README update, to indicate minimum actions runner
v5.0.0 release branch
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi @sgmurphy — opening this so PR actions#941 can move forward. Merging this updates your
update-pr-commentbranch with currentactions/main, which should clear the conflicts blocking actions#941.What this does
actions/dependency-review-action:main(as of today) into yourupdate-pr-commentbranch.dist/index.js.map— regenerated).show_patched_versions: falsefield to the test mock in__tests__/comment-pr.test.ts.mainadded this as a required field onConfigurationOptionsafter you opened Update PR comment behavior foron-failuremode actions/dependency-review-action#941, so the bundle step (npm run package) wouldn't type-check without it.dist/vianpm run package.Verification
npm ci,npm run build,npm run package,npm testall pass locally.__tests__/comment-pr.test.ts.dist/was rebuilt on Node 26 (local). CI uses Node 24, so maintainers should expect to regeneratedist/on their side if there's a check-dist verification step — thoughactions/mainremoved.github/workflows/check-dist.yml, so this is unlikely to matter.Next step
If you merge this into
update-pr-comment, PR actions#941 should become mergeable againstactions/main.